Hello guys, i have a problem. Yesterday a friend of mine that has some of my files on his laptop, because mine is broken got hit by some type of ransomware. The virus left a TOR address and when I opened it, it says Alma Locker. I uploaded an attachment to you. The virus also left "Unlock_files_" type of files that have random numbers and letters like Unlock_files_22ry8.html and Unlock_files_22ry8.txt. My files also have these random numbers as extensions, like picture.png.22ry8 and I cant open them. I read on other blogs that this is some sort of file scrambling, and I see that you know a lot about this ransomware issue on Discuss. Is it possible to restore my files and if so, how can I do this?

Hello,

Looks like you have been hit by Alma Locker ransomware. This nasty threat uses TOR networking to communicate with its victims and get them to pay 1 BitCoin ransom payoff and the deadline for this is 5 days. On the tor based web page given to you, you can decrypt one of your files of free, so I suggest you do that right away. Then copy the encrytped files and the decrypted file to a USB drive or a safe device.

Unfortunately at the moment, there is no direct decryption for free that has been released for Alma Locker because, this virus is, well, new. But we have some solutions that you can try. One of them is to use Wireshark while Alma Locker ransomware is still installed on your computer and sniff out the packets of information that this virus may use to send the decryption key to the cyber-criminals server to which it connects to. You can do this by following the instructions in this URL:

http://sensorstechforum.com/find-decryption-key-files-encrypted-ransomware/

Try using this program to inspect outgoing packets from your IP address to the cyber-criminals' server. Be patient and check the packets one by one. Look for any keywords when you inspect them, like RSA, AES, etc. Also, do not forget to configure the program to run on system startup.

Once you have found the key, write a reply here and we are going to attempt and decrypt your files.

Best Regards,
Never

Hi, thanks, trying it now, but I want to know, how to I save the captured files when Wireshark begins scanning on startup. All i see is the command prompt activity but I don't know how to save this.

Hi again, Josiegard

Thanks for asking. On this web link can find detailed information on the commands that will help you create a file that will autorun on startup. Here are the commands to enter in the text document. Pay attention to the "-W" which is for capturing packets. Make sure that the files you saved as .pcap file types so that you can open them for anallyzing with Wireshark later on:

Just got hit by this Alma thing. Thankfully after my last experience with TeslaCrypt, I read your post on how to safely store your important files and protect them from malware and installed a cloud backup program, so now I'm good, just reinstalled Windows logged in the cloud and downloaded the files. That ransomware scum can go to hell!!!

Hi, Ysmil22,

You mean this one? Glad it served it's purpose to someone.

On the tor based web page given to you, you can decrypt one of your files of free, so I suggest you do that right away.

Well, currently that is broken, as you see here:



I suggest all infected users to check it from time to time, and as soon
as they see it is active to try never's advice and decrypt some files.
You might be able to decrypt more than 1 file, but each should be up to 1 MB in size.

Best Regards,
Execute

Hello josiegard,

It looks like you have seen the TCP stream of a packet. Since this model is primarily theoretical, you may not always find the decryption key directly. Sometimes the malware simply connects to the C&C server and sends a key file instead of sending the information directly. Make sure to inspect packets from the post infection traffic. For example, the Alma ransomware may use an exploit kit for infection. To do this, it sends and HTTP request via this kit from your computer to a domain to download the payload. The post traffic after this may be indicated under the "POST" keyword at the beggining of the packet in the "Info" section. Those packets may have some key information about this ransowmare, even thought the chances are not very high.

The main key in using Wireshark is to attempt and investigate the information being transferred from your host to the host of the cyber-criminals. There are many factors in this, such as the encrypted SSL traffic which Wireshark can decrypt and what the virus does, more importantly.