
All my pictures have been locked


This topic is locked
5 replies to this topic

#1 stolen_flower

stolen_flower

  • Members
  • 1 posts
  • OFFLINE
  • Local time:02:45 PM

Posted 02 April 2016 - 05:03 AM

Hello, apparently my computer has been infected by a virus. All my pictures have been locked. What should I do? I am more concerned not about the pictures but to get rid of this thing that is on my laptop. This is what I have:

 

_$$||=$
~*=-|*||-_~-$*
|*=_~
            !!! IMPORTANT INFORMATION !!!!
 
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
    
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
 
If all of this addresses are not available, follow these steps:
    1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: 25z5g623wpqpdwis.onion/87A15E6A5380DE32
    4. Follow the instructions on the site.
 
!!! Your personal identification ID: 87A15E6A5380DE32 !!!
$=~-*_|$+=$
|*$||=*=+.+|
*-+=*-*_
.=_.+~.+=~=
 
Thank you in advance



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,395 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:45 AM

Posted 02 April 2016 - 05:19 AM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .encrypted, .locked, .kimcilware, .crypto, _crypt, .crypt, .crypted, .crinf, .pzdc, .good, .R16M01D05, .cerber, .eclr, .sshxkej, .73i87A, .p5tkjw, PoAr2w, .surprise, .coverton, .krypted, .r5a, .XTBL, .YTBL, .LOL!, .OMG!, .RDM, .RRK, .RAD, .encedRSA, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, ._cryptcryptcrypt.@.gmail.com_, .id_<victim_id>_email_zeta@dr.com.scl, .0x0, .bleep, .1999, .fu*k (f**k), .vault, .HA3, .frtrss, .toxcrypt, .magic, .enc, .locky, _sq.<filename>, .k2p, .Sanction, .SPORT, .cwgoqia, .trun, .crysis, .xrtn, .SUPERCRYPT, .CTBL, .CTB2, or 6-7 length extension consisting of random characters such as .uogltic, .rpyxhhm, .mtrsxox, .phszfud?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. They typically are found in every directory where data was encrypted. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples of ransom notes:
HELP_DECRYPT.TXT, DECRYPT_INSTRUCTION.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_YOUR_FILES.TXT
HELP_FILE_[random number/letter].HTML, install_tor.url, ATTENTION.RTF, !!!-WARNING-!!!.html
Read.txt, ReadMe.txt, README1.txt...README10.txt, READ_IF_YOU_WANT_YOUR_FILES.html, Read_it.txt
README_FOR_DECRYPT.txt, READ!!!!!!!!!!!.ME.txt, README!!.TXT, README_IMPORTANT.TXT, READ_IT.txt
IMPORTANT READ ME.txt, File Decrypt Help.html, ReadDecryptFilesHere.txt, _Locky_recover_instructions.txt
YOUR_FILES.HTML, YOUR_FILES.url, encryptor_raas_readme_liesmich.txt, Help_Decrypt.txt, CRIPTOSO.KEY,
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, ABOUT_FILES!.txt
DECRYPT_INSTRUCTIONS.TXT, How_To_Recover_Files.txt, How_To_Restore_Files.txt, Coin.Locker.txt
HOW_TO_DECRYPT_FILES.TXT, HOW TO DECRYPT FILES.TXT, RECOVERY_KEY.TXT, DECRYPT MY FILES#..txt
_secret_code.txt, DECRYPT_ReadMe.TXT, BLEEPEDFILES.TXT, AllFilesAreLocked_.bmp, WHAT IS SQ_.tx
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, IHAVEYOURSECRET.KEY
SECRET.KEY, SECRETIDHERE.KEY, HELP_DECYPRT_YOUR_FILES.HTML, README_DECRYPT_UMBRE_ID_[victim_id].txt
help_decrypt_your_files.html, RECOVERY_FILES.TXT, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.TXT, howto_recover_file_.txt, HELP_TO_SAVE_FILES.txt
how_recover+[random].txt, _how_recover_.txt, restore_files_.txt, recover_file_[random].txt
recover_files_[random].txt, recovery_file_[random].txt, help_recover_instructions+[3-random].txt
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt, help recover files.txt, Recovery+[5-random].txt
_ReCoVeRy_+[5-random].txt, _recovery_+cryptolocker, Recovery_[5-random].txt, RECOVERY.TXT 
RECOVER+[random].TXT, RECOVER[5-random].TXT, _rEcOvEr_[5-random].txt, +REcovER+[5-random]+.txt
+-HELP-RECOVER-+[5-random]-+.txt, RECOVER[random].TXT, HELP_DECRYPT_YOUR_FILES.TXT, DECRYPT.TXT
README_HOW_TO_UNLOCK.txt, encryped_list.txt, DECRYPTION_HOWTO.Notepad, Encrypted_Files.Notepad
_DECRYPT_INFO_[random].html, WHATHAPPENDTOYOURFILES.TXT, DecryptAllFiles_.txt, DecryptAllFiles.txt
README_FOR_UNLOCK.txt, HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT, YOUR_FILES_ARE_LOCKED.txt

Note: The [random] represents random characters which some ransom notes names may include.
You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) and here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
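As an added example (not BleepingComputer's or quietman7's tooling), the following Python script turns part of the note-name list above into regular expressions, walks a directory tree for matching files, counts in how many directories each note name appears (notes are typically dropped in every folder whose contents were encrypted, so a name seen in many folders is a far stronger signal than a lone README.txt), and lists randomly named .html/.txt/.png/.bmp/.url files sitting in a ProgramData-style folder. The sample tree, its folder names and the +REcovER+a1b2c+.txt note name are constructed here for demonstration and are not from the original post.

```python
"""Scan a directory tree for ransomware notes and loose note files.

Added example for this thread, not BleepingComputer's tooling.  The note names
come from the list in the post above; the sample tree below is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# A subset of the ransom note names listed above, with the
# [random] / [3-random] / [5-random] placeholders turned into wildcards.
NOTE_PATTERNS = [
    r"HELP_DECRYPT\.TXT",
    r"DECRYPT_INSTRUCTIONS?\.TXT",
    r"_Locky_recover_instructions\.txt",
    r"README\d{0,2}\.txt",
    r"\+REcovER\+[A-Za-z0-9]{5}\+\.txt",
    r"_?ReCoVeRy_\+[A-Za-z0-9]{5}\.txt",
    r"_?H_e_l_p_RECOVER_INSTRUCTIONS\+[A-Za-z0-9]{3}\.txt",
    r"HOW[ _]TO[ _]DECRYPT[ _]FILES\.TXT",
    r"recover_files?_[A-Za-z0-9]+\.txt",
    r"RECOVERY_FILES?\.TXT",
    r"DecryptAllFiles_?\.txt",
    r"YOUR_FILES_ARE_LOCKED\.txt",
]
NOTE_RE = re.compile(r"^(?:" + "|".join(NOTE_PATTERNS) + r")$", re.IGNORECASE)

# Extensions the post says to look for as randomly named files in ProgramData.
LOOSE_NOTE_EXTS = {".html", ".txt", ".png", ".bmp", ".url"}


def find_ransom_notes(root):
    """Return every path under root whose file name matches a known note name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if NOTE_RE.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def count_note_dirs(hits):
    """Map each note file name to the number of distinct directories holding it.
    Legitimate software ships README.txt too; a name present in many data
    folders is the signal that matters."""
    dirs_by_name = {}
    for path in hits:
        dirs_by_name.setdefault(os.path.basename(path), set()).add(os.path.dirname(path))
    return {name: len(dirs) for name, dirs in dirs_by_name.items()}


def find_loose_notes(programdata):
    """List files directly inside a ProgramData-style folder that carry one of
    the note extensions; the malware drops these under random names."""
    programdata = Path(programdata)
    if not programdata.is_dir():
        return []
    return sorted(str(p) for p in programdata.iterdir()
                  if p.is_file() and p.suffix.lower() in LOOSE_NOTE_EXTS)


def build_sample_tree(base):
    """Constructed sample (hypothetical names): three data folders that each got
    a note, one benign README, and two random-named files in a fake ProgramData."""
    base = Path(base)
    for sub in ("Pictures/2015", "Pictures/2016", "Documents"):
        d = base / sub
        d.mkdir(parents=True, exist_ok=True)
        (d / "+REcovER+a1b2c+.txt").write_text("!!! IMPORTANT INFORMATION !!!!\n")
    (base / "Documents" / "README.txt").write_text("a legitimate readme\n")
    pd = base / "ProgramData"
    pd.mkdir(exist_ok=True)
    (pd / "x7f3k2a9.bmp").write_bytes(b"BM" + b"\x00" * 14)
    (pd / "x7f3k2a9.html").write_text("<html></html>\n")
    (pd / "settings.ini").write_text("[app]\n")  # not a note extension, must be ignored
    return base


def demo():
    """Run the scan over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        hits = find_ransom_notes(root)
        return {
            "note_count": len(hits),
            "dirs_per_note": count_note_dirs(hits),
            "loose_notes": [os.path.basename(p) for p in find_loose_notes(root / "ProgramData")],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real machine you would point find_ransom_notes at the user profile and find_loose_notes at C:\ProgramData; the per-name directory count is what separates a dropped note from an ordinary README.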

#3 Nikhil_CV

Nikhil_CV

    Vestibulum Bleep


  • Members
  • 1,145 posts
  • OFFLINE
  • Gender:Male
  • Location:err: Destination unreachable! bash!
  • Local time:07:15 PM

Posted 02 April 2016 - 08:29 AM

I have submitted some screen captures of the ransomware [note, files created etc] to channel 3.

Looks like the extension is not altered, just the file contents. [Opening any file throws unable to open error]

 

The file name for note is very similar to +REcovER+[5-random]+.txt


Edited by Nikhil_CV, 02 April 2016 - 09:01 AM.

Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared with others. (signature contents © cv and Someone.......)

#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,492 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:08:45 AM

Posted 02 April 2016 - 02:07 PM

> I have submitted some screen captures of the ransomware [note, files created etc] to channel 3.
>
> Looks like the extension is not altered, just the file contents. [Opening any file throws unable to open error]
>
> The file name for note is very similar to +REcovER+[5-random]+.txt

 

Thanks for the submissions to the channel. I have confirmed this is a TeslaCrypt 4.0 case I'm afraid. The ransom notes match, as does the encrypted form of that recovery file you uploaded.

 

ID Ransomware will detect it as well if you upload a sample encrypted file, it can match the hex pattern of it even if the extension has not been changed.

 

I'm afraid there is no way to recover data without backups, or paying the ransom. You can try using recovery software such as ShadowExplorer, Recuva, and PhotoRec, but there are no guarantees. They are always worth a shot, you might get lucky with a handful of files.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
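The symptom in this thread is that the extension is unchanged but the file no longer opens because its bytes have been replaced with ciphertext. ID Ransomware matches the specific hex pattern of the encrypted file; that pattern is not given on this page, so the added Python example below (not ID Ransomware's or CryptoSearch's code) detects the generic symptom instead: it compares each file's header with the well-known magic bytes for its extension and reports the Shannon entropy of the first 4 KiB as supporting evidence. The sample files (intact.png, holiday.jpg, notes.xyz) are constructed inline; the pseudo-random bytes in holiday.jpg stand in for ciphertext.

```python
"""Flag files whose contents no longer match their extension.

Added example for this thread, not ID Ransomware's matcher.  Sample files
are constructed below; the magic-byte table holds well-known signatures.
"""
import math
import os
import random
import tempfile
from pathlib import Path

# Well-known file signatures for common user-data formats.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
}
SAMPLE_BYTES = 4096


def shannon_entropy(data):
    """Bits of entropy per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path):
    """Return (verdict, entropy) for one file.

    'suspect'  extension is known but the header does not match it
    'ok'       header matches the extension
    'unknown'  extension not in MAGIC; only the entropy is informative

    An intact JPEG or ZIP body is itself high-entropy, so entropy alone must
    not be used to call a file encrypted; the header check carries the verdict.
    """
    path = Path(path)
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = round(shannon_entropy(head), 2)
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return "unknown", entropy
    if any(head.startswith(sig) for sig in sigs):
        return "ok", entropy
    return "suspect", entropy


def scan_tree(root):
    """Classify every regular file under root -> {relative path: (verdict, entropy)}."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            results[str(p.relative_to(root))] = classify(p)
    return results


def build_sample_files(base):
    """Constructed sample: an intact PNG, a JPEG whose body was overwritten with
    seeded pseudo-random bytes (stand-in for ciphertext), and an unknown extension."""
    base = Path(base)
    rng = random.Random(2016)  # fixed seed so the demo is reproducible
    cipher_like = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    (base / "intact.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (base / "holiday.jpg").write_bytes(cipher_like)
    (base / "notes.xyz").write_bytes(b"plain text notes\n" * 20)
    return base


def demo():
    """Scan the constructed files and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_files(tmp))


if __name__ == "__main__":
    for rel, (verdict, ent) in sorted(demo().items()):
        print(f"{verdict:8} entropy={ent:4.2f}  {rel}")
```

A header mismatch on many files of the same type across a profile is the practical tell when the extension has not been renamed; files that report 'unknown' need a sample uploaded to ID Ransomware for a real match.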


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,395 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:45 AM

Posted 02 April 2016 - 06:27 PM

Since the infection has been confirmed by Demonslay335 as TeslaCrypt 4.0...rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff



#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,567 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:09:45 AM

Posted 03 April 2016 - 09:41 AM

This is actually Locky based on the TOR sites. Hard to tell them apart these days as they are using similar ransom notes. Please use this support topic instead:

 

Locky Ransomware Support and Help Topic - _Locky_recover_instructions.txt





