
ID Ransomware said “Crypt0l0cker”


  • This topic is locked
6 replies to this topic

#1 gandlz (Members, 4 posts)

Posted 02 December 2016 - 01:48 PM

Hello,

I had a PC today with the same problem. As I remember (will take a closer look next week):

ID Ransomware said “Crypt0l0cker”

MSE identified it as “Ransom:Win32/Teerac.Q”

Also 6-character random extension behind regular extension

Txt and html note in every folder (will provide as soon as possible)

One general question: on the affected PC, Windows UAC was enabled at standard settings. Did the user have to allow this?

Thanks,

Gandlz





#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,613 posts, Virginia, USA)

Posted 02 December 2016 - 01:51 PM

ID Ransomware said “Crypt0l0cker”

Any files that are encrypted with Crypt0L0cker (TorrentLocker) will have the .encrypted extension appended to the end of the encrypted data filename and leave files (ransom notes) named DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.HTML, INSTRUCCIONES_DESCIFRADO.HTML, How_To_Recover_Files.txt, How_To_Restore_Files.txt and HOW_TO_RESTORE_FILES.HTML. The newest variant of Crypt0L0cker (TorrentLocker) will have the .enc extension appended to the end of the encrypted data filename as explained here.

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

...Also 6-character random extension behind regular extension...

This may not be Crypt0L0cker...ID Ransomware cannot properly identify the ransomware without a ransom note since there are several different ransomware infections which utilize a random 4, 5, 6, 7 character extension. The best way to identify the different ransomwares that use "random character extensions" is the ransom note or at least information related to the email address used by the cyber-criminals.

I suggest you try uploading both encrypted files and ransom notes together at ID Ransomware since that provides a more positive match.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 quietman7 (Bleepin' Janitor, Global Moderator, 51,613 posts, Virginia, USA)

Posted 02 December 2016 - 01:55 PM

Edited comments above and split your posting into its own topic.

#4 gandlz (Topic Starter, Members, 4 posts)

Posted 02 December 2016 - 02:12 PM

I will provide that info asap.

Thanks



#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,613 posts, Virginia, USA)

Posted 02 December 2016 - 02:15 PM

You're welcome.

#6 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,085 posts, The Arctic Circle)

Posted 03 December 2016 - 11:03 AM


...Also 6-character random extension behind regular extension...

This may not be Crypt0L0cker...ID Ransomware cannot properly identify the ransomware without a ransom note since there are several different ransomware infections which utilize a random 4, 5, 6, 7 character extension. The best way to identify the different ransomwares that use "random character extensions" is the ransom note or at least information related to the email address used by the cyber-criminals.

I suggest you try uploading both encrypted files and ransom notes together at ID Ransomware since that provides a more positive match.


It is indeed crypt0l0cker. They use a 6-character random extension now.

xXToffeeXx~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

Malware Analyst at Emsisoft
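As an added triage helper (not code from the thread, from BleepingComputer or from ID Ransomware), the following classifies a file listing by the indicators quietman7 gives in post #2 (the .encrypted/.enc extensions and the ransom-note names) together with the random 4-7 character suffix pattern that xXToffeeXx confirms for current Crypt0L0cker, and reports whether enough is present for a reliable identification. REGULAR_EXT, NOT_RANDOM and the SAMPLE listing are constructed assumptions, not data from the affected PC.

```python
"""Added triage helper (not from the thread): classify filenames by the Crypt0L0cker
indicators quietman7 lists plus the random 4-7 character suffix xXToffeeXx confirms."""
import re
from collections import Counter

# Ransom-note filenames named in the thread (matched case-insensitively).
RANSOM_NOTES = {
    "decrypt_instructions.txt", "decrypt_instructions.html",
    "instrucciones_descifrado.html", "how_to_recover_files.txt",
    "how_to_restore_files.txt", "how_to_restore_files.html",
}
KNOWN_CRYPTO_EXT = (".encrypted", ".enc")  # older and newer variant per the thread
# Constructed assumptions: "regular" extensions a random suffix gets appended to,
# and legitimate second suffixes that would otherwise look random (page.doc.html).
REGULAR_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
NOT_RANDOM = {"html", "json", "xml", "bak", "orig", "tmp"}
RANDOM_SUFFIX = re.compile(r"^.+?(?P<ext>\.[A-Za-z0-9]+)\.(?P<rand>[A-Za-z0-9]{4,7})$")

def classify(name: str) -> str:
    """Return ransom_note, known_ext, random_suffix or clean for one filename."""
    lower = name.lower()
    if lower in RANSOM_NOTES:
        return "ransom_note"
    if lower.endswith(KNOWN_CRYPTO_EXT):
        return "known_ext"
    m = RANDOM_SUFFIX.match(name)
    if m and m["ext"].lower() in REGULAR_EXT and m["rand"].lower() not in NOT_RANDOM:
        return "random_suffix"  # candidate only: several families use this pattern
    return "clean"

def scan(names) -> Counter:
    """Count classifications over an iterable of filenames (e.g. os.listdir output)."""
    return Counter(classify(n) for n in names)

def verdict(counts: Counter) -> str:
    """The thread's advice: a note plus an encrypted sample gives ID Ransomware a match."""
    if counts["ransom_note"]:
        return "note found: upload note + encrypted sample to ID Ransomware"
    if counts["known_ext"] or counts["random_suffix"]:
        return "encrypted files but no note: identification unreliable, find the note"
    return "no indicators"

# Constructed sample listing, not from the affected PC in the thread.
SAMPLE = ["report.docx.k3x9qa", "photo.jpg.encrypted", "DECRYPT_INSTRUCTIONS.TXT",
          "notes.txt", "page.doc.html"]

if __name__ == "__main__":
    c = scan(SAMPLE)
    print(dict(c), "->", verdict(c))
```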


#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,613 posts, Virginia, USA)

Posted 03 December 2016 - 01:56 PM

Thanks. I wasn't aware of that addition...I will update my notes accordingly.

Since that is the case, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you (gandlz) posted any more questions, comments or requests for assistance in the above Crypt0L0cker support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff