Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

TorrentLocker Support and Discussion Thread (CryptoLocker copycat)


  • Please log in to reply
419 replies to this topic

#31 oldsalt60

oldsalt60

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:59 PM

Posted 25 September 2014 - 06:09 PM

It's because new variants cannot be decrypted in this manner. You need to the private key from the attacks C&C. The reason you are seeing what appears to be an unencrypted copy is because the tool DecrypterFixer created drops the .encrypted off. However, the file is still encrypted.

And where do I find the private key from the C&C?



BC AdBot (Login to Remove)

 


#32 malwareanalyzr

malwareanalyzr

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:59 PM

Posted 25 September 2014 - 07:09 PM

Lol, you don't unless you can get access to their server

#33 Nathan

Nathan

    DecrypterFixer


  •  Avatar image
  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:59 PM

Posted 25 September 2014 - 07:29 PM

we may have a method to get encrypted files back from any Torrentlocker variant now. Please email me at decryptorbit@outlook.com thanks.

and please discontinue any use of the old decrypter as it will not work with new variants. Only if you got infected about a month ago will it work. And don't force it even when the wrong key generates. That's why there is a test step, you will only mess up ur files and ruin any chance of decryption.


Have you performed a routine backup today?

#34 MM_AU

MM_AU

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne AU
  • Local time:01:59 PM

Posted 25 September 2014 - 10:46 PM

Hi Nathan,

 

Thanks for putting so much effort into this, it certainly is appreciated. I have sent you an email little earlier, and also submitted a sample as requested in the other thread. The files included in the zip are the TEMP files from the ProgramData directory as well as the original URL that infected the PC.

 

Looking forward to hear from you regarding the new decrypter.

 

Thanks again for your hard work and keep it up :)

 

M.



#35 Russell Cabourn

Russell Cabourn

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 26 September 2014 - 02:36 AM

Hi Nathan

 

I bekeive I have been infected with the early version of thos virus. do you think your fix can still work? if so I can send you an encripted file and and original (I still have a few)

 

Thank you Russell



#36 Dodley

Dodley

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Spain
  • Local time:05:59 AM

Posted 26 September 2014 - 03:43 PM

Hi Nathan,

i appear to have one of the new variants, it was first detected on 19/09/14 i have tried your decryptor yesterday with strange results, when i use a large 25mb jpeg ( a scanned image originally on another pc ) as the original file and an encrypted version from the infected pc it seems to generate the key ok and it will decrypt that file, when i check the file it opens ok, but it wont work on any other files, can you shed any light on this.
 
i have now just read that you may have a solution, i am holding my breath in anticipation,
 
i have various size encrypted files, some jpegs are over 100mb, if you need anything uploaded.
 

thanks in advance for all your hard work, i know a lot of people would be lost without it.

 

Paul



#37 Nathan

Nathan

    DecrypterFixer


  •  Avatar image
  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:59 PM

Posted 27 September 2014 - 01:42 PM

If you have been infected with TorrentLocker in the last 24-48 hours, Please PM me ASAP. 

 

Thank you.


Have you performed a routine backup today?

#38 Crohnos01

Crohnos01

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 30 September 2014 - 02:13 PM

Thank you all for the information on this thread. Will the CryptoPrevent software identified under the CryptoWall virus discussion also by chance block this variant?

 

Thanks



#39 Ivy74

Ivy74

  •  Avatar image
  • Members
  • 220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Behind a keyboard
  • Local time:11:59 PM

Posted 30 September 2014 - 03:17 PM

If you have been infected with TorrentLocker in the last 24-48 hours, Please PM me ASAP. 

 

Thank you.

I sent you a PM 

 

I am interested. We get these here and there. We been avoiding it by using a GPO fix which basically prevents the writing to APPDATA which to our understand is one of the things that the virus does. Get back to me when you can.



#40 Pradman

Pradman

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 30 September 2014 - 11:15 PM

If you have been infected with TorrentLocker in the last 24-48 hours, Please PM me ASAP. 

 

Thank you.

 

Hi Nathan sample encrypted files sent via bleeping computers site and to your PM and email.

 

 

Thanks



#41 MM_AU

MM_AU

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Melbourne AU
  • Local time:01:59 PM

Posted 01 October 2014 - 03:37 AM

Aaaaargh,

 

One of my users just managed to get the new version and encrypt 1/2 of my network drives - grrrr. I will post the files and the new URLs tomorrow once I finish with the backup restores.

 

M.



#42 littleroot

littleroot

  •  Avatar image
  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 01 October 2014 - 11:34 AM

Hi, I came here because I read the note about the Gameover on June so I assumed my latest hit is Torrentlocker,

 

Q. Does torrentlocker also leave behind in every directory the files "DECRYPT_INSTRUCTION.TXT, etc?

 

My story:  We had the Cryptolocker earlier this year destroy some files on a server and we then took some steps to prevent further hits with GPO the PC but we had a hit again yesterday. We were lucky our backups were good. Unfortunately the PC was not in my control as it was at a remote office and has since been overwritten and the admin has deleted the encrypted files so I don't have any more info to help. I only know it left behind the same files as noted above.

 

One thing I would like to find is a solution which looks at the header files and if it sees any with encryption it sends us an alert, or turns off file sharing, or does something helpful!

 

Please let me know if you have any ideas for me.

 

Thank you!



#43 Monsta_AU

Monsta_AU

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:59 PM

Posted 01 October 2014 - 08:02 PM

Email & PM sent to Nathan.



#44 flipfluitketel

flipfluitketel

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:59 AM

Posted 02 October 2014 - 05:36 AM

"Luckily" I'm not the only one fighting with this piece of ****. Hopefully a decryption-method will be found soon because paying those idiots isn't my first choice.



#45 FlashAU

FlashAU

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:59 PM

Posted 02 October 2014 - 09:12 PM

PM sent. I have a client with thousands of encrypted files on his NAS box - it's gonna be a long day...






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users