Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Original Cryptolocker Ransomware Support and Help Topic


  • Please log in to reply
3457 replies to this topic

#46 jonathan020

jonathan020

  •  Avatar image
  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:02 AM

Posted 09 September 2013 - 01:58 PM

Last update I had from Trend Micro was at 10am EST to confirm they have added the threat to pattern CPR 10.264.03.

 

They say they are working on a decrypt tool.



BC AdBot (Login to Remove)

 


#47 admiralnorman

admiralnorman
  • Topic Starter

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:02 AM

Posted 09 September 2013 - 02:03 PM

 

On a related note, since a lot of us are seeing that TrendMicro is a common thread in this, any recommendations on a different AV?  Personally I am going with MS Security Essentials until a final decision is made.

 

Kaspersky failed to detect this until after it had encrypted the files. But it did promptly shutdown the service and quarantined it.



#48 SYKES42

SYKES42

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:02 AM

Posted 09 September 2013 - 02:17 PM

we are considering paying it, does anyone know if there is a way to track this down thru the credit card we might use?  probably going to use a gift card with no ties to our account



#49 jonathan020

jonathan020

  •  Avatar image
  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:02 AM

Posted 09 September 2013 - 02:20 PM

I would advise against it but understand you gotta do what you gotta do.

 

Definately use a gift card. Try not to do it from your static IP as the attacker will no doubt keep a record of you as a "willing customer" for targeted attacks.


Edited by jonathan020, 09 September 2013 - 02:21 PM.


#50 admiralnorman

admiralnorman
  • Topic Starter

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:02 AM

Posted 09 September 2013 - 02:21 PM

we are considering paying it, does anyone know if there is a way to track this down thru the credit card we might use?  probably going to use a gift card with no ties to our account

 

Other users in this thread have mentioned success with getting access to their files back. Using a gift card or the likes of is a good idea.

 

Of course none of us recommend this. You never know what traces of the virus could be left after that. If there is any chance of restoring from a backup, you should exhaust that option first. If you should pay for it, put all of those files on an empty usb device, plug it into a non-networked workstation, and scan the be-jesus out of them. Even then, I don't think i could ever trust those files again.


Edited by admiralnorman, 09 September 2013 - 02:22 PM.


#51 proapp

proapp

  •  Avatar image
  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 09 September 2013 - 03:03 PM

I actually chuckled when getting ready to reply to this..  We IT Admins are SO anti-giving-in and paying the ransom it is apparent that a majority of you have not even clicked the button to go to the next page in the malware popup to submit payment...

 

They do not accept credit cards.  For US victims they demand you use a Green Dot MoneyPak card.  I had to go to a local drugstore (Walgreens) and buy it with cash... Wait and hour to activate it, and then just type in the number that was on the card.

 

Again, this goes to prove just how (evil) genius the author of this bug is.

 

If there is ever a legal investigation that can somehow trace the MoneyPak payment, I would be happy to participate in any way possible!



#52 proapp

proapp

  •  Avatar image
  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 09 September 2013 - 03:12 PM

OH, i recommend you NOT move your files.   when you pay the ransom it goes through the file list it had encrypted (and willingly displays you on the initial popup).  If you move the files or deny access to them then the decryption process will not happen properly as it did for me..  In my case, EVERY FILE it had access to was already futzed so limiting it's access would have been a futile activity.

 

What i didn't test is once it goes through the decryption, it tells you to check ll your files (in my case was hundreds of thousand ms office and jpg files) and any files that were NOT decrypted, you should place them on your desktop and press the retry button...   

 

I randomly tested sections of my files, and determined that all seemed to be decrypted.  at that point i pulled the network plug and then the power plug on the infected machine until i can backup the hard drive on it and format it. (pulling power plug was mainly to stop users from trying to use it) 

 

IF you do move your files or change permissions paying MAY still work if you put the files on your desktop as the virus tells you to do after it goes through it's pre-recorded encrypted file list.... But I cannot comment if this works or not.

 

Each situation is different, i am just trying to supplement the knowledge on this infection the best i can.   



#53 SYKES42

SYKES42

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:02 AM

Posted 09 September 2013 - 03:12 PM

so, Greendot primate loser company is worthy of my ire as well?

 

we are restoring, but dang i'd like to catch this idiot at his ATM, even if it is in beijing



#54 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  •  Avatar image
  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:02 AM

Posted 09 September 2013 - 03:17 PM

I am currently looking into this malware. Would one of you, that hasn't paid the ransom yet, be open for a small remote session using TeamViewer to gather a few additional information?

Thanks :).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#55 solomonshv

solomonshv

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 09 September 2013 - 03:25 PM

I am currently looking into this malware. Would one of you, that hasn't paid the ransom yet, be open for a small remote session using TeamViewer to gather a few additional information?

Thanks :).

 

someone here jumped and removed the virus from the infected system. what i can do for you is give you a file before and after it was encrypted. i can also pull files out of the malwarebytes quarantine and send that to you. would that be useful?



#56 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  •  Avatar image
  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:02 AM

Posted 09 September 2013 - 03:34 PM

Thank you solomonshv,

Someone else was a little bit faster than you though :).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#57 solomonshv

solomonshv

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 09 September 2013 - 03:44 PM

someone always is. that's 3 times I've been beaten to the punch to something today



#58 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  •  Avatar image
  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:02 AM

Posted 09 September 2013 - 03:51 PM

Does your offer still stand, solomonshv? :)
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#59 solomonshv

solomonshv

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 09 September 2013 - 03:54 PM

Does your offer still stand, solomonshv? :)

 of course. just tell me where to send this stuff. i didn't see an e-mail address in your profile.



#60 Chuck Sp

Chuck Sp

  •  Avatar image
  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 09 September 2013 - 04:35 PM

So does anyone have any vector information?  How is this contracted?  What can we do to prevent it?  Its a game changing virus and if it cant be prevented and cant be stopped except by a backup... who wants to have to do a full server restore every damn time an end user gets some damn spyware?

 

Whoo, this thing has my stomach in knots.






2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users