ella
question about cryptolocker
« on: January 18, 2016, 08:06:32 am »
Hi, my computer was attacked about two months ago by CryptoLocker. I didn't pay the hackers and I formatted my computer lately. 2 questions:
1. I saved the encrypted files on an external hard drive. Do you think it's pointless? Is there any chance of solving it soon? I have the original copies of some of the encrypted files.
2. Can a recovery tool (EaseUS) after the format do any harm?
Thanks, Ella

Execute
Re: question about cryptolocker
« Reply #1 on: January 18, 2016, 12:47:40 pm »
@ella, hello - you did the right thing not paying the ransom.

1) Saving your locked files on an external drive is clever and I personally don't think it's pointless.
If by "solving it soon" you mean whether the encryption of CryptoLocker is going to be cracked soon so that everybody can recover all files - probably not. This is one of the toughest ransomware families out there, considering its encryption algorithm.

Any more information about the version of CryptoLocker or about the ransom message?
You can send a few files, the original and the encrypted versions of them, here as an attachment or by leaving me a PM (Personal Message). The STF staff members and I will try to see what we can do.

2) Recovery tools shouldn't do any harm to the system. Old files recovered by them shouldn't interfere with the Operating System. If there are files with the same name, the recovered files should be created with "(1)" or " - Copy" after the name to be differentiated.

EaseUS has its own file system, so any recovered files are inside that separate file system; you can choose which files are to be recovered and you can select where those files are to be exported.

Kind Regards,
Execute

ella
Re: question about cryptolocker
« Reply #2 on: January 19, 2016, 10:51:30 am »
Hello and thank you so much for your answer and help.
It's RSA-2048 encryption.
About sending example files and the message (encrypted and originals): do you have an email address I can send them to?
I can't send them here; the files are too big.
thanks, have a good day,
Ella

Execute
Re: question about cryptolocker
« Reply #3 on: January 20, 2016, 10:07:59 am »
Hello, ella,
I will talk with our Administrator about the file attachment system.
Meanwhile, you can send your files to this email address: [email protected].

If you can find what the ransom note was, that could help too,
as there is ransomware that lies about its encryption methods as well.

We will keep you posted about any developments.

Kind Regards,
Execute

ella
Re: question about cryptolocker
« Reply #4 on: January 20, 2016, 04:46:24 pm »
Thanks!

I sent it now.

The subject is "קבצים מוצפנים2".

really appreciate the help.

Ella.

Execute
Re: question about cryptolocker
« Reply #5 on: January 20, 2016, 05:32:25 pm »
@Ella,

the files were received successfully.

We will keep you informed with any results.

Best Regards,
Execute

Norbert
Re: question about cryptolocker
« Reply #6 on: February 22, 2016, 03:14:34 pm »
Hello!
My computer was attacked about a week ago. The name of the ransomware seems to be "crypt0l0ker".

I managed to delete the malware, but I can't decrypt the files.

My computer technician told me that the only way is to pay the ransom. (But the links don't work.)

If you want, I can provide some files or information.

This is the beginning of the ransom note:
=======================================================================
        !!! ABBIAMO CRIPTATO VOSTRI FILE CON IL VIRUS Crypt0L0cker !!!
=======================================================================
I vostri file importanti (compresi quelli sui dischi di rete, USB, ecc): foto,
video, documenti, ecc sono stati criptati con il nostro virus Crypt0L0cker.
L'unico modo per ripristinare i file è quello di pagare noi. In caso contrario,
i file verranno persi.

[=]  Che cosa è successo ai miei file?

  I vostri file importanti: foto, video, documenti, ecc sono stati
  crittografati con il nostro virus Crypt0L0cker. Questo virus utilizza molto
  forte algoritmo di crittografia - RSA-2048. Rottura di algoritmo di
  crittografia RSA-2048 è impossibile senza la speciale chiave di
  decrittazione.

  Inoltre è possibile contattarci via e-mail: [email protected]
------------------------------------------------------------------------------------

(Sorry for my English.)
Thank you so much for any help!

Execute
Re: question about cryptolocker
« Reply #7 on: February 24, 2016, 10:32:36 am »
@Norbert, you are right - unfortunately you have the Crypt0l0ker virus with the same old ransom note, but with a new email address given in the description. There is no known 100% working method for decrypting the files.

You might try to Restore your files using Shadow Volume Copies. That can happen with the Windows built-in Shadow Volume copies or with the program ShadowExplorer. That doesn't always work but you can try it.

Also, you might try using data recovery software.
You can use EaseUS Data Recovery, which is free, or some paid products which are reported to work quite well, like Stellar Phoenix or the one by Pareto Logic. Recovering files with data recovery software depends on how long ago the files were deleted and on whether you have formatted your hard drives after removing the virus. Since the virus creates copies of your files which it locks, and deletes the original files, you have a chance at recovery.

Best of luck!

Kind Regards,
Execute
« Last Edit: February 24, 2016, 10:53:31 am by Execute »
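
The Shadow Volume Copy route Execute mentions can be done without ShadowExplorer from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from any of the tools named in it: it lists the snapshots of C:, exposes the newest one as a folder through a directory symbolic link, and copies a file out. The link path C:\ShadowRO, the sample document path and the D:\Recovered destination are assumptions to adjust.

```powershell
# Added example (not from the thread): list the Volume Shadow Copies of C: and expose the
# newest one as a read-only folder so pre-encryption versions of files can be copied out.
# Run from an elevated PowerShell prompt. C:\ShadowRO, the sample document path and
# D:\Recovered are assumptions.

$volume     = 'C:\'
$mountPoint = 'C:\ShadowRO'

# Win32_ShadowCopy is the CIM class behind "vssadmin list shadows". Its VolumeName is the
# \\?\Volume{GUID}\ form, so resolve the drive letter to that form first.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $volume }
if (-not $vol) { throw "Volume $volume not found" }

$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    # Many ransomware families delete the snapshots before encrypting; nothing to restore here.
    Write-Warning "No shadow copies exist for $volume."
    return
}

# Show what is available and pick the newest snapshot taken BEFORE the infection
# (change the index if the newest one already contains encrypted files).
$shadows | Format-Table InstallDate, DeviceObject -AutoSize
$snap = $shadows[0]

# A directory symbolic link to the snapshot device makes it browsable like a normal folder.
# mklink requires the trailing backslash after the device object path.
cmd /c mklink /d $mountPoint ($snap.DeviceObject + '\') | Out-Null

# Copy the good versions out; only ever read from the snapshot, never write into it.
$wanted = Join-Path $mountPoint 'Users\Ella\Documents\report.docx'   # assumed sample path
Copy-Item -Path $wanted -Destination 'D:\Recovered\' -ErrorAction Continue

# Remove the link when finished. This removes the link only, not the snapshot itself.
cmd /c rmdir $mountPoint
```

Check the InstallDate column against the time the ransom note appeared before choosing a snapshot: a copy taken after the infection contains the encrypted files, not the originals.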

Norbert
Re: question about cryptolocker
« Reply #8 on: February 25, 2016, 03:02:49 pm »
Thank you for the information provided.
I will try to do a recovery. However, there are no shadow copies on the drive and the backup software was not functional.
:-(

Do you think there is a chance that someone manages to create decryption software in the next few months?
Thank you.

Best regards

Execute
Re: question about cryptolocker
« Reply #9 on: February 25, 2016, 04:51:33 pm »
@Norbert,

I am sad to hear that. Well, it is likely that somebody comes up with a decryptor.
There is even newer ransomware that got a working decryptor.

For now, save your encrypted files somewhere and wait. You can check Kaspersky's tools to see if you have luck decrypting, and if some of the files work with a particular tool, check that tool's page for updates.

Kind Regards,
Execute

sc42
Re: question about cryptolocker
« Reply #10 on: February 29, 2016, 05:54:18 pm »
A PC user here unleashed the Locky ransomware through a Word attachment to his email. I found encrypted files on 3 NAS's. We immediately shut down and removed his PC from our network. I'm now contemplating my recovery strategy. It was mentioned to me by an IT person that the way Locky works is that it resides on the piece of hardware where it was first opened and searches the network for files to affect. Therefore, is it safe to assume that the damage done to the NAS files is stopped, i.e. the ransomware itself is not resident on the NAS's where it can continue to encrypt more files?

Execute
Re: question about cryptolocker
« Reply #11 on: March 01, 2016, 11:37:01 am »
@sc42, hello, short answer - if you are sure all files of the ransomware are wiped out - you should be safe.

Long answer - I would like to think that it is indeed safe to assume that the NAS that got hit with the ransomware is free of the Locky virus.
But first, do a check with an anti-virus again, and maybe also try with a different program too, to see if you find any more infected files - just in case. It might take more time to do that on the other systems, but I recommend they are checked as well in case the virus replicated. There were new variants of the virus that try to evade anti-malware programs, so you had to wait about a day for newer definition updates.

Unless there is a new variant of the ransomware, where it hides in memory (I haven't seen such yet, fortunately), you should be in the clear.

Write if you want to ask something else.

Best Regards,
Execute
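
Besides the anti-virus check Execute recommends, the question sc42 actually asks (has the encryption stopped?) can be answered from the NAS side by looking at the timestamps of the encrypted files. The script below is an added example, not code from the thread: it inventories a share for files carrying the extensions that appear in this thread (.locky, .micro) and for ransom-note names, and warns if any encrypted file was written after the infected PC was isolated. The UNC path, the isolation time, the note-name pattern and the CSV output path are assumptions.

```powershell
# Added example (not from the thread): survey a NAS share for ransomware artefacts and
# check whether encryption is still progressing after the infected PC was unplugged.
# The share path, isolation time, note-name pattern and CSV path are assumptions to adapt.

$share      = '\\nas01\shared'               # assumed UNC path of the hit share
$isolatedAt = Get-Date '2016-02-29 17:00'    # assumed time the infected PC left the network

# Extensions mentioned in this thread; add whatever the files on your share actually show.
$badExt = @('.locky', '.micro')
# Assumed pattern for ransom-note file names; take the real name from a hit folder.
$notePattern = 'recover_instructions|HOW_TO_RESTORE'

$files = Get-ChildItem -Path $share -Recurse -File -Force -ErrorAction SilentlyContinue

$encrypted = @($files | Where-Object { $badExt -contains $_.Extension.ToLower() })
$notes     = @($files | Where-Object { $_.Name -match $notePattern })

"Encrypted files found : {0}" -f $encrypted.Count
"Ransom notes found    : {0}" -f $notes.Count

# Folders hit hardest: these are the ones to restore from backup or NAS snapshot first.
$encrypted | Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 10

# If LastWriteTime keeps moving forward after the PC was isolated, something is still
# encrypting: another infected host, or a process on the NAS itself.
$latest = $encrypted | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    "Newest encrypted file : {0}  ({1})" -f $latest.LastWriteTime, $latest.FullName
    if ($latest.LastWriteTime -gt $isolatedAt) {
        Write-Warning "Encrypted files were written AFTER isolation; the encryptor is still active somewhere."
    } else {
        "No encrypted files written after $isolatedAt; encryption appears to have stopped."
    }
}

# The NTFS owner of an encrypted file is the account the ransomware ran as, which
# confirms (or refutes) that the isolated PC's user was the only source.
$encrypted | Select-Object -First 20 |
    ForEach-Object { (Get-Acl $_.FullName).Owner } |
    Sort-Object -Unique

# Export the inventory for the recovery plan.
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path 'C:\IR\nas01-encrypted.csv' -NoTypeInformation   # assumed output path
```

Run it again a few hours later: a count that has not changed and a newest timestamp that stays before the isolation time is the evidence that the damage has stopped; a second owner in the list means a second infected machine.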

mcerdem
Re: question about cryptolocker
« Reply #12 on: March 02, 2016, 09:49:35 pm »
Hi, what was the extension of the encrypted files?

Execute
Re: question about cryptolocker
« Reply #13 on: March 07, 2016, 11:22:04 am »
@mcerdem, heya - the .micro extension - no progress with it either.