Please help -CryptoLocker ransomware virus on my computer

Mohamedg (Member) | Joined: Jan 22, 2010 | Messages: 14 | Reaction score: 0
Hello All

Please can anyone help. I seem to have a virus on my computer and cannot open any of my documents (Excel, Word, PDF, etc.). It seems that my files are encrypted and being held to ransom. When I went onto the website, it said I need to pay $500 to decrypt the files. The message in all my folders is in German or something, and is as follows:



What has happened to your data?
All your data has been protected with strong RSA-2048 encryption by means of the CryptoWall 3.0 program.
You can learn more about encryption with RSA-2048 keys here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)


What does this mean?
It means that the structure and the data inside your files have been irreversibly changed;
you can no longer use, read or open them, which is the same as if they were lost, but with our help you can restore them.


How did this happen?
Specifically for you, an RSA-2048 key pair was generated on our secret server: a public key and a private key.
All your files were encrypted with the public key, which was transferred to your computer over the Internet.
Decrypting your files is only possible with the private key and a special program, which are located on our secret server.


What should I do?
We are sorry, but if you do nothing within the given time, the conditions for obtaining the private key and the special program will change.
If your data means a lot to you, we advise you not to waste your time searching for other solutions, because there simply are none.


For more detailed instructions, please visit our personal web page; below are some addresses that lead to us:
1. http://paytoc4gtpn5czl2.balzakoptions.com/7f8wsk
2. http://paytoc4gtpn5czl2.welcomoptions.com/7f8wsk
3. http://paytoc4gtpn5czl2.visatastor.com/7f8wsk
4. http://paytoc4gtpn5czl2.drezdonhoster.com/7f8wsk

If the addresses are unavailable for any reason, carry out the following steps:
1. Download and install the Tor Browser: http://www.torproject.org/projects/torbrowser.html.en
2. Start the browser and wait for it to initialise.
3. Enter the following in the address bar: paytoc4gtpn5czl2.onion/7f8wsk
4. Follow the instructions on the web page.


Useful information:
Your personal web page: http://paytoc4gtpn5czl2.balzakoptions.com/7f8wsk
Your personal web page (via TOR): paytoc4gtpn5czl2.onion/7f8wsk
Your personal code (if you open the web page (or the TOR web page) directly): 7f8wsk



HOW CAN I GET RID OF THIS VIRUS. I CANNOT LOSE MY FILES. PLEASE HELP
 
Sorry, but your files are toast. Such is the nature of CryptoLocker: you can pay and have them decrypted, but that is about it.

Hopefully your computer is not joined to a network? If you have any mapped drives with write access, those documents will be toast as well. Any externals connected, same thing.
 
All 500,000 victims of Cryptolocker can now recover files encrypted by the malware without paying a ransom.

The malicious program encrypted files on Windows computers and demanded a substantial fee before handing over the key to the scrambled files.

Thanks to security experts, an online portal has been created where victims can get the key for free.

The portal was created after security researchers grabbed a copy of Cryptolocker's database of victims.

"This time we basically got lucky," said Michael Sandee, principal analyst at Fox-IT - one of the security firms which helped tackle the cyber-crime group behind Cryptolocker.

Now, security firms Fox-IT and FireEye - which aided the effort to shut down the Gameover Zeus group - have created a portal, called Decrypt Cryptolocker, via which any of the 500,000 victims can find out the key to unlock their files.

"All they have to do is submit a file that's been encrypted, and from that we can figure out which encryption key was used," said Greg Day, chief technology officer at FireEye.

Mr Day said people wishing to use the portal - http://www.decryptcryptolocker.com/ - should submit a file that did not contain sensitive information to help it verify which key they needed.


http://www.bbc.com/news/technology-28661463
 
That decryption only applies to a specific strain of CryptoLocker.
Of late there are more syndicates using this technology, and the chances of recovery if you do not have backups are not good.
 
To help solve the problem of victims’ files still being encrypted, we leveraged our close partnership with Fox-IT.

We developed a decryption assistance website and corresponding tool designed to help those afflicted with the original CryptoLocker malware.

Through various partnerships and reverse engineering engagements, Fox-IT and FireEye have ascertained many of the private keys associated with CryptoLocker. Having these private keys allows for decryption of files that are encrypted by CryptoLocker.

FireEye and Fox IT have created a webpage, https://www.decryptcryptolocker.com, where a user can upload an encrypted CryptoLocker file.

Based on this upload, the user will be provided with the option to download a private key that should decrypt their affected files. The site also provides instructions on how to apply this key to the files encrypted by CryptoLocker to decrypt those files.

To use the site, simply upload an encrypted file without any confidential information. (Please keep in mind, we will not permanently store, view, or modify your file in any fashion.)

Enter your email address to ensure the private key associated with the file is sent to the correct individual. Ensure you enter the correct number or phrase in the Captcha entry field.

After clicking “Decrypt It!”, you will be presented with instructions to download the Decryptolocker.exe tool from https://www.decryptCryptoLocker.com. In addition, your private key will be sent to the email address specified.

Are all encrypted files afflicted with CryptoLocker decryptable with this tool?
We believe we recovered everything from the CryptoLocker database. However, we are aware that there could be a limited data chunk missing, related to either the takedown or interruptions of the CryptoLocker backend infrastructure. As a result, certain files may not be decryptable. Also, new variants of CryptoLocker may be released at any time, and the tools we discuss here or have made available may not be able to decrypt files infected with these more recent variants.

Does this tool work against CryptoLocker variants?
There are several variants of CryptoLocker, all functioning in different ways. While these variants do appear similar to CryptoLocker, this tool may not be successful in all decryption processes because of code and functionality variances.

https://www.fireeye.com/blog/execut...-information-for-cryptolocker-decryption.html
 
Took my backups offline as I suspect we may have got an infection.

Just to be on the safe side...

Good news is that things do look good, no news of anything funny yet.

FWIW I also had the nasty clap, luckily I could restore from backups. Luser's laptop, however, was gone, I swapped out the hard drive and installed Windows from scratch. All [encrypted] data was gone forever.
 
You are fortunate, a friend of mine got CTB-Locker. No remedy there.

Since then I have made his 'My Documents' and his 'Desktop' save to DropBox.
 
Brilliant! Thanks for this.
 
Note the warning above - there are also new variants that call themselves cryptolocker but are actually other types of ransomware using the same name :mad:
 
... le epic snippage ...

Expect newer versions of CryptoLocker to have nastier payloads, and less chance of recovering your files.

Backups, especially offline backups, are key to preventing you being held to ransom.

Online backups, such as NAS units, are not safe, as they may inadvertently overwrite good files with encrypted files (should you have an automatic backup running via script/cronjob in the background).
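As an added example (not code from the thread or from any poster), here is the kind of pre-sync check an automated backup script could run to avoid the overwrite problem described above; the file paths and contents are constructed, and the "encrypted" files are pseudo-random bytes standing in for ransomware output:

```python
"""Pre-sync guard for an automated backup job.

Checks whether changed files look like ciphertext before a scheduled NAS or
cron sync overwrites good backup copies with encrypted ones. Encrypted data
has near-maximal Shannon entropy (~8 bits/byte); documents and text sit far
lower. Caveat: compressed formats (zip, jpg, mp4) are also high-entropy, so
a hit should pause the job and alert, not be taken as proof of infection.
"""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; random/encrypted data is ~8.0
HALT_FRACTION = 0.5      # halt when >= 50% of changed files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the byte distribution is as flat as ciphertext."""
    return shannon_entropy(data) >= threshold


def plan_sync(changed: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Return (halt, suspicious_paths) for the set of changed files.

    When halt is True the caller should skip the copy and alert, so the
    existing backup copies stay intact.
    """
    suspicious = [p for p, data in changed.items() if looks_encrypted(data)]
    halt = bool(changed) and len(suspicious) / len(changed) >= HALT_FRACTION
    return halt, suspicious


# Constructed sample input (not real files); deterministic pseudo-random
# bytes stand in for ransomware output.
NORMAL_TEXT = b"Quarterly sales report: region, units, revenue\n" * 80
FAKE_CIPHERTEXT = random.Random(1).randbytes(4096)
NORMAL_DAY = {"docs/report.txt": NORMAL_TEXT, "docs/notes.txt": NORMAL_TEXT[:500]}
INFECTED_DAY = {"docs/report.txt": FAKE_CIPHERTEXT,
                "docs/notes.txt": FAKE_CIPHERTEXT[:2048],
                "docs/todo.txt": NORMAL_TEXT[:100]}

if __name__ == "__main__":
    for label, day in (("normal", NORMAL_DAY), ("infected", INFECTED_DAY)):
        print(label, plan_sync(day))
```

A versioned or snapshotting backup target removes the overwrite risk entirely; this check is the fallback for a plain mirror sync.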
 
Hope the whole lot will encrypt themselves to heck and leave us honest people alone :mad: :sick:

Amen.

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Info: The original CryptoLocker infection was disabled on June 2nd, 2014 when Operation Gameover took down its distribution network. Since then there have been numerous ransomware infections that have been released that utilize the CryptoLocker name. It should be noted that these infections are not the same infection that is discussed below. If you have recently been infected with something that is calling itself CryptoLocker, you are most likely infected with the TorrentLocker infection. For more information on TorrentLocker, please visit our TorrentLocker support topic. Once at the topic, and if you are a member, you can subscribe to it in order to get notifications when someone adds more information to the topic.
 
Sysadmin nightmare.

Finished and done. Lusers won't understand the issue; they'll merrily plug their own infected laptop (even if it's blaring out the CryptoLocker message) into the company network, and will all be :confused: when the files are not available any more... :rolleyes:

Or they think IT have got some kind of magic to make that go away. Which we DO NOT have.
 
CryptoLocker Virus

Thanks Ivan for the feedback

Does this only restore my encrypted file and will the virus still be on the computer? What do I do then?

Thanks again
 
Just discovered our server has this virus on it. Fk knows how it got there, as we have purchased Norton Antivirus on all PCs except 2, which have AVG Internet Security 2015 (temporary till we purchase new Nortons).. :cry:
 
Probably got it from Norton. Norton is known to be bloatware rubbish.

Well I guess your server is proper farked now.
 
Only way it could have got on your server is when somebody either used the server (remote desktop) to visit a site of ill repute and got infected with the clap, or somebody copied the installer to the server, where it installed itself.

Depends on the attack vector/vulnerability as well though.

Hope you can do a successful recovery, this clap is not fun at all. I had it as well, was able to restore from backups.
 