
CryptoLocker developers charge 10 bitcoins to use new Decryption Service


64 replies to this topic

#31 itsMeRandy

itsMeRandy

  • Members
  • 26 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 05 November 2013 - 08:49 AM

I'm pretty sure we are set. FW blocks any Zbot. Mail is not allowed to receive *.exe. FW blocks malicious/suspicious sites, etc., and we added DGA awareness. Plus, we use a domain-wide backup strategy. The individual machines, if hit, would be our weak link only if it somehow bypasses the FW.

 

My question: Has a MITM been used during payment/decryption process?




#32 kenjancef

kenjancef

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:Rhode Island, USA
  • Local time:12:57 AM

Posted 05 November 2013 - 08:58 AM

A cautionary tale: many, many years ago we faithfully backed up a server using Backup Exec and used many tapes over months, then one day we needed to restore. Unfortunately no one had ever tested the backups; Backup Exec had been misconfigured and there was no way to restore, so all the tapes were useless.

 

So in addition to implementing a good backup plan, be sure to test your backup plan; if you can't restore, it's not much of a backup plan.

 

Yeah, that's the one thing we always did when implementing backups: testing. It sucks when there is just one file, a VERY important file, that a secretary deletes by accident, and during the restore you find that the backups didn't work. So we always do a test backup: pick a good bunch of files that aren't in use at the time, hang out till the backup is done, then do a restore.

 

Great tip...
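An added example (not code from the thread, from Backup Exec or from any backup product) of the restore test kenjancef describes, in Python: back up a directory together with a manifest of SHA-256 hashes, restore it into a scratch location and compare every file against the manifest. The manifest layout, the directory-copy "backup" and the sample files are my own assumptions.

```python
"""Backup restore test, added as an example; not the thread's code nor any
backup product's logic. Assumption (mine): the "backup" is a directory copy
with a manifest of SHA-256 hashes, and testing it means restoring into a
scratch location and verifying every file against that manifest."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy the source tree to dest and record a manifest of relative path -> hash."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    manifest = {p.relative_to(dest).as_posix(): sha256_of(p)
                for p in dest.rglob("*") if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_test(backup: Path) -> list:
    """Restore the backup into a throwaway directory and verify it. The returned
    list of problems is empty only when the backup is genuinely restorable."""
    manifest = json.loads((backup / "manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup, restored)
        for rel, expected in sorted(manifest.items()):
            p = restored / rel
            if not p.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(p) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo() -> tuple:
    """Constructed run: a good backup passes, then a silently damaged backup
    (one file emptied, as a misconfigured job might leave it) is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "docs"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q3.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (src / "memo.txt").write_text("constructed memo")
        bkp = Path(work) / "backup"
        make_backup(src, bkp)
        good = restore_test(bkp)               # expected: []
        (bkp / "memo.txt").write_bytes(b"")    # simulate the useless tape
        bad = restore_test(bkp)                # expected: one hash mismatch
        return good, bad


if __name__ == "__main__":
    print(demo())
```

Run the restore test on a schedule, not only when the job is first configured; the emptied file in the demo stands in for the misconfigured job that nobody noticed until restore day.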



#33 raj1234

raj1234

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:57 AM

Posted 05 November 2013 - 09:19 AM

We paid originally and it decrypted files. But some files are still encrypted. I tried the new Decryption Service via the Tor project and uploaded about 10 files. After this, within a minute it came up saying "This file is not encrypted, Please select another file".

 

Has the virus damaged our files permanently?

 

I have also tried old and new CryptoLocker versions to decrypt the problem files; it comes up saying,
"Perhaps the file may be damaged or used by another process" Error code: 6007 (0x00001777) The specified file is not encrypted"

 

So, it looks like these files are not encrypted. But they are not opening. There are quite a few files like this. Not sure what happened to them, or whether there is a way to recover them.

 

I read the below on another site. And in our case, the decryption tool is saying that some files are not encrypted (which are not opening), probably because the virus managed to encrypt the file with the AES key but then didn't encrypt using the public key. What to try next, any suggestions?
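An added example, not code from the thread nor from any decryptor, for triaging files that a tool reports as "not encrypted" yet which will not open: check whether the file's leading bytes match its extension, and how random its content is. The signature table and the sample files are constructed; the rule that a wrong header plus near-8-bit entropy means "probably still ciphertext the tool did not recognise" is my assumption, not a statement about how CryptoLocker or its decryption service actually marks files.

```python
"""File triage, added as an example; not the thread's code nor a decryptor's
logic. Assumption (mine): a file whose leading bytes do not match its extension
but whose content is near-maximally random is most likely still ciphertext,
while a low-entropy mismatch points to corruption or truncation instead."""
import math
import os
from collections import Counter

# Constructed table of a few common file signatures (leading bytes) by extension.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for uniform content, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes) -> dict:
    """Classify one file from its name and contents (first 4 KiB are enough)."""
    ext = os.path.splitext(name)[1].lower()
    header_ok = ext in MAGIC and data.startswith(MAGIC[ext])
    ent = round(shannon_entropy(data[:4096]), 2)
    if header_ok:
        verdict = "header intact"
    elif ext not in MAGIC:
        verdict = "unknown type: inspect manually"
    elif ent > 7.5:
        verdict = "header wrong, high entropy: likely still ciphertext"
    else:
        verdict = "header wrong, low entropy: corrupted or truncated"
    return {"file": name, "entropy": ent, "verdict": verdict}


def demo() -> list:
    """Constructed samples: an intact PDF, a spreadsheet whose bytes are
    perfectly evenly distributed (as ciphertext is), and a zero-filled docx."""
    samples = {
        "report.pdf": b"%PDF-1.4\n" + b"constructed pdf body " * 40,
        "budget.xlsx": bytes(range(256)) * 16,   # every byte value 16 times: entropy 8.0
        "notes.docx": b"\x00" * 4096,            # zero-filled: entropy 0.0
    }
    return [triage(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A "header wrong, high entropy" verdict means the bytes on disk are probably still the encrypted data, so keep the file untouched; a "low entropy" verdict means the content itself is gone and no key will bring it back, which is the case for a backup or shadow copy rather than a decryptor.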



#34 Netghost56

Netghost56

  • Members
  • 976 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:10:57 PM

Posted 05 November 2013 - 10:03 AM

Not sure I would trust the service. Who's to say they're not copying any files that are uploaded, unencrypting them, and keeping them for later use???



#35 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 45,075 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:12:57 AM

Posted 05 November 2013 - 12:50 PM

You're right. We have no idea. I can confirm that it worked on a sample that was previously submitted here and that the user paid the ransom on.

#36 Moose_Valley

Moose_Valley

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:57 PM

Posted 05 November 2013 - 05:43 PM

You're right. We have no idea. I can confirm that it worked on a sample that was previously submitted here and that the user paid the ransom on.

 

Not sure I would trust the service. Who's to say they're not copying any files that are uploaded, unencrypting them, and keeping them for later use???

 

 

You're right. We have no idea. I can confirm that it worked on a sample that was previously submitted here and that the user paid the ransom on.

 

They would certainly be keeping and checking out all files uploaded to their "service".  I would strongly advise against uploading anything containing sensitive or private information.

 

Can't help thinking that this could be an opportunity to hit back at them?  Have some sort of payload hidden in a file which triggers when they open it ... it might not even do any damage, but instead provide information that could be used to identify / track down the bastards.



#37 RobinHoodSnr

RobinHoodSnr

  • Members
  • 158 posts
  • OFFLINE
  • Gender:Male
  • Location:South Africa
  • Local time:06:57 AM

Posted 06 November 2013 - 02:03 AM

Matter of interest...I would beware of files being encrypted TWICE...as this means (only a "guess" here) once you pay the CURRENT ransom...it will decrypt your files, but the files will STILL be encrypted...seeing it's been encrypted twice...meaning the FIRST layer of encryption is still there, so you'll need the first layer's key code to decrypt THAT again :(

 

This scenario might show its face if you ran an Anti Virus that deleted your PREVIOUS virus and registry-keys...and got re-infected!


Edited by RobinHoodSnr, 06 November 2013 - 02:09 AM.

...We all know something...but we will NEVER know everything :grinner:

 

CryptoLocker "Process" remover...will NOT delete CryptoLocker, only the processes...(a "safety precaution" I took for those who still want to "try" paying the ransom to get their files back. DON'T FORGET TO MONITOR YOUR TIME LEFT BEFORE PAYMENT!)

 

("KillCrypt" will automatically open %appdatadir%...just guide this to the CryptoLocker virus and double-click on it. Remember...if you "restart" your system, the processes will be back...use this only for emergencies if you want to create a quick document. While this process is killed, your docs won't get infected, but WILL be encrypted (unusable) when you restart the PC/laptop OR click on the virus again!!!)


#38 Harpoon76

Harpoon76

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:57 AM

Posted 06 November 2013 - 11:34 AM

Does anyone know of backup software that stores files on external drives without copying and making the original file, including its regular extension, available?

 

I run CrashPlan on my home "server" (a passively cooled Atom PC running Windows 7). The free version will back up to a USB HD: CrashPlan FAQ

 

 

How is CrashPlan different from online backup?

Unlike ordinary online backup, CrashPlan lets you back up to other destinations in addition to online. You can back up to your other computers, external hard drives and to computers that belong to friends and family for free. If you want to back up online too, purchase a CrashPlan+ subscription.

 

Whilst I do pay for a CP+ subscription to keep a copy of my data offsite, I also have CP backing up to a USB HD on my server. The folder/file structure on the USB shows CP de-dupes/compresses and stores the file in its own format, e.g.

 

CrashPlanFiles.jpg

 

 

I've also used CP with a couple of customers and the only downside is you can't easily point the backup destination at a NAS UNC share.  There is an unsupported method which involves some batch file hacking here.

 

Hope this helps.

 

Chris.



#39 PeterQ

PeterQ

  • Members
  • 22 posts
  • OFFLINE
  • Gender:Male
  • Location:Auckland New Zealand
  • Local time:05:57 PM

Posted 06 November 2013 - 08:14 PM

I have two drives, each with an operating system on it: C is the main OS drive and D is for backups and other things. If I happened to get this virus, would it just affect my C drive or both? Does anyone know?



#40 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,938 posts
  • OFFLINE
  • Gender:Male
  • Location:The Antipodes
  • Local time:02:57 PM

Posted 06 November 2013 - 11:00 PM

I have two drives, each with an operating system on it: C is the main OS drive and D is for backups and other things. If I happened to get this virus, would it just affect my C drive or both? Does anyone know?

That depends on whether the drives are mapped to each other. This virus will encrypt anything it can see.
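As an added example (not code from the thread) of what "anything it can see" means in practice, the Python below inventories a set of root paths, such as C:, D:, a mapped network drive or a USB backup disk, and reports for each whether the current account can create files there and how many document files it holds. The root list, the document-extension list and the sample directories are my assumptions.

```python
"""Exposure inventory, added as an example (not the thread's code). Assumption
(mine): every location the logged-in account can write to, whether a second
internal drive, a mapped network drive or a USB backup disk, is within reach of
malware running as that account, so the check is simply "which of these roots
can I create a file in, and how many documents live there?"."""
import os
import tempfile
from pathlib import Path

# Constructed list of extensions to count as "documents".
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png")


def can_write(root: Path) -> bool:
    """Try to create and remove a uniquely named probe file directly under root."""
    probe = root / f".write_probe_{os.getpid()}"
    try:
        with open(probe, "xb"):
            pass
        probe.unlink()
        return True
    except OSError:
        return False


def exposure_report(roots) -> dict:
    """For each root: does it exist, how many document files does it hold, and
    can the current account write there? A writable root with documents is
    exactly what a process running as this user could overwrite."""
    report = {}
    for r in roots:
        root = Path(r)
        if not root.is_dir():
            report[str(r)] = {"present": False}
            continue
        docs = sum(1 for p in root.rglob("*")
                   if p.is_file() and p.suffix.lower() in DOC_EXTS)
        report[str(r)] = {"present": True, "documents": docs,
                          "writable": can_write(root)}
    return report


def demo() -> dict:
    """Constructed stand-ins for C:, a second OS/backup drive D:, and an
    unplugged USB disk E:."""
    with tempfile.TemporaryDirectory() as work:
        c = Path(work) / "C"
        (c / "Users" / "me").mkdir(parents=True)
        (c / "Users" / "me" / "letter.docx").write_bytes(b"constructed")
        d = Path(work) / "D"
        (d / "backups").mkdir(parents=True)
        (d / "backups" / "photo1.jpg").write_bytes(b"constructed")
        (d / "backups" / "photo2.jpg").write_bytes(b"constructed")
        (d / "backups" / "job.log").write_bytes(b"constructed")  # not a document
        e = Path(work) / "E"                                      # not plugged in
        rep = exposure_report([c, d, e])
        return {"C": rep[str(c)], "D": rep[str(d)], "E": rep[str(e)]}


if __name__ == "__main__":
    for drive, info in demo().items():
        print(drive, info)
```

On a real machine call exposure_report with the drive roots, for example ["C:\\", "D:\\", "Z:\\"]; walking a whole disk takes a while. Any root that comes back writable is reachable from a process running as that user, which is why a second OS drive or a permanently mapped backup share gets the same treatment as C:. The unplugged E: in the demo is the only one out of reach.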



#41 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,938 posts
  • OFFLINE
  • Gender:Male
  • Location:The Antipodes
  • Local time:02:57 PM

Posted 06 November 2013 - 11:05 PM

I really appreciate this thread/forum topic guys, and have taken some great experience from others, and others mistakes.

 

Since applying new group policy changes suggested here our group infection rate has dropped from very low to 0.

 

Thanks again great community!


Edited by TsVk!, 07 November 2013 - 12:32 AM.


#42 BabylonHoruv

BabylonHoruv

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:57 AM

Posted 07 November 2013 - 04:01 PM

Bitcoin price has been going up rapidly lately.  I wonder if this is part of why?



#43 Animal

Animal

    Bleepin' Animinion


  • Helper Emeritus
  • 35,905 posts
  • OFFLINE
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:08:57 PM

Posted 07 November 2013 - 05:10 PM

http://www.businessinsider.com/bitcoin-passes-300-dollars-2013-11

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


#44 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,938 posts
  • OFFLINE
  • Gender:Male
  • Location:The Antipodes
  • Local time:02:57 PM

Posted 07 November 2013 - 05:23 PM

And to think I shunned bitcoin last year at $30. Could have made a bomb of cash on this wave...



#45 bludgard

bludgard

  • Members
  • 942 posts
  • OFFLINE
  • Gender:Male
  • Location:No Clue Whatsoever, Western Hemisphere
  • Local time:11:57 PM

Posted 07 November 2013 - 11:39 PM

 

Does anyone know of backup software that stores files on external drives without copying and making the original file, including its regular extension, available?

 

I run CrashPlan on my home "server" (a passively cooled Atom PC running Windows 7). The free version will back up to a USB HD: CrashPlan FAQ

 

I was wondering if this bugger can encrypt an encrypted and/or password-protected backup drive/partition etc.?

I'll have to try when I get it all set up....lol





