Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

TorrentLocker Support and Discussion Thread (CryptoLocker copycat)


  • Please log in to reply
419 replies to this topic

#16 J_K

J_K

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 23 September 2014 - 10:15 AM

I did read that.
And tried in the hope that it was an old version still going. But it's not.
Huge thanks for creating the decrypter and cracking the original. If only the glory hunters could have keep quiet, I wouldn't still have a problem with the NAS which doesn't appear to have shadow copies on it.



BC AdBot (Login to Remove)

 


#17 Nathan

Nathan

    DecrypterFixer


  •  Avatar image
  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:59 PM

Posted 23 September 2014 - 10:32 AM

Always a pleasure to try and help. And great name, Glory Hunters. I like that :P . Im sorry to hear about ur NAS, if it makes you feel any better im still looking for any bugs this thing may have.


Have you performed a routine backup today?

#18 J_K

J_K

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 23 September 2014 - 10:43 AM

That's all they are. It appears you did all the work and found the "backdoor" to decrypting it. 
Then others jumped on it and shouted about how clever they were in finding the faults with it just so they could bask in the glory and everyone would know what hero's they were.

If you could find a way to track down the owner of the bitcoin account. That would help me greatly :) I may never get my files back but knowing that the scum that created and sent this virus out into the world would be drinking through a straw would most definitely take the edge off...
 

I'm just working out the best way to make sure we have backups that are secure now.
We won't be able to stop these things getting in again but if we can limit the damage they do to only losing a days work then that would be enough.

Am I right in thinking that if we had encrypted backup files, it couldn't encrypt them further?



#19 Nathan

Nathan

    DecrypterFixer


  •  Avatar image
  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:59 PM

Posted 23 September 2014 - 10:47 AM

You are correct, and sadly this isnt the first time they have done this. And it wont be the last.

 

There is one method i have been trying, but im lacking unique files. Its a long shot, but if you would like to help me test it, you could send your Ransom Note and a couple of encrypted files to Decryptorbit@outlook.com

 

Sadly Bitcoins is as anon as it gets. But this guy will slip up one day, they always do.

 

And if you had encrypted files, it would just encrypt right over the encryption sadly. 


Have you performed a routine backup today?

#20 J_K

J_K

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 23 September 2014 - 10:54 AM

I have JUST run emsisoft full scan on the original infected machine to try and get rid of it before going through and reinstating all the files but it hasn't finished running yet.
If you tell me exactly what you want I can send them over.
Or I can give you teamviewer access and you can get them yourself before I press the final delete button on emsisoft?

 

Send me a PM if you want to log on through teamviewer. I'm here for another 15 minutes.



#21 j_oyay

j_oyay

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 23 September 2014 - 05:17 PM

(moved)


Edited by j_oyay, 23 September 2014 - 05:38 PM.


#22 J_K

J_K

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 24 September 2014 - 06:18 AM

Aaaaand I've got everything back.
Persistance and talking to the right people got me sorted and saved £627 too. Not only did it save us that money but it denied the thieving scum that wrote this virus that money too.

 

And I couldn't have done it without the help of this forum.

 

Just hope I never have to deal with it again.



#23 dr537585

dr537585

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 24 September 2014 - 06:37 AM

J K did emsisoft fix the problem?



#24 barbersfort

barbersfort

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 24 September 2014 - 07:04 AM

A customers  PC was infected with this and we just formatted / reinstalled windows and intended to restore from mozy backups.
 
Alas not all the data we needed was being backed up.!!
 
We are now trying some recovery tools (data ease, recovermyfiles) to recover the data and pay the ransom if we have to.
 
But does anyone know if even the deencryption process   will work as we have reformmated / reinstated windows)?
 
thanks for your help


#25 malwareanalyzr

malwareanalyzr

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 24 September 2014 - 07:51 AM

If it is the new variant, you will not be able to de-crypt your files regardless of the reformat. Sorry



#26 SleepyDude

SleepyDude

  •  Avatar image
  • Malware Response Team
  • 4,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:04:59 AM

Posted 24 September 2014 - 08:05 AM

then you had the very first version, which is no longer used or you were lucky enough to not have the command go through, which can happen sometimes

 

If the user account running the malware doesn't have Administrator privileges the vssadmin delete command will fail.


• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#27 J_K

J_K

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 24 September 2014 - 09:01 AM

J K did emsisoft fix the problem?

It removed the virus but didn't fix the encrypred files.



#28 Destarah

Destarah

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:59 PM

Posted 25 September 2014 - 01:07 AM

Wanted to contribute some info.

Had a client call me with this on Wednesday morning. I used my Acronis Rescue Media to create a disk backup onto an empty external drive then ran ESET SysRescue from a CD which found 1780 infections. Cleaning wasn't an option so I deleted them. Booting into Windows I had to re-enable a number of services which had been changed to disabled (Security Services and Windows Update to name 2). Microsoft Security Essentials was manhandled by the virus, it called the infection Crowti.A and Crowti.B in the detected items list and had them as "Quarantined". I have uninstalled and reinstalled MSE from a new download.

All of the docs, pics and such are corrupted. Fair to say as of right now, no chance of recovery?

I will hang onto the Acronis image for now, hopefully someone can develop a method of decrypting. If I can be of assistance, please let me know.

I have been using MSE pretty much since it was 1st introduced back in the day (on my systems and also recommending it for clients). Are there AV programs that were able to get in front of this? I am concerned that MSE was caught with it's pants down.

Hopefully I don't start getting a flood of calls ...



#29 oldsalt60

oldsalt60

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 25 September 2014 - 06:01 PM

Hi DecrypterFixer,

 

I have downloaded the decrypter and it appeared to work as I can see both the encrypted files and the unencrypted files.

 

However none of the unencrypted files will open with the error message on PDF's of "Adobe Reader could not open the file because it is either not a supported file type or because the file has been damaged".

 

With Excel files I get "Excel cannot open the file because the file format or file extension in not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file"

 

Any ideas on this twist??



#30 malwareanalyzr

malwareanalyzr

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 25 September 2014 - 06:06 PM

It's because new variants cannot be decrypted in this manner. You need to the private key from the attacks C&C. The reason you are seeing what appears to be an unencrypted copy is because the tool DecrypterFixer created drops the .encrypted off. However, the file is still encrypted.




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users