
Advice, please - probable ransomware infection



#1 dwywit

Posted 20 April 2016 - 09:01 PM

So - a new customer calls with generic-sounding problems - "the icons on my screen have changed". I get there and ask a few questions, start the computer (HP laptop with a "Windows 7" sticker), and up comes Win 10. I start to suspect the Win 10 upgrade - only a few days old, according to the customer - has not gone smoothly.

 

JPG, PDF, XLSX files on the desktop all have the Adobe reader icon, so I suspected that it's a file association problem, except when I go to the items' properties, they all have ".ENCRYPTED" as an extra file extension. I quickly asked the customer if the machine had file encryption before the Win 10 upgrade, he said "No", AND THEN HE TELLS ME "it asked for some money when I tried to open one of my files", so I quickly shut the machine down.

 

A few more questions later and it becomes apparent that there's some sort of infection there - he said he opened an email purportedly from Australia Post, printed it out, took it to the post office, and they told him it was probably a virus. That was when he called me.

 

So now I have the powered-off laptop, and I'm in a position to extract the hard drive and mount it in an external cradle on my machine to do some investigating.

 

As I don't have the information requested in the guide about how to post a new ransomware topic, could I please have some advice on how to proceed.

 

1. there are no backups

2. customer adamantly refuses to pay ransom, also can't remember what the ransom demand looked like.

3. only one folder of files needs to be rescued, everything else is optional

4. customer is otherwise happy to format and re-install windows

 

cheers

 

Bernie Dwyer




#2 TheTripleDeuce

Posted 20 April 2016 - 09:17 PM

Check out these threads for more information on the .encrypted-related ransomware and its removal:

http://www.bleepingcomputer.com/forums/t/574686/torrentlocker-changes-its-name-to-crypt0l0cker-and-bypasses-us-computers/

 

http://www.bleepingcomputer.com/virus-removal/torrentlocker-cryptolocker-ransomware-information


Edited by TheTripleDeuce, 20 April 2016 - 09:21 PM.


#3 dwywit

Posted 20 April 2016 - 09:25 PM

Thanks - I had a look and that's not it - according to the customer. I showed him (on another computer) the ransomware samples from BleepingComputer, and he said he didn't recognise any of them. Come to think of it, he was pretty evasive with details - couldn't remember what the ransom demand looked like ("it was just one line"), and couldn't remember what file he was trying to open.

 

Is it safe to examine this hard drive using another computer? i.e. plugged into an external cradle so it just appears as a data drive? Thanks



#4 TheTripleDeuce

Posted 20 April 2016 - 09:30 PM

I'd personally only recommend doing so on a "sandbox" or "test box", as the infection could possibly spread to other connected drives. Just make sure whatever is on the PC you plan to connect it to has nothing you're worried about losing, in case it does infect the PC you're using to examine the drive.



#5 Demonslay335

Posted 20 April 2016 - 10:21 PM

This infection would be dormant if hooked up to another machine. It can only infect you if you run an executable from that drive.

The biggest indicator will be the ransom note and its filename. If it is Crypt0L0cker, it will say so in the first lines of the note text. If you locate a ransom note, you can upload it to the service in my signature to identify the ransomware it is from.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#6 dwywit

Posted 20 April 2016 - 10:25 PM

OK will do, thanks. Presumably I should start in the user's Desktop and "My Documents" directory? Is it likely to drop the ransom note anywhere else?



#7 Demonslay335

Posted 21 April 2016 - 12:02 AM

Yes, those are most common. Most ransomware will drop it in every affected folder too.



#8 quietman7

Posted 21 April 2016 - 03:48 PM

Post back here what you find...once the infection is identified/confirmed, we can direct you to the appropriate discussion topic for further assistance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 dwywit

Posted 21 April 2016 - 09:11 PM

OK - plugged it into an external cradle and had a look - it's Crypt0L0cker.

 

It seems to have only propagated through the desktop and desktop sub-folders, and NOT through desktop shortcuts, to "My Documents", "My Pictures", or anything else. It's dropped a file called "HOW_TO_RESTORE_FILES.html" in every infected folder. 

 

The structure in the user's profile directory is a little unusual - he's put a shortcut to the user name on the desktop - but it's a shortcut to the top level of the user profile, and not to "My Documents" or "My Pictures", so all the subdirectories of user files are actually sitting in the root of the user profile together with the usual "appdata" etc., and not underneath "My Documents" or the usual Win 7 user profile structure - although there are a ton of files and sub-folders under "My Documents" and "My Pictures", also.

 

So, it's a mess, but a mostly un-encrypted mess. He's happy to format and re-install (the HP recovery partition is intact), so all I've got to do is copy all his user files to another disk, and kick off the HP recovery process.

 

Before I do that, a couple of questions:

 

1. Is there anyone at BleepingComputer who wants to see any examples of this code? It's probably come via an email - fake Australia Post delivery notification that's probably sitting in his outlook.pst file - I don't know where on the computer it's been dropped.

2. What's a reliable scrubber program I can use to clean the user files? I personally like Malwarebytes, but I'll take whatever you recommend. I have a suspicion that this code is unusual, perhaps a new variant or an amateur's version, because of the fact it didn't manage to propagate beyond the desktop - so I need to be sure that a scrubber will be able to locate this and make sure it's gone, gone, gone.

 

Thanks.

 

P.S. could someone PM me about a donation? There's a minor issue I'd like to discuss, thanks.



#10 quietman7

Posted 22 April 2016 - 07:31 AM

Any files that are encrypted with Crypt0L0cker (TorrentLocker) will have the .encrypted extension appended to the end of the affected filename. Crypt0L0cker will leave files (ransom notes) with names like DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.HTML, INSTRUCCIONES_DESCIFRADO.HTML, How_To_Recover_Files.txt, How_To_Restore_Files.txt and HOW_TO_RESTORE_FILES.HTML.

A repository of all current knowledge regarding Crypt0L0cker (TorrentLocker) is provided by Grinler (aka Lawrence Abrams), in this topic: TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ

Unfortunately, decryption of Crypt0L0cker (TorrentLocker)...is not possible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. The only methods you have of restoring your files are from backup, file recovery software, or from Shadow Volume Copies as explained in the FAQ: How to restore files encrypted by TorrentLocker...but there is no guarantee that will work.

However, you may want to read this BC News article: Dr.Web quietly decrypting TorrentLocker for paid customers or distributors.
Updated policy from Dr.Web (11/25/15): Free file decryption assistance only for PCs protected by Dr.Web at the moment of infection

There are ongoing discussions in these topics where you can ask questions and seek further assistance. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff

PS...I will send you a PM.
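The triage the thread walks through (posts #5, #7, #9 and #10) comes down to two indicators checked on a drive mounted as plain data on a separate analysis machine: files with ".encrypted" appended to their names, and a ransom note with one of the listed filenames dropped in each affected folder. The script below is an added example of that check and is not code from the thread or from any of its participants. It walks a mount read-only, counts encrypted files per directory, hashes any recognised note so it can be submitted to an identification service, and flags folders that hold encrypted files but no note (the "didn't propagate beyond the desktop" oddity from post #9 is exactly the kind of thing worth a manual look). The note filenames are the ones quoted in post #10; the function names and the sample directory tree are constructed for this example.

```python
"""Offline triage of a suspect drive mounted read-only on an analysis box.

Added example, not code from the BleepingComputer thread. Indicators are the
ones the thread names: a ".encrypted" suffix on files and ransom notes with
known names in each hit folder. Function names and sample tree are constructed.
"""
import hashlib
import os
import tempfile
from collections import Counter

# Note names quoted in the thread; matched case-insensitively because the same
# note showed up as HOW_TO_RESTORE_FILES.html in post #9.
RANSOM_NOTE_NAMES = {
    "DECRYPT_INSTRUCTIONS.TXT",
    "DECRYPT_INSTRUCTIONS.HTML",
    "INSTRUCCIONES_DESCIFRADO.HTML",
    "HOW_TO_RECOVER_FILES.TXT",
    "HOW_TO_RESTORE_FILES.TXT",
    "HOW_TO_RESTORE_FILES.HTML",
}
ENCRYPTED_SUFFIX = ".encrypted"


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks; never slurp an unknown file whole on a triage box."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def original_name(filename):
    """Recover the pre-infection name for the restore inventory: 'a.jpg.encrypted' -> 'a.jpg'."""
    if filename.lower().endswith(ENCRYPTED_SUFFIX):
        return filename[: -len(ENCRYPTED_SUFFIX)]
    return filename


def triage(root):
    """Walk `root` without writing anything and summarise what was hit.

    encrypted_by_dir: {dir: count of *.encrypted files}
    notes:            [(note path, sha256)] ready for upload to an identification service
    notes_missing:    dirs with encrypted files but no note (unusual; inspect by hand)
    """
    encrypted_by_dir = Counter()
    notes = []
    dirs_with_note = set()
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted_by_dir[dirpath] += 1
            elif name.upper() in RANSOM_NOTE_NAMES:
                dirs_with_note.add(dirpath)
                notes.append((full, sha256_of(full)))
    notes_missing = sorted(d for d in encrypted_by_dir if d not in dirs_with_note)
    return {
        "encrypted_by_dir": dict(encrypted_by_dir),
        "notes": notes,
        "notes_missing": notes_missing,
    }


def build_sample_tree(base):
    """Constructed sample: Desktop hit with a note, a Desktop sub-folder hit
    without one, and an untouched Documents folder. File contents are dummies."""
    desktop = os.path.join(base, "Users", "bob", "Desktop")
    invoices = os.path.join(desktop, "invoices")
    documents = os.path.join(base, "Users", "bob", "Documents")
    for d in (invoices, documents):
        os.makedirs(d, exist_ok=True)
    sample_files = {
        os.path.join(desktop, "photo.jpg.encrypted"): b"\x00\x01opaque",
        os.path.join(desktop, "HOW_TO_RESTORE_FILES.html"): b"<html>note</html>",
        os.path.join(invoices, "q1.xlsx.ENCRYPTED"): b"\x00\x01opaque",
        os.path.join(documents, "notes.txt"): b"plain text, untouched",
    }
    for path, content in sample_files.items():
        with open(path, "wb") as fh:
            fh.write(content)


def run_sample():
    """Build the sample tree in a temp dir, triage it, and return the summary
    with paths made relative (forward slashes) so results are comparable."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        raw = triage(tmp)

        def rel(p):
            return os.path.relpath(p, tmp).replace(os.sep, "/")

        return {
            "encrypted_by_dir": {rel(d): n for d, n in raw["encrypted_by_dir"].items()},
            "notes": [(rel(p), h) for p, h in raw["notes"]],
            "notes_missing": [rel(d) for d in raw["notes_missing"]],
        }


if __name__ == "__main__":
    summary = run_sample()  # point triage() at the real mount point instead
    for d, n in sorted(summary["encrypted_by_dir"].items()):
        print(f"{n:3d} encrypted file(s) in {d}")
    for path, digest in summary["notes"]:
        print(f"ransom note {path} sha256={digest}")
    for d in summary["notes_missing"]:
        print(f"encrypted files but no note in {d}; inspect by hand")
```

On a real job, call `triage()` on the cradle's mount point and hash the first note found for the identification service, rather than running `run_sample()`. Nothing is executed from the suspect drive and nothing is written to it, which is the condition post #5 gives for the infection staying dormant.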



