cryptolocker

Posted: 2016-11-30 06:38am
by mr friendly guy
I have no idea how, but this appeared on my system. It says I have until 5 December to pay the ransom or it will encrypt my computer files.

Now most of my important files are pretty much backed up onto a separate hard drive, although it was connected to my computer at the time the cryptolocker appeared.

I have been googling how to deal with cryptolocker and am going to try some anti-malware programs. But does anyone have ideas how to deal with cryptolocker? Any help is appreciated.

Re: cryptolocker

Posted: 2016-11-30 06:59am
by Crazedwraith
Turned your files to mp3 and stuff? Happened at my workplace a couple of times. They had to contact the hijackers to pay the ransom, but the hijackers gave them the key for free since they'd already got all the money they wanted.

That's the office rumour anyway.

eta: ignore me. This seems to be something different if it's claiming it's going to encrypt your files rather than having already done so and selling you the decrypt.

Re: cryptolocker

Posted: 2016-11-30 07:11am
by mr friendly guy
Actually I just checked. A lot of files are already encrypted. Presumably the ones that aren't, happened because my antivirus deleted it.

The message pretty much reads that if this appears instead of the window, it's because the antivirus has deleted it. Damn. I had in the last 2 weeks changed my external hard drive from a 3 TB to an 8 TB one and now plan to use the 3 TB one as a HTPC drive. So I wiped off the non-video files from the old external hard drive.

Re: cryptolocker

Posted: 2016-11-30 07:24am
by mr friendly guy
It had a nice message:
Support e-mail: suppcop@india.com suppcop@yandex.ru

Your personal files encryption produced on this computer: photos, videos, documents, etc.
Encryption was produced using a unique public key RSA-2048 generated for this computer.

To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow to decrypt the files,
located on a secret server on the Internet; the server will destroy the key after 120 hours.

After that nobody and never will be able to restore files.

To obtain the private key for this computer, you need pay 1.95 Bitcoin (~1442 USD)

---------------------------------------------------------------------------------------------------

Your Bitcoin address:

18K5DVxPxepXPNULzdxx1GGCEPDoEUuG3A

You must send 1.95 Bitcoin to the specified address and report it to e-mail customer support.

In the letter must specify your Bitcoin address to which the payment was made.

---------------------------------------------------------------------------------------------------

The most convenient tool for buying Bitcoins in our opinion is the site:

https://localbitcoins.com/

There you can buy Bitcoins in your country in any way you like, including electronic payment systems,
credit and debit cards, money orders, and others.

Instructions for purchasing Bitcoins on account localbitcoins.com read here:

https://localbitcoins.com/guides/how-to-buy-bitcoins

Video tutorial detailing on buying Bitcoins using the site localbitcoins.com here:

http://www.youtube.com/watch?v=hroPcR-0zSI

How to withdraw Bitcoins from account localbitcoins.com to our bitcoin wallet:

https://localbitcoins.com/faq#howto_buy

Also you can use to buy Bitcoins these sites:

https://www.bitstamp.net/ - Big BTC exchanger
https://www.coinbase.com/ - Other big BTC exchanger
https://www.moneypakforbitcoins.us/ - Buy BTC via Green Dot MoneyPak
https://btcdirect.eu/ - Best for Europe
https://coincafe.com/ - Recommended for fast, many payment methods
https://bittylicious.com/ - Good service for Europe and World
https://www.247exchange.com/ - Other exchanger

Re: cryptolocker

Posted: 2016-11-30 07:45am
by Civil War Man
There are a few possible ways to deal with this. If you have VSS active on your computer, you may be able to restore your files using previous versions. If your backups aren't encrypted (which is not guaranteed, since these things target all drives they can find), you can restore them from backup. Alternatively, if those aren't options, some variants of cryptolocker have been cracked, and utilities exist to decrypt the files. The one catch for that is that not all variants have been cracked, and even if you've been hit with one of the ones that has, the utility requires both an encrypted and decrypted version of the same file in order to recover the key. Do the encrypted files have different file extensions? If so, that can help determine what version you were hit with, and whether a decryption utility exists for it.

Of course, before you do any of these, you'll obviously want to make sure that the ransomware is completely scrubbed from your computer, otherwise it will just encrypt any files you are able to recover.

EDIT: Even if no decryption utility exists for the version you were hit with yet, it may be a good idea to hang onto the encrypted files, since one might be developed in the future if someone is able to recover the keys they use.
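One way to carry out the checks described above (whether the backup drive was also hit, and which extensions were touched) before copying anything back. This is an added example for the thread, not a tool any poster mentioned; the 7.5 bits/byte threshold, the small magic-byte table and the constructed sample files are assumptions. Natively compressed formats such as PNG look random to an entropy test, so for those the header check takes precedence.

```python
import math
import os
import tempfile
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.5  # bits per byte; constructed threshold, tune for your data
# Leading bytes these formats always carry; an encrypted copy no longer has them.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(head: bytes, ext: str) -> str:
    """'intact' if the format header is present or the bytes look ordinary, else 'suspect'."""
    if ext in MAGIC:  # header check beats entropy for natively compressed formats
        return "intact" if head.startswith(MAGIC[ext]) else "suspect"
    return "suspect" if shannon_entropy(head) >= HIGH_ENTROPY else "intact"

def triage(root: str) -> dict:
    """Walk root; return per-extension intact/suspect counts and the suspect paths."""
    by_ext = defaultdict(lambda: {"intact": 0, "suspect": 0})
    suspect = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower() or "(none)"
            with open(path, "rb") as fh:
                verdict = classify(fh.read(64 * 1024), ext)  # sample first 64 KiB
            by_ext[ext][verdict] += 1
            if verdict == "suspect":
                suspect.append(os.path.relpath(path, root))
    return {"by_ext": dict(by_ext), "suspect": sorted(suspect)}

def demo() -> dict:
    """Constructed sample tree: intact text and PNG, a .docx whose header was
    overwritten, and a renamed file whose body is random bytes (stand-in ciphertext)."""
    root = tempfile.mkdtemp()
    samples = {"rent.txt": b"2016-11 rent paid\n" * 200,
               "photo.png": MAGIC[".png"] + bytes(range(256)) * 8,
               "cv.docx": os.urandom(4096), "thesis.pdf.locked": os.urandom(4096)}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return triage(root)
```

Run `triage()` against the root of the backup drive; the per-extension table doubles as the extension list needed when searching for a decryptor.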

Re: cryptolocker

Posted: 2016-11-30 07:53am
by mr friendly guy
It says that the reason the cryptolocker isn't being displayed is that my antivirus had already deleted cryptolocker. As a test, I created a new Word document, and it's not encrypted. But what's the best software to make sure it's completely scrubbed?

My next plan is to restore it from my old external hard drive. As it happened, I only changed my 3 TB hard drive to an 8 TB hard drive 2 weeks ago. Most of my video files in the old one are still the same, so all I need to do is copy them again after the ransomware has been scrubbed. Unfortunately a few other useful files such as pdfs, electronic books etc. I deleted from the old drive to make room, as I was planning to turn the old 3 TB drive into a new hard drive for my HTPC.

If I can recover the files, I should be good. I have added a few new files, but since they are mainly in the form of news articles I found interesting, it should be easy enough to track down the original sites and redownload them.

Edit - If I can't recover the files, I would rather pay an honest professional to recover the lost files than the blackmailers.

Edit 2 - a quick look at my external hard drive, and not all files are encrypted, but a lot are.

Edit 3 - as well as getting an extra external hard drive for backup, what's a way to prevent this ransomware infecting the computer? I swear I don't remember clicking any attachment.

Re: cryptolocker

Posted: 2016-11-30 09:30am
by General Zod
You don't actually have to click anything. Malware has evolved from the good old days.

Re: cryptolocker

Posted: 2016-11-30 09:42am
by mr friendly guy
Shit. According to the link it can infect via news sites. I do visit some news sites and get articles which I find interesting.

Re: cryptolocker

Posted: 2016-11-30 09:58am
by Ace Pace
OK. The long and short is do what Civil War Man said. Google the ransom letter and see if anything shows up, or the file extensions if your files were also renamed, maybe there's a decryptor. These days, unlikely.

More seriously, this happened due to one of only two reasons.

1 - You're not updating your computer. Your browser and OS.
2 - You downloaded something and executed it.

(1) Is easy to solve. Fucking restart your browser once in 2 weeks and let Windows Update do its thing (like...be on Win10 and a modern Office).
(2) Is harder. You need to make sure that you don't download programs from random websites, or open suspicious Office documents.
This can be easily dealt with. Windows (from 8 and up) has something called SmartScreen filter. Leave it working. Also, use a modern Office that does not let you edit files from the internet.

Re: cryptolocker

Posted: 2016-11-30 10:09am
by Executor32
I've had a lot of success using Trend Micro's Ransomware File Decryptor at work. Kaspersky also provides a bunch of decryption tools.

Re: cryptolocker

Posted: 2016-11-30 10:52am
by mr friendly guy
Using some of the links, it's identified the ransomware as Pclock (updated) based on the ransom notes, but it couldn't identify it based on the encrypted file.

So far it appears to be immune to decryption since they updated it. It poses as a cryptolocker clone.

Re: cryptolocker

Posted: 2016-11-30 11:23am
by mr friendly guy
Ace Pace wrote:OK. The long and short is do what Civil War Man said. Google the ransom letter and see if anything shows up, or the file extensions if your files were also renamed, maybe there's a decryptor. These days, unlikely.

More seriously, this happened due to one of only two reasons.

1 - You're not updating your computer. Your browser and OS.
2 - You downloaded something and executed it.

(1) Is easy to solve. Fucking restart your browser once in 2 weeks and let Windows Update do its thing (like...be on Win10 and a modern Office).
(2) Is harder. You need to make sure that you don't download programs from random websites, or open suspicious Office documents.
This can be easily dealt with. Windows (from 8 and up) has something called SmartScreen filter. Leave it working. Also, use a modern Office that does not let you edit files from the internet.
Is it worth buying an anti-malware program?

Re: cryptolocker

Posted: 2016-11-30 11:37am
by Executor32
Emsisoft has an updated Pclock decryptor here, give that a shot.

Re: cryptolocker

Posted: 2016-11-30 12:21pm
by General Zod
mr friendly guy wrote:
Ace Pace wrote:OK. The long and short is do what Civil War Man said. Google the ransom letter and see if anything shows up, or the file extensions if your files were also renamed, maybe there's a decryptor. These days, unlikely.

More seriously, this happened due to one of only two reasons.

1 - You're not updating your computer. Your browser and OS.
2 - You downloaded something and executed it.

(1) Is easy to solve. Fucking restart your browser once in 2 weeks and let Windows Update do its thing (like...be on Win10 and a modern Office).
(2) Is harder. You need to make sure that you don't download programs from random websites, or open suspicious Office documents.
This can be easily dealt with. Windows (from 8 and up) has something called SmartScreen filter. Leave it working. Also, use a modern Office that does not let you edit files from the internet.
Is it worth buying an anti-malware program?
Anti-malware programs can't catch malware that's not in their database. You might be better off running NoScript and disabling Flash. (Two vectors through which viruses can infect your machine without your clicking on anything.)

Re: cryptolocker

Posted: 2016-11-30 04:33pm
by Ace Pace
General Zod wrote: Is it worth buying an anti-malware program?
Anti-malware programs can't catch malware that's not in their database. You might be better off running NoScript and disabling Flash. (Two vectors through which viruses can infect your machine without your clicking on anything.)

No. Basically all anti-virus programs are crap. If you must use one, use the built-in AV with Windows 10; at least it won't slow down your PC.

I'd not care about NoScript or disabling Flash or all the usability-breaking suggestions. I'll repeat again. There are two ways basic malware (and all cryptolocker stuff is basic) can reach your PC.

1 - You're running out-of-date software. Most malware you find online does not contain new exploits (ways to attack your PC). It's working off the fact that most people keep their Chrome open for months, or refuse to let Windows Update do its job. So it can attack through Flash and other browser bugs.
2 - You got convinced for some reason to let an unknown file execute on your PC. It could be an executable. A "smart" PDF. A Word document with macros enabled.

Fixing (1) is a matter of just letting your PC do its job. Fixing (2) is habit changing.

Re: cryptolocker

Posted: 2016-11-30 05:17pm
by mr friendly guy
Ok. It doesn't seem to be encrypting any new files. But what should I use just to make sure I have scrubbed it totally from my system before I try copying the backup files?

Executor32 wrote:Emsisoft has an updated Pclock decryptor here, give that a shot.
I read that. They also mention that the updated Pclock isn't broken yet, because they were actually hacking the hackers and getting their decryption keys, but currently the hacker has changed tactics.

Re: cryptolocker

Posted: 2016-11-30 05:31pm
by mr friendly guy
Further information: I run Lavasoft, and presumably this was the program that deleted the ransomware, but too late. I also used Avast free scan and got a few other malware detected and eradicated.

Re: cryptolocker

Posted: 2016-11-30 05:46pm
by Ace Pace
mr friendly guy wrote:Further information: I run Lavasoft, and presumably this was the program that deleted the ransomware, but too late. I also used Avast free scan and got a few other malware detected and eradicated.
Don't. Just don't. Just run Defender. I can't repeat this enough.

Antiviruses are at best an emergency stop if a malware has successfully attacked your PC. Most of them are utter trash that just increase your attack surface (*). Run something widely used that does minimum damage; they all pretty much defend against the same stuff.

(*) see Wired's sensational but accurate article.

One of my part-time jobs involves finding undetected malware and writing stuff about it. You'd think this is hard, but I've yet to run across interesting malware that was detected by AVs...

Re: cryptolocker

Posted: 2016-11-30 05:54pm
by mr friendly guy
Ace Pace wrote:
mr friendly guy wrote:Further information: I run Lavasoft, and presumably this was the program that deleted the ransomware, but too late. I also used Avast free scan and got a few other malware detected and eradicated.
Don't. Just don't. Just run Defender. I can't repeat this enough.

Antiviruses are at best an emergency stop if a malware has successfully attacked your PC. Most of them are utter trash that just increase your attack surface (*). Run something widely used that does minimum damage; they all pretty much defend against the same stuff.

(*) see Wired's sensational but accurate article.

One of my part-time jobs involves finding undetected malware and writing stuff about it. You'd think this is hard, but I've yet to run across interesting malware that was detected by AVs...
How do I make sure I have scrubbed Pclock out? I assumed whatever software deleted it could have just done it too late, as it had encrypted a lot of files, but I am no expert and am not sure if anything is left of the malware. I am hoping to access my deleted files from my untouched external hard drive, but I want to make sure this is gone before I copy them back.

Edit - running Windows Defender scan. Already detected a trojan. Let's see what shows up.

Re: cryptolocker

Posted: 2016-11-30 08:06pm
by Civil War Man
I find Malwarebytes is pretty effective at rooting out a lot of infected files that some other scanners might miss, so it wouldn't hurt to scan your computer with it to make sure everything is cleaned out.

Re: cryptolocker

Posted: 2016-12-01 07:58am
by mr friendly guy
Restoring files now. Unfortunately Recuva just finds the files, but not their folders. Windows 10 then sucks for searching for files or folders, because it keeps on suggesting I look online. Anyone know how to get it to just search files or folders?

Re: cryptolocker

Posted: 2016-12-01 06:36pm
by mr friendly guy
It's going to be a long haul restoring the files. However, I made some interesting discoveries about this ransomware.

There are certain files it won't encrypt. Old .htm files are left alone. Also .png files are untouched. Currently I have got back most of the video files, which take up the most space, and useful pdf files from news etc. Important documents like my CV are recovered as well, as are the Excel files which I use to keep track of rent, interest, bank accounts etc. So the important things have been recovered.

Thanks to all who helped. It looks like I am going to fork out a few hundred for another 8 TB hard drive, which I will keep separate from the desktop for safety. It's just pure luck that the ransomware attack occurred as I was upgrading my external hard drive.