
If I buy bitcoin on a different machine can I then use it to pay locky ransom?


28 replies to this topic

#1 chrisarnt

Posted 28 June 2016 - 01:54 PM

If I buy bitcoin on a different machine can I then use it to pay locky ransom?

 

I imagine this is safer than using the infected machine. 

 

Has anyone paid them and had it work?

 

Lemme know. 

 




#2 TheTripleDeuce

Posted 28 June 2016 - 02:08 PM

Yes, it is possible. A bitcoin is basically a string of characters (as far as I know).



#3 chrisarnt (Topic Starter)

Posted 28 June 2016 - 02:11 PM

Ugh!!!!!!!!!

They want 2 BTC. That's $1300.

I was willing to gamble on the 0.5 Bitcoin I read about in some articles, but not $1300. 

 

So, now I need to make sure it's all gone and then try and see if I can recover a shadow copy. 

 

What should I run? Combofix? 



#4 Viper_Security

Posted 28 June 2016 - 02:11 PM

Don't pay the ransom; you have an infection.

 

 

Run these:
ADWCleaner:  http://www.bleepingcomputer.com/download/adwcleaner/
Rkill:
JRT: https://www.malwarebytes.com/junkwareremovaltool/
AutoRuns: http://filehippo.com/download_autoruns/ <-- Delete everything that says "file not found"
Install This:

If You Can download:

MBAR: Malwarebytes Anti-Rootkit (https://www.malwarebytes.com/antirootkit/)

OR

TDSSKiller (http://usa.kaspersky.com/downloads/TDSSKiller)


Edited by Viper_Security, 28 June 2016 - 02:13 PM.

    IT Auditor & Security Professional



#5 cybercynic

Posted 28 June 2016 - 02:28 PM


Usually, ransomware deletes itself after completing encryption. However, some friends may have tagged along. I would use Emsisoft and/or Malwarebytes to clear up remnants. You might also use the ESET online scanner. Other possibilities were given by the previous poster. The encrypted files won't be deleted; they aren't infected, just encrypted. Don't run ComboFix. It can be dangerous and should only be run at the request of an expert in the forums.


We are drowning in information - and starving for wisdom.


#6 chrisarnt (Topic Starter)

Posted 28 June 2016 - 02:28 PM

I won't pay it. 

But all the files on my dad's computer are encrypted. They all have random names and the extension .locky.

I would like to get them unencrypted. 

 

I want to see if there is a shadow copy somewhere that didn't get deleted, but I don't want to go looking for it while still infected. 

 

If I run that stuff will it delete all my renamed files?



#7 chrisarnt (Topic Starter)

Posted 28 June 2016 - 02:30 PM


 

ESET online scanner takes hours!!! I just downloaded all that stuff to my thumb drive and will reboot his computer in safe mode to run it.

 

What about this?  

Emsisoft Decrypter for AutoLocky

 

Will that do anything to mine?

 



#8 cybercynic

Posted 28 June 2016 - 02:33 PM

Don't go running programs at random! AutoLocky is NOT the same as Locky. If you ran that decrypter on Locky files, it might corrupt them or just skip over them.




#9 Viper_Security

Posted 28 June 2016 - 02:35 PM


I'm going to be honest: running those will remove any infections you have, but I'm not certain it will not delete the renamed files.

 

This might help though:

 

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select the C: drive in the left panel
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

 

Or a file recovery program.


Don't go running programs at random! AutoLocky is NOT the same as Locky. If you ran that decrypter, on Locky files, it might corrupt them or just skip over them. 

That was my next question.

 

 

What is the Extension it's using?


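The ShadowExplorer steps above, done from an elevated PowerShell prompt instead, as an added example that is not part of the thread or of ShadowExplorer: it lists the shadow copies of C: through WMI (which also shows at once whether the ransomware already deleted them, in which case there is nothing to restore), exposes the newest one through a directory symlink, and copies a single file out of it. The Users\Dad\Documents\taxes.docx path and the E:\recovered destination are assumptions; Windows PowerShell 5.1 on the affected machine is assumed too.

```powershell
# Added example (not from the thread): restore one file from the newest
# remaining Volume Shadow Copy of C: without ShadowExplorer.
# Run as Administrator. Paths below are assumptions for illustration.

param(
    [string]$RelativePath = 'Users\Dad\Documents\taxes.docx',  # assumed file
    [string]$RestoreTo    = 'E:\recovered'                     # assumed USB drive
)

# 1. Enumerate shadow copies belonging to the C: volume. If the ransomware
#    ran "vssadmin delete shadows /all", this list is empty.
$volume  = Get-WmiObject Win32_Volume -Filter "DriveLetter = 'C:'"
$shadows = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending      # DMTF date strings sort chronologically

if (-not $shadows) {
    Write-Warning 'No shadow copies of C: remain. Try a file-recovery tool instead.'
    return
}

# Show what is available so an older snapshot can be chosen if needed.
$shadows | ForEach-Object {
    '{0}  created {1}' -f $_.ID,
        [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
}

# 2. Expose the newest snapshot as a directory. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and mklink needs the
#    trailing backslash.
$newest = $shadows[0]
$link   = Join-Path $env:TEMP 'shadow'
if (Test-Path $link) { cmd /c rmdir $link | Out-Null }
cmd /c mklink /d $link "$($newest.DeviceObject)\" | Out-Null

# 3. Copy the pre-encryption version out. Copy, never move or edit in place:
#    the snapshot is read-only and should stay intact for further recoveries.
$src = Join-Path $link $RelativePath
if (Test-Path $src) {
    New-Item -ItemType Directory -Force -Path $RestoreTo | Out-Null
    Copy-Item -Path $src -Destination $RestoreTo
    Write-Host "Restored $RelativePath from shadow copy $($newest.ID)"
} else {
    Write-Warning "$RelativePath is not in shadow copy $($newest.ID); try an older one."
}

# 4. Drop the link. The shadow copy itself is untouched.
cmd /c rmdir $link | Out-Null
```

Copying to a separate drive rather than back onto C: matters for the same reason the thread gives for not running random tools: every write to C: risks overwriting deleted-file data that a file-recovery program could otherwise still carve out if the shadow copies turn out to be gone.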


#10 cybercynic

Posted 28 June 2016 - 02:42 PM

Good point, since both Locky and Autolocky use the .locky extension. Maybe, he should check this at ID-Ransomware?  

 

Anyway, I'll let you handle this the rest of the way.


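Before any decrypter is tried, an inventory of the .locky files backs up cybercynic's point that the extension alone does not identify the family. The PowerShell below is an added example, not from the thread or from ID Ransomware: it counts the .locky files, separates those whose original name was replaced by a hex string from those that kept it (a heuristic drawn from chrisarnt's description of random names, not a signature), brackets the time window in which encryption ran from file timestamps (useful later when picking a shadow-copy date), locates probable ransom notes by name pattern (also an assumption), and copies one sample pair to a USB drive for identification. The C:\Users starting point and E:\locky-samples are assumptions.

```powershell
# Added example (not from the thread): triage .locky files so the ransomware
# family can be identified before any decrypter touches them.
# The hex-name test and note-name patterns are assumptions, not signatures.

param([string]$Root = 'C:\Users')   # assumed starting point

$encrypted = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.locky' }

# Classify by whether the original file name survived. "report.docx.locky"
# still shows the original name; a name that is only hex digits (and dashes)
# does not, which matches the "random names" chrisarnt described.
$renamed = @(); $kept = @()
foreach ($f in $encrypted) {
    if ($f.BaseName -match '^[0-9A-Fa-f-]{16,}$') { $renamed += $f } else { $kept += $f }
}

'{0} files with the .locky extension'                      -f $encrypted.Count
'{0} with the original name replaced by a hex string'      -f $renamed.Count
'{0} with the original name still visible'                 -f $kept.Count

# Earliest and latest write times bound when encryption ran; a shadow copy
# created before the minimum is the one worth restoring from.
$encrypted | Measure-Object LastWriteTime -Minimum -Maximum |
    Select-Object Minimum, Maximum

# Probable ransom notes: small txt/html/bmp files dropped beside encrypted
# files whose names mention instructions, recovery or decryption (assumption).
$dirs  = $encrypted | Select-Object -ExpandProperty DirectoryName -Unique
$notes = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in '.txt', '.html', '.bmp') -and
                       ($_.Name -match 'instruction|recover|decrypt') }
}
$notes | Select-Object -Unique FullName

# Preserve one sample pair (note + encrypted file) for upload. Copy only;
# do not rename them or feed them to a decrypter picked by extension.
$out = 'E:\locky-samples'   # assumed USB drive
New-Item -ItemType Directory -Force -Path $out | Out-Null
$encrypted | Select-Object -First 1 | Copy-Item -Destination $out
$notes     | Select-Object -First 1 | Copy-Item -Destination $out
Get-FileHash -Path (Join-Path $out '*') -Algorithm SHA256 | Format-Table Hash, Path
```

The hashes give a stable reference for the samples if they are later discussed with the forum's malware experts, and the modification-time range is the figure to compare against the shadow-copy creation dates before choosing which snapshot to restore from.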


#11 Viper_Security

Posted 28 June 2016 - 02:46 PM


The more help the better, haha, and I'll be working with my security team to create a tool that removes ransomware and attempts to decrypt it.

 

Could take some time to compile it. I'm getting frustrated with this ransomware crap, as I'm sure others are.




#12 chrisarnt (Topic Starter)

Posted 28 June 2016 - 02:47 PM

OK.  That's what I'm looking for. Shadow copy finder. 

 

But what should I run to be certain I don't corrupt any hidden shadow copies?

 

Which of the programs you said?



#13 Viper_Security

Posted 28 June 2016 - 02:51 PM


For that, I would suggest Rkill (it kills suspicious/malicious processes that are running so you can use your anti-infection software).




#14 chrisarnt (Topic Starter)

Posted 28 June 2016 - 03:00 PM

Ok. 


 

I've contributed to BleepingComputer before, and I'll contribute half a bitcoin if you can make a decrypter that works on my files.

OK. I was able to download TDSSKiller and ran it. The victim computer is in safe mode with networking.

 

What now? Should I run something else? 



#15 Viper_Security

Posted 28 June 2016 - 03:02 PM


I will work with the malware experts here at Bleeping; I of course need their permission first. Though TDSSKiller and MBAR are both anti-rootkits, also run MBAR.

