
PC files just got encrypted ID Ransomware won't id them, help appreciated


11 replies to this topic

#1 paul-2011


Posted 28 April 2017 - 04:13 PM

All of a sudden images, text files, documents, etc. contain garbage inside. I can't seem to find the ransom note anywhere, and I tried to ID the encrypted files on ID Ransomware but had no luck with that.

I've attached a few sample files, if anyone can help it would be great.

Thanks a lot

http://wikisend.com/download/805596/SAMPLE.txt

http://wikisend.com/download/412692/capa.jpg


Edited by paul-2011, 28 April 2017 - 04:25 PM.




#2 quietman7


Posted 28 April 2017 - 05:58 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (https://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 paul-2011


Posted 28 April 2017 - 06:09 PM

Just submitted, thank you.



#4 quietman7


Posted 28 April 2017 - 06:13 PM

You're welcome.

#5 paul-2011


Posted 29 April 2017 - 10:11 AM

Since FireEye took down the website, is there any other tool out there that can decrypt CryptoLocker? Talos has many tools but none work with CryptoLocker.

Thanks



#6 cybercynic


Posted 29 April 2017 - 11:41 AM

The original Cryptolocker is dead and gone. If you still have files encrypted by that ransomware, you might try contacting FireEye.

There are imitations such as Crypt0l0cker (note the 0's). Crypt0l0cker is decryptable by Dr. Web for a price.

You shouldn't open multiple topics - you already have one open to which Quietman responded. Stick with that topic.


We are drowning in information - and starving for wisdom.


#7 paul-2011


Posted 29 April 2017 - 11:45 AM

> The original Cryptolocker is dead and gone. If you still have files encrypted by that ransomware, you might try contacting FireEye.
>
> There are imitations such as Crypt0l0cker (note the 0's). Crypt0l0cker is decryptable by Dr. Web for a price.
>
> You shouldn't open multiple topics - you already have one open to which Quietman responded. Stick with that topic.

Thanks, sorry about that. I thought it would help other people to find it since the other topic doesn't mention CryptoLocker in the title, even though it doesn't matter for Google....



#8 cybercynic


Posted 29 April 2017 - 11:52 AM

From ID Ransomware:

Please reference this case SHA1: 019a562f284cb578e7a2a6a78d6fa41033d0da08




#9 quietman7


Posted 29 April 2017 - 04:22 PM

A repository of all current knowledge regarding Crypt0L0cker (TorrentLocker) is provided by Grinler (aka Lawrence Abrams) in the TorrentLocker & Crypt0L0cker Ransomware Information Guide and FAQ.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

#10 paul-2011


Posted 02 May 2017 - 10:18 AM

It turned out to be an updated version of PClock2, confirmed by DrWeb experts.

It's pretty much game over, at least for now.

Thanks for the support.



#11 paul-2011


Posted 02 May 2017 - 10:20 AM

> From ID Ransomware:
>
> Please reference this case SHA1: 019a562f284cb578e7a2a6a78d6fa41033d0da08

Submitted to DrWeb for analysis and they confirmed it to be PClock2, the new variant; up until now there is no cure available.

Thanks for the help.



#12 quietman7


Posted 02 May 2017 - 01:36 PM

Yes, unfortunately, newer PClock variants are not decryptable and there is no longer any way to provide decryption without paying the ransom. The Emsisoft Decrypter created for earlier PClock variants will not work...Fabian explains why in Post #987.



