
Crypto Locker, Please help, Have already paid in bit coin to get my files


  • This topic is locked
6 replies to this topic

#1 mitch04

mitch04

  • Members
  • 13 posts

Posted 03 February 2016 - 04:52 AM

Hi,

 

I have accidentally opened up a file from my emails and Crypto Locker has locked all my files. I have had to pay for a key, which was $1250 Australian dollars in bitcoins, to download software to decrypt all my data. The decryption has been going on for about 4 hours so far but I'm not sure when it will end. Can anyone please give me hope that all my files will come back? I have very important files that were on my server for my business which I cannot access.

 

Thanks 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 February 2016 - 08:40 AM


The original CryptoLocker Ransomware which first appeared in the beginning of September 2013...does not exist anymore and hasn't since June 2014. There are several copycat and fake ransomware variants which use the CryptoLocker name but those infections are not the same. Any references to CryptoLocker and retrieving keys for it will not work anymore.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, 
_secret_code.txt, About_Files.txt, Read.txt, ReadMe.txt, DECRYPT_ReadMe.TXT, DecryptAllFiles_.txt
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, HELP_DECYPRT_YOUR_FILES.HTML, help_decrypt_your_files.html
HELP_TO_SAVE_FILES.txt, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.txt, howto_recover_file_.txt, restore_files_.txt, 
how_recover+[random].txt, _how_recover_.txt, recovery_file_[random].txt, recover_file_[random].txt
recovery_file_[random].txt, Howto_Restore_FILES.TXT and help_recover_instructions+[random].txt

Note: The [random] represents random characters which some ransom note names may include.

Once we have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 mitch04

mitch04
  • Topic Starter

  • Members
  • 13 posts

Posted 04 February 2016 - 03:00 AM

Yep I did receive the ransom and have paid in bitcoin. It did complete the decryption, however some files are still decrypted.... I have attached some photos of what the ransom said. For example, on one file it says CONTACT PHONE NUMBERS.xls.encrypted, so when I click on it, it asks which program I should use. I still have the ransom note in all my folders saying to pay.

 

If anyone has any ideas to try to decrypt these files please tell me as this is a business I own.

 

Thank you 

 

Here is what the txt file says:

WARNING

we have encrypted your files with Crypt0L0cker virus
Your important files (including those on the network disks, USB, etc): photos, videos, documents, etc. were encrypted with our Crypt0L0cker virus. The only way to get your files back is to pay us. Otherwise, your files will be lost. 

Caution: Removing of Crypt0L0cker will not restore access to your encrypted files.
Frequently Asked Questions
[-] What happened to my files?

Understanding the issue

Your important files: photos, videos, documents etc. were encrypted with our Crypt0L0cker virus. This virus uses very strong encryption algorithm - RSA-2048. Breaking of RSA-2048 encryption algorithm is impossible without special decryption key.
[-] How can I get my files back?

The only way to restore your files

Your files are now unusable and unreadable, you can verify it by trying to open them. The only way to restore them to a normal condition is to use our special software for decryption. You can buy this software on our website.
[-] What should I do next?

Buy decryption

You should visit our website and buy decryption for your PC.
[-] I can not access to your website, what should I do?

Accessing website using mirrors

Our website should be accessible from one of these links:
http://javajvlsworf3574.torfilter.ch/dp3o52.php?user_code=rd7r30&user_pass=7535
http://javajvlsworf3574.torconnection.ch/dp3o52.php?user_code=rd7r30&user_pass=7535
http://javajvlsworf3574.toragent.ch/dp3o52.php?user_code=rd7r30&user_pass=7535
http://javajvlsworf3574.onion.link/dp3o52.php?user_code=rd7r30&user_pass=7535
http://javajvlsworf3574.onion/dp3o52.php?user_code=rd7r30&user_pass=7535 (using TOR browser)

If for any reasons these addresses are not available, please follow the steps or read the manual

1. Download and install TOR-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: http://javajvlsworf3574.onion/dp3o52.php?user_code=rd7r30&user_pass=7535
4. Access to our website.

Also you can contact us via email: decrypthelp@mail333.com

 

 


Edited by mitch04, 04 February 2016 - 03:06 AM.


#4 SpringfieldCowboy

SpringfieldCowboy

  • Members
  • 21 posts

Posted 04 February 2016 - 07:31 AM

Hi, I received this same problem today in Australia. It was a fake email from Aust Post and now most of my files are encrypted with CryptoLocker. Did you have any luck after paying the ransom of $1200? The files I needed were on a portable hard drive, of which I lost about 60% before I pulled it out of the computer. My computer lost everything.
Let me know how you went.
regards
Kev

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 February 2016 - 07:32 AM

If .encrypted is the extension appended to your files...then you are dealing with Crypt0L0cker (TorrentLocker).

A repository of all current knowledge regarding TorrentLocker is provided by Grinler (aka Lawrence Abrams), in this topic: TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ

There are ongoing discussions in these topics where you can ask questions and seek further assistance.


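The identification steps from posts #2 and #5 (look for an appended extension and a ransom note, then map `.encrypted` to Crypt0L0cker), as an added example that is not part of the original thread. It is a Python sketch that walks a folder tree and tallies both indicators; the function names `triage` and `build_sample_tree` and the sample files are constructed for illustration, and the suffix and note-name lists are only a subset of those quoted in post #2.

```python
import os
import re
import tempfile
from collections import Counter

# Appended suffixes and ransom-note names copied from the lists in this thread (a subset).
SUFFIXES = (".encrypted", ".locked", ".crypto", "_crypt", ".xtbl", ".vvv", ".micro", ".lol!")
NOTE_NAMES = {"help_decrypt.txt", "decrypt_instructions.txt", "your_files.html",
              "how_to_recover_files.txt", "help_restore_files.txt", "readdecryptfileshere.txt"}
# Names the thread writes with a [random] part, e.g. RECOVERY_FILE_[random].txt
RANDOM_NOTE_RE = re.compile(r"(recovery_file_|recover_file_|how_recover\+|"
                            r"help_recover_instructions\+)\w+\.txt")
# The only suffix-to-family mapping the thread itself gives (post #5).
FAMILY_BY_SUFFIX = {".encrypted": "Crypt0L0cker (TorrentLocker)"}


def triage(root):
    """Tally known appended suffixes and collect ransom-note paths under root."""
    counts, notes = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # the thread lists names in mixed case
            if lower in NOTE_NAMES or RANDOM_NOTE_RE.fullmatch(lower):
                notes.append(os.path.relpath(os.path.join(dirpath, name), root))
                continue
            suffix = next((s for s in SUFFIXES if lower.endswith(s)), None)
            if suffix:
                counts[suffix] += 1
    top = counts.most_common(1)
    family = FAMILY_BY_SUFFIX.get(top[0][0]) if top else None
    return {"suffixes": dict(counts), "notes": sorted(notes), "family": family}


def build_sample_tree(root):
    """Constructed sample: empty files named like those described in the thread."""
    names = ["CONTACT PHONE NUMBERS.xls.encrypted", "docs/invoice.doc.encrypted",
             "docs/DECRYPT_INSTRUCTIONS.TXT", "docs/how_recover+abc.txt",
             "docs/budget.xlsx", "notes.txt"]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

A `family` of `None` means the dominant suffix is one the thread lists but does not attribute to a family, so identification still needs the ransom note text.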

#6 SpringfieldCowboy

SpringfieldCowboy

  • Members
  • 21 posts

Posted 04 February 2016 - 07:33 AM

PS: My files have been encrypted with the extension ".encrypted"

I notice a Nathan Scott from this site created a decryption tool

http://download.bleepingcomputer.com/Nathan/Coin_Locker_Decrypter.exe

but I can't get it to work. Any ideas anyone?

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 February 2016 - 07:48 AM

Coin_Locker_Decrypter.exe was created for Coin Locker Ransomware, not Crypt0L0cker (TorrentLocker)...that's why it doesn't work.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in the support topic discussions listed above. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff