Posted 23 September 2014 - 10:15 AM
I did read that.
And tried in the hope that it was an old version still going. But it's not.
Huge thanks for creating the decrypter and cracking the original. If only the glory hunters could have keep quiet, I wouldn't still have a problem with the NAS which doesn't appear to have shadow copies on it.
DecrypterFixer
Posted 23 September 2014 - 10:32 AM
Always a pleasure to try and help. And great name, Glory Hunters. I like that 
. Im sorry to hear about ur NAS, if it makes you feel any better im still looking for any bugs this thing may have.
Posted 23 September 2014 - 10:43 AM
That's all they are. It appears you did all the work and found the "backdoor" to decrypting it.
Then others jumped on it and shouted about how clever they were in finding the faults with it just so they could bask in the glory and everyone would know what hero's they were.
If you could find a way to track down the owner of the bitcoin account. That would help me greatly 
I may never get my files back but knowing that the scum that created and sent this virus out into the world would be drinking through a straw would most definitely take the edge off...
I'm just working out the best way to make sure we have backups that are secure now.
We won't be able to stop these things getting in again but if we can limit the damage they do to only losing a days work then that would be enough.
Am I right in thinking that if we had encrypted backup files, it couldn't encrypt them further?
DecrypterFixer
Posted 23 September 2014 - 10:47 AM
You are correct, and sadly this isnt the first time they have done this. And it wont be the last.
There is one method i have been trying, but im lacking unique files. Its a long shot, but if you would like to help me test it, you could send your Ransom Note and a couple of encrypted files to Decryptorbit@outlook.com
Sadly Bitcoins is as anon as it gets. But this guy will slip up one day, they always do.
And if you had encrypted files, it would just encrypt right over the encryption sadly.
Posted 23 September 2014 - 10:54 AM
I have JUST run emsisoft full scan on the original infected machine to try and get rid of it before going through and reinstating all the files but it hasn't finished running yet.
If you tell me exactly what you want I can send them over.
Or I can give you teamviewer access and you can get them yourself before I press the final delete button on emsisoft?
Send me a PM if you want to log on through teamviewer. I'm here for another 15 minutes.
Posted 23 September 2014 - 05:17 PM
(moved)
Edited by j_oyay, 23 September 2014 - 05:38 PM.
Posted 24 September 2014 - 06:18 AM
Aaaaand I've got everything back.
Persistance and talking to the right people got me sorted and saved £627 too. Not only did it save us that money but it denied the thieving scum that wrote this virus that money too.
And I couldn't have done it without the help of this forum.
Just hope I never have to deal with it again.
Posted 24 September 2014 - 07:04 AM
Posted 24 September 2014 - 07:51 AM
If it is the new variant, you will not be able to de-crypt your files regardless of the reformat. Sorry
Posted 24 September 2014 - 08:05 AM
then you had the very first version, which is no longer used or you were lucky enough to not have the command go through, which can happen sometimes
If the user account running the malware doesn't have Administrator privileges the vssadmin delete command will fail.
• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!
Proud graduate of GeekU and member of UNITE
___
Rui
Posted 24 September 2014 - 09:01 AM
J K did emsisoft fix the problem?
It removed the virus but didn't fix the encrypred files.
Posted 25 September 2014 - 01:07 AM
Wanted to contribute some info.
Had a client call me with this on Wednesday morning. I used my Acronis Rescue Media to create a disk backup onto an empty external drive then ran ESET SysRescue from a CD which found 1780 infections. Cleaning wasn't an option so I deleted them. Booting into Windows I had to re-enable a number of services which had been changed to disabled (Security Services and Windows Update to name 2). Microsoft Security Essentials was manhandled by the virus, it called the infection Crowti.A and Crowti.B in the detected items list and had them as "Quarantined". I have uninstalled and reinstalled MSE from a new download.
All of the docs, pics and such are corrupted. Fair to say as of right now, no chance of recovery?
I will hang onto the Acronis image for now, hopefully someone can develop a method of decrypting. If I can be of assistance, please let me know.
I have been using MSE pretty much since it was 1st introduced back in the day (on my systems and also recommending it for clients). Are there AV programs that were able to get in front of this? I am concerned that MSE was caught with it's pants down.
Hopefully I don't start getting a flood of calls ...
Posted 25 September 2014 - 06:01 PM
Hi DecrypterFixer,
I have downloaded the decrypter and it appeared to work as I can see both the encrypted files and the unencrypted files.
However none of the unencrypted files will open with the error message on PDF's of "Adobe Reader could not open the file because it is either not a supported file type or because the file has been damaged".
With Excel files I get "Excel cannot open the file because the file format or file extension in not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file"
Any ideas on this twist??
Posted 25 September 2014 - 06:06 PM
0 members, 1 guests, 0 anonymous users
Back to top
