Cryptolocker Ransomware


15 replies to this topic

#1 fiveworlds
    Organism
  • Senior Members
  • 1,470 posts
  • Location: Somewhere on the internet

Posted 22 April 2016 - 08:47 PM

So here I was minding my own business when bam!! Out comes a popup demanding bitcoin. These spammers are getting real creative nowadays. Oh well, couldn't pay them even if I wanted to. Does anybody know how to reverse cryptolocker's encryption on my files?? I'm assuming system restore will still work.

 

[attached screenshot: OrYz8jGh.jpg]


Edited by fiveworlds, 22 April 2016 - 09:02 PM.


#2 studiot
    Genius
  • Senior Members
  • 6,175 posts
  • Location: Somerset, England

Posted 22 April 2016 - 09:12 PM

Turn it off now.

 

Can you

1) Find another pc to talk to us on

 

2) Do you have any backups or shadow copies.

 

3) Are you capable of removing the hard drive and looking at it from another system?

 

4) System Restore won't help

 

The encryption can't be broken, it is a damage limitation exercise.

 

Sorry



#3 Strange
    SuperNerd
  • Senior Members
  • 11,319 posts
  • Location: 珈琲店

Posted 22 April 2016 - 09:35 PM

If it is the original Cryptolocker then you can get a free recovery key: https://en.wikipedia...covery_of_files

 

If it is another variety, you may be out of luck (a few others have been cracked). Otherwise, if you don't have backups and don't want to pay, then you have lost the data.

 

You will also have to make sure the malware is removed (Malwarebytes is usually good at this.)



#4 fiveworlds
    Organism
  • Senior Members
  • 1,470 posts
  • Location: Somewhere on the internet

Posted 22 April 2016 - 10:18 PM

> Otherwise, if you don't have backups and don't want to pay, then you have lost the data.

There is no guarantee if I pay them that they will let me encrypt the data; they could just ask for more bitcoin.

> 2) Do you have any backups or shadow copies.
>
> 3) Are you capable of removing the hard drive and looking at it from another system?
>
> 4) System Restore won't help

2) I had, they're gone now

3) Of course

4) Yeah it'll do nothing.

 

Maybe I'll just update to windows 10.... sigh



#5 Strange
    SuperNerd
  • Senior Members
  • 11,319 posts
  • Location: 珈琲店

Posted 22 April 2016 - 10:28 PM

> There is no guarantee if I pay them that they will let me encrypt the data; they could just ask for more bitcoin.

 

From what I have read, they can usually be trusted in this way (after all, if they got a reputation for not providing a decryption key, then people would stop paying). There are, as with any business, a few rogue traders.

 

I would invest in a proper backup solution to make sure it can't happen again.



#6 fiveworlds
    Organism
  • Senior Members
  • 1,470 posts
  • Location: Somewhere on the internet

Posted 22 April 2016 - 10:34 PM

> I would invest in a proper backup solution to make sure it can't happen again.

 

Yeah, it would be lovely to be able to afford one. So tempted:

del /s /q /f c:\*.LOCKED

Edited by fiveworlds, 22 April 2016 - 10:35 PM.


#7 studiot
    Genius
  • Senior Members
  • 6,175 posts
  • Location: Somerset, England

Posted 22 April 2016 - 11:11 PM

> 3) Of course

Good, you may be able to get some of the data back then.

Temporary files made by Office, for instance, are not locked.

The process works its way through the list of files with certain extensions (jpg, doc etc.), making an encrypted copy and then deleting the original.

The original is not deleted immediately.

So the original may still be there.

If deleted, it may not have been overwritten, which is the reason I said 'turn it off now', in which case the original may be recovered by an undelete program.

But you must do this from another machine; the ransomware will not then run if the drive is slaved.

As to removing the virus, that is usually not too bad: use combofix to kill any cloaking rootkit.

Malwarebytes will rid you of the executable only, but there it has a recovery method.

Good luck


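The mechanism studiot describes in post #7 (encrypted copy written first, original deleted later and possibly still recoverable) lends itself to a simple read-only triage of the slaved drive. The script below is an added example, not code from anyone in this thread: it assumes the `.LOCKED` extension seen in post #6, an assumed list of targeted file types, and a byte-entropy check (not mentioned in the thread) to flag `.LOCKED` files that were merely renamed rather than encrypted. The sample directory tree it builds is constructed for the demonstration.

```python
"""Read-only triage of a ransomware-hit directory tree (added example).

Assumptions, all taken from the thread or constructed here:
  * encrypted copies carry an extra ".LOCKED" extension (post #6);
  * the malware works through files of certain types, writing an encrypted
    copy first and deleting the original later (post #7);
  * the list of targeted extensions below is an assumed one;
  * the tree is examined from another machine with the drive slaved.
"""
import math
import os
import tempfile
from dataclasses import dataclass, field

LOCKED_SUFFIX = ".LOCKED"                       # extension seen in post #6
TARGET_EXTS = {".jpg", ".doc", ".xls", ".pdf"}  # assumed set of targeted types
HIGH_ENTROPY = 7.0   # bits per byte; real ciphertext sits close to 8.0, text far below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the given sample."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Triage:
    intact: list = field(default_factory=list)       # encrypted copy and original both present
    missing: list = field(default_factory=list)      # original already deleted: undelete candidate
    renamed: list = field(default_factory=list)      # low-entropy ".LOCKED" file: not really encrypted
    untouched: list = field(default_factory=list)    # targeted type, no encrypted copy yet
    office_temp: list = field(default_factory=list)  # "~$" Office temp files, which the malware skipped


def triage_tree(root: str, sample_size: int = 65536) -> Triage:
    """Walk root read-only and sort every file into one of the Triage buckets."""
    result = Triage()
    for dirpath, _, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith(LOCKED_SUFFIX):
                original = name[: -len(LOCKED_SUFFIX)]
                with open(path, "rb") as fh:
                    entropy = shannon_entropy(fh.read(sample_size))
                if entropy < HIGH_ENTROPY:
                    result.renamed.append(rel)
                elif original in present:
                    result.intact.append(rel)
                else:
                    result.missing.append(rel)
            elif name.startswith("~$"):
                result.office_temp.append(rel)
            elif os.path.splitext(name)[1].lower() in TARGET_EXTS:
                if name + LOCKED_SUFFIX not in present:
                    result.untouched.append(rel)
    for bucket in (result.intact, result.missing, result.renamed,
                   result.untouched, result.office_temp):
        bucket.sort()
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample of a partly-encrypted tree; no real malware output involved."""
    os.makedirs(os.path.join(root, "docs"))
    files = {
        "photo.jpg": b"\xff\xd8\xff" + b"A" * 4000,               # original still on disk ...
        "photo.jpg.LOCKED": os.urandom(8192),                      # ... next to its encrypted copy
        "report.doc.LOCKED": os.urandom(8192),                     # original already deleted
        "docs/budget.xls.LOCKED": os.urandom(8192),                # original deleted, but ...
        "docs/~$budget.xls": b"owner file left by Office",         # ... its temp file survives
        "docs/memo.doc": b"\xd0\xcf\x11\xe0" + b"B" * 2000,        # not reached by the malware yet
        "fake.pdf.LOCKED": b"%PDF-1.4 not actually encrypted\n" * 200,  # renamed, not encrypted
        "readme.txt": b"not a targeted file type",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def run_demo() -> Triage:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for label, bucket in vars(run_demo()).items():
        print(f"{label:12s} {bucket}")
```

Point `triage_tree()` at the mount point of the slaved drive, never run it on the infected machine. The `intact` originals and the Office temp files can simply be copied off; the `missing` list is what an undelete tool such as the Recuva mentioned in post #8 would be aimed at; and anything in `renamed` was never actually encrypted and only needs the extension stripped.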

#8 StringJunky
    Genius
  • Senior Members
  • 5,534 posts
  • Location: UK

Posted 22 April 2016 - 11:21 PM

You could try Recuva (free) to find and recover the deleted files StudioT mentioned.

 

https://www.piriform.com/recuva



 Education, like life, is a journey not a destination


#9 Strange
    SuperNerd
  • Senior Members
  • 11,319 posts
  • Location: 珈琲店

Posted 22 April 2016 - 11:27 PM

> Yeah, it would be lovely to be able to afford one. So tempted

 

I pay $60 a year for a cloud backup service. I think it is worth it...



#10 StringJunky
    Genius
  • Senior Members
  • 5,534 posts
  • Location: UK

Posted 23 April 2016 - 05:01 AM

Here's a good breakdown of the malware by Panda Security.

 

http://www.pandasecu...e/cryptolocker/




#11 studiot
    Genius
  • Senior Members
  • 6,175 posts
  • Location: Somerset, England

Posted 25 April 2016 - 10:01 AM

Note Cryptolocker is not the only ransomware around.

I have just received the following notification.

> Beware New Mutant Virus
>
> Usually one virus infection is enough to contend with: whether it steals your data or empties your online bank account, if a virus has managed to sneak through your levels of protection, removing it from Windows – and recovering from the damage – can be quite a task.
>
> But the latest threat to strike the Internet is even worse than that: it appears hackers have managed to create a mutant virus by combining two nasty pieces of malware.
>
> The new threat, called GozNym, is a hybrid of two existing infections, called Gozi and Nymaim, and is a persistent and powerful Trojan, according to security researchers at IBM.
>
> Nymaim is a Trojan that attempts to lock up any Windows systems that it infects and demands a ransom to unlock the system.
>
> Gozi is a zombie infection that hacks into your browser in order to steal information.
>
> The hybrid of these two is even worse: it steals banking details so that hackers can access online accounts, taking features from each of its two parent viruses. And it is so potent that security researchers believe it managed to steal over £2.5 million in just a few days.
>
> The malware infection spreads through exploit kits buried on either hacker-controlled websites or legitimate sites that have been compromised.
>
> Running an online anti-virus scan, such as that from TrendMicro, should detect and remove the infection.
>
> Unfortunately, this hybrid virus is just part of a worrying new trend. Hackers are increasingly taking the best bits of existing malware infections to create new, more powerful viruses.
>
> It also allows hackers to create new malware infections very quickly, which is particularly dangerous since these infections will typically not be detected by anti-virus software until the security companies have detected it first and managed to produce a virus definition.

 



#12 StringJunky
    Genius
  • Senior Members
  • 5,534 posts
  • Location: UK

Posted 25 April 2016 - 11:36 AM

> Note Cryptolocker is not the only ransomware around.
>
> I have just received the following notification.

In Windows, a good step is to not use the main admin user account for routine tasks and browsing. I use a standard account, which has limited admin privileges, for my daily use. Linux has been so strong because you have to sign in for admin level privileges every time and it cannot be overridden; using Windows in Standard mode for routine use achieves the same end, leaving the admin account for only when absolutely necessary. Using UAC at full protection is also a good idea... pain in the ass though it is at first.


Edited by StringJunky, 25 April 2016 - 11:39 AM.



#13 Greg H.
    Organism
  • Senior Members
  • 1,275 posts
  • Location: Richmond, VA

Posted 25 April 2016 - 04:46 PM

Hackers gonna hack. The best thing you can do is:

A) Assume you will, at some point, be hacked.

B) Make sure that you have a good damage control strategy for when it happens.



Religion is about belief regardless of the facts and science is about the facts regardless of belief.

To be fair, bananas are like 90% horse.

Remember - if the predictions of your theory disagree with reality, it is not reality that is wrong.

#14 Mordred
    Resident Expert
  • Resident Experts
  • 4,088 posts

Posted 29 April 2016 - 04:41 AM

C) Never use your computer for anything financially oriented. (I only ever type prepaid Mastercard numbers online; that significantly limits the potential loss.) I also never access any account online.

http://www.einsteins.../LightCone.html
http://cosmology101.wikidot.com/main
http://cosmocalc.wikidot.com/start
If you wish to change the rules, you must first understand the rules.

#15 studiot
    Genius
  • Senior Members
  • 6,175 posts
  • Location: Somerset, England

Posted 29 April 2016 - 10:00 AM

> C) Never use your computer for anything financially oriented. (I only ever type prepaid Mastercard numbers online; that significantly limits the potential loss.) I also never access any account online.

Nice work if you can get it.

But if you live in the EU, particularly in the UK, you are required by law to do many things online these days, from driving licence to tax to farm movement orders to all the other umpteen government forms we have to deal with.

Business is also trying to force this more and more.



#16 Bigmazzy
    Lepton
  • New Members
  • 1 post

Posted 23 November 2016 - 07:54 PM

To avoid ransomware viruses, the best one can do is make as many backups as possible, avoid downloads from unknown sources and not open doubtful mailings. Nowadays especially dangerous are the so-called Scandinavian ransomware viruses, such as Cerber, Locky, Thor and Aesir; a description of them could be found here. Newcomers aren't allowed to post links due to increased spam traffic.


Edited by Phi for All, 23 November 2016 - 08:11 PM.
