cryptolocker virus help

Anyone met this? It corrupts document files and demands $300 to
unencrypt. It has wiped out many small companies in the US and here in
the UK. It appeared in the last month or two. No one knows how to
unencrypt files...see
http://www.theregister.co.uk/2013/10/18/cryptolocker_ransmware/

Where are these bastards? Can they be tracked down?

Re: cryptolocker virus help

On Mon, 21 Oct 2013 17:03:37 +0100

Not without infringing on their right to privacy.

Re: cryptolocker virus help


... surfaced early last month ...
... the malware spreads ...
... the most destructive virus in 13 years ...
... there is no known decryption as yet ...

Where did I read this before?
So do we now have to alert all people in our address book???


As always ... recovery from backups is the best option.

By the way this is the first time I hear about this ransomware.
Also nice is the heading of the article: 'Whatever you do, don't PAY'
and on page 2 one can read: 'lose your files or pay the bad guys with a
credit card to get the unlock code'

--  
Fred W. (NL)

Re: cryptolocker virus help


And it is a trojan, not a virus.

What makes this difficult is their use of the Windows Crypto API.

Make sure you back up your data and treat encrypted data as a complete
loss, as if all the data files had been deleted.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: cryptolocker virus help

On Mon, 21 Oct 2013 14:30:18 -0400

:o)

Re: cryptolocker virus help

Per David H. Lipman:
Could there be a way to remove the .DLLs or whatever behind Windows'
Crypto API without bringing the system to its knees?

i.e. If one is not explicitly encrypting anything in their normal
workflow, does XP need that API?
--  
Pete Cresswell

Re: cryptolocker virus help


Unfortunately, no.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: cryptolocker virus help

Per David H. Lipman:
That would be a good thing, right? i.e. if XP does not need the API,
just delete it and CryptoLocker would be unable to encrypt anything.
--  
Pete Cresswell

Re: cryptolocker virus help

On 2013-10-23 11:13 AM, (PeteCresswell) wrote:
OP's question was ambiguous. I parse David's answer as "No, you can't
delete the *.dll, Windows needs it."

HTH

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: cryptolocker virus help


Yes  ;-)

There are many OS components and software that are dependent upon them,
including MS Office.



--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: cryptolocker virus help

Per David H. Lipman:
To be truthful, that's kind of what I figured....

But one can always hope..... -)
--  
Pete Cresswell

Re: cryptolocker virus help

"(PeteCresswell)" wrote:

No.


Yes.

Let me add some technical info here. The malware uses the crypto
functions in advapi32.dll and a few from crypt32.dll. Advapi32 is a
core system dll, i.e. Windows won't run without it. Crypt32 is also
needed for maintaining the system's digital certificate store.

The sample I have also makes use of the P4 extended SSE instruction
set, so if you're running on older hardware (e.g. a Pentium 3 or
perhaps an early P4) the executable won't run.
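Dave says above that many OS components depend on the Crypto API DLLs, and Ant names them as advapi32.dll and crypt32.dll. The following PowerShell script is an added example (not code from anyone in this thread) that lists which running processes currently have those two DLLs loaded, which makes clear why deleting them is not a workable defence; it assumes a Windows host with PowerShell 2.0 or later, and shows more processes when run from an elevated prompt.

```powershell
# Added example: show how widely the Crypto API DLLs named in the thread
# are loaded, to illustrate that removing them would break the system.
$cryptoDlls = @('advapi32.dll', 'crypt32.dll')

$report = foreach ($proc in Get-Process) {
    try {
        # Module lists are readable only for processes of the same bitness
        # and where we hold query rights; protected/system processes throw,
        # and we simply skip those.
        $loaded = $proc.Modules |
            Where-Object { $cryptoDlls -contains $_.ModuleName.ToLower() }
    } catch {
        continue
    }
    if ($loaded) {
        $names = $loaded | ForEach-Object { $_.ModuleName } | Sort-Object -Unique
        New-Object PSObject -Property @{
            Process = $proc.ProcessName
            Id      = $proc.Id
            Dlls    = ($names -join ', ')
        }
    }
}

$report | Sort-Object Process | Format-Table Process, Id, Dlls -AutoSize
"{0} of {1} visible processes have advapi32.dll or crypt32.dll loaded." -f `
    @($report).Count, @(Get-Process).Count
```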



Re: cryptolocker virus help

On Wed, 23 Oct 2013 23:39:03 +0100

Interesting, thanks Ant.

Re: cryptolocker virus help

"FromTheRafters" wrote:

You're welcome, but it's pretty stoopid if you ask me! (I take it you
are referring to the use of SSEs). They use MOVQ in several places to
transfer a quadword from a MMX register on the co-processor into the
stack. The register contains zeros. How that's better than doing
something like PUSH 0 twice in 32 bit code beats me.



Re: cryptolocker virus help

On Thu, 24 Oct 2013 02:30:56 +0100

Yep, why limit the size of their own potential market?

Re: cryptolocker virus help


Still... an improvement over GPcode. { unfortunately }

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: cryptolocker virus help

According to:
http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/

There is a free solution:
================
We have also seen two types of encryption key used by this ransomware.

    Uses a Universally Unique Identifier (UUID) as the encryption key and
    renames it with an extension .FTCODE
    Uses a randomly generated string, 50 characters long and including 4
    non alpha numeric values as encryption key and renames it with an
    extension .BTCODE. This key is generated using the GeneratePassword()
    command. This handy function takes 2 parameters: length of the
    password to create and the number of non-alphanumeric characters to
    include. Very useful if you have a hard time coming up with strong
    passwords by yourself.

But there's good news. In both cases the encryption key can be recovered
without paying for it. In fact, this can be done using the same
PowerShell tool that the attackers used.

The first, UUID, key can be retrieved with this command.

    Get-wmiobject Win32_ComputerSystemProduct UUID

The second with:

    Gwmi win32_computerSystem Model
========

Re: cryptolocker virus help


I don't think this is the same version.



--  
Sometimes there's a part of me...Has to turn from here and go...Running like  
a child from these warm stars down the seven bridges road. There are stars in  
the southern sky. And if you ever you decide you should go...There is a taste  
of thyme sweetened and honey down the seven bridges road...

Re: cryptolocker virus help

On Saturday, November 2, 2013 1:40:08 PM UTC-5, Dustin wrote:
"Sorry about that chief."
Guess it is one of those "if it sounds too good to be true..."

Re: cryptolocker virus help


Hey, for people who might run into trouble with the one you did post the
URL for, it's a way out!

So, not a total loss. :)
  



--  
Sometimes there's a part of me...Has to turn from here and go...Running  
like a child from these warm stars down the seven bridges road. There are  
stars in the southern sky. And if you ever you decide you should go...There  
is a taste of thyme sweetened and honey down the seven bridges road...