Infected with cryptolocker files changed to .encrypted


  • This topic is locked
5 replies to this topic

#1 Lewis80

Posted 21 May 2016 - 09:04 PM

Hi, I have a friend's computer we need help with.
All personal files have been encrypted and websites attached with instructions to pay (however none of them work).
Is it possible to decrypt them or are they gone for good?
Really need some help please.
Tia

#2 TheTripleDeuce


Posted 21 May 2016 - 09:17 PM

For the latest information on the CryptoLocker, please see this guide/FAQ: CryptoLocker Ransomware Information and FAQ

Is it possible to decrypt files encrypted by CryptoLocker?

Updated 8/6/14:

FireEye and Fox-IT have released a method of possibly retrieving your private decryption key and a decrypter to use to decrypt your files. These keys were made available through Operation Tovar and were not retrieved by cracking the encryption. To try and retrieve your key, please visit their site http://www.decryptcryptolocker.com/ and enter your email and upload a copy of one of your CryptoLocker encrypted files. The service will then attempt to decrypt that file using all of the known encryption keys. If they are able to successfully decrypt your file, they will then email you the decryption key with instructions on how to use it.

In order to use the decryption you need to paste the entire decryption key they send you, quotes and all, after the --key argument of the Decryptolocker.exe program. An example of how you would decrypt all of the folders and files under a particular folder can be found in this post. As the instructions and how to use the tool are not particularly user-friendly, if you need any help, please feel free to ask in the CryptoLocker Support Topic. It should also be noted that you can use a different script, that it appears the FireEye/Fox-IT one was based off of, as well. Instructions on using the alternative decrypter can be found here.

If your key is not available using the above methods, the only methods you have of restoring your files are from a backup or Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but it is not always successful. More information about how to restore your files via Shadow Volume Copies can be found in this section below.

 


Edited by TheTripleDeuce, 21 May 2016 - 09:22 PM.
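
The Shadow Volume Copies fallback mentioned in the FAQ text above can be checked before any restore is attempted. The following PowerShell is an added example, not part of the thread or of any tool named in it; the `$Root` parameter and the `.encrypted` extension (taken from the topic title) are assumptions, and the script only reads file metadata and lists existing snapshots.

```powershell
# Added example: read-only triage on the affected machine.
# Run from an elevated PowerShell prompt; querying Win32_ShadowCopy normally needs admin rights.
# $Root and the ".encrypted" extension are assumptions based on this thread's title.
param(
    [string]$Root = $env:USERPROFILE
)

# 1. Inventory encrypted files. Their LastWriteTime approximates when encryption ran.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.encrypted' }

if (-not $encrypted) {
    Write-Output "No .encrypted files found under $Root"
    return
}

$firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Output ("{0} encrypted files; earliest modification: {1}" -f @($encrypted).Count, $firstHit)

# 2. Show which folders were hit hardest, to prioritise what to restore.
$encrypted |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# 3. List Shadow Volume Copies and flag those taken before the first encrypted file.
#    Only snapshots that predate the encryption can contain clean copies.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue

if (-not $shadows) {
    Write-Output "No Shadow Volume Copies found (never enabled, or deleted by the ransomware)."
    return
}

$shadows |
    Sort-Object InstallDate |
    Select-Object ID, VolumeName, InstallDate,
        @{ Name = 'PredatesEncryption'; Expression = { $_.InstallDate -lt $firstHit } } |
    Format-Table -AutoSize
```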


#3 Demonslay335


Posted 21 May 2016 - 09:22 PM

Your files were most likely hit by Crypt0L0cker, a fake variant of the original. You can confirm by the name of the ransom note, which they have translated to over 10 different languages to my knowledge. You can upload a ransom note and encrypted file to the service in my signature for confirmation.

 

Afraid there is no solution for Crypt0L0cker. You can find more information in the appropriate support topic.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]



#4 Lewis80


Posted 21 May 2016 - 09:58 PM

Yes the notes say Crypt0L0cker. Thanks for the help, I'll start going through your suggestions now.

#5 Lewis80


Posted 21 May 2016 - 10:19 PM

I've tried visiting http://www.decryptcryptolocker.com/

however it says

This site can’t be reached

www.decryptcryptolocker.com’s server DNS address could not be found.



#6 quietman7


Posted 22 May 2016 - 07:12 AM

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the Crypt0L0cker Ransomware Support & Discussion topic noted by Demonslay335...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.


