cryptolocker

GEC: Discuss gaming, computers and electronics and venture into the bizarre world of STGODs.

Moderator: Thanas

mr friendly guy
The Doctor
Posts: 11235
Joined: 2004-12-12 10:55pm
Location: In a 1960s police telephone box somewhere in Australia

cryptolocker

Post by mr friendly guy »

I have no idea how, but this appeared on my system. It says I have until 5 December to pay the ransom or it will encrypt my computer files

Now most of my important files are pretty much back up onto a separate hard drive, although it was connected to my computer at the time the cryptolocker appeared.

I have been googling how to deal with cryptolocker and am going to try some anti-malware programs. But does anyone have ideas on how to deal with cryptolocker? Any help is appreciated.
Never apologise for being a geek, because they won't apologise to you for being an arsehole. John Barrowman - 22 June 2014 Perth Supernova.

Countries I have been to - 14.
Australia, Canada, China, Colombia, Denmark, Ecuador, Finland, Germany, Malaysia, Netherlands, Norway, Singapore, Sweden, USA.
Always on the lookout for more nice places to visit.
Crazedwraith
Emperor's Hand
Posts: 11862
Joined: 2003-04-10 03:45pm
Location: Cheshire, England

Re: cryptolocker

Post by Crazedwraith »

Turned your files to mp3 and stuff? Happened at my workplace a couple of times. They had to contact the hijackers to pay the ransom, but the hijackers gave them the key for free since they'd already got all the money they wanted.

That's the office rumour anyway.

ETA: ignore me. This seems to be something different if it's claiming it's going to encrypt your files rather than having already done so and selling you the decrypt.

Re: cryptolocker

Post by mr friendly guy »

Actually I just checked. A lot of files are already encrypted. Presumably the ones that aren't happened because my antivirus deleted it.

The message pretty much reads that if this appears instead of the window, it's because the antivirus has deleted it. Damn. I had in the last 2 weeks changed my external hard drive from a 3 TB to an 8 TB one and now plan to use the 3 TB one as an HTPC drive. So I wiped off the non-video files from the old external hard drive.

Re: cryptolocker

Post by mr friendly guy »

It had a nice message
Support e-mail: suppcop@india.com suppcop@yandex.ru

Your personal files encryption produced on this computer: photos, videos, documents, etc.
Encryption was produced using a unique public key RSA-2048 generated for this computer.

To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow to decrypt the files,
located on a secret server on the Internet; the server will destroy the key after 120 hours.

After that nobody and never will be able to restore files.

To obtain the private key for this computer, you need pay 1.95 Bitcoin (~1442 USD)

---------------------------------------------------------------------------------------------------

Your Bitcoin address:

18K5DVxPxepXPNULzdxx1GGCEPDoEUuG3A

You must send 1.95 Bitcoin to the specified address and report it to e-mail customer support.

In the letter must specify your Bitcoin address to which the payment was made.

---------------------------------------------------------------------------------------------------

The most convenient tool for buying Bitcoins in our opinion is the site:

https://localbitcoins.com/

There you can buy Bitcoins in your country in any way you like, including electronic payment systems,
credit and debit cards, money orders, and others.

Instructions for purchasing Bitcoins on account localbitcoins.com read here:

https://localbitcoins.com/guides/how-to-buy-bitcoins

Video tutorial detailing on buying Bitcoins using the site localbitcoins.com here:

http://www.youtube.com/watch?v=hroPcR-0zSI

How to withdraw Bitcoins from account localbitcoins.com to our bitcoin wallet:

https://localbitcoins.com/faq#howto_buy

Also you can use to buy Bitcoins these sites:

https://www.bitstamp.net/ - Big BTC exchanger
https://www.coinbase.com/ - Other big BTC exchanger
https://www.moneypakforbitcoins.us/ - Buy BTC via Green Dot MoneyPak
https://btcdirect.eu/ - Best for Europe
https://coincafe.com/ - Recommended for fast, many payment methods
https://bittylicious.com/ - Good service for Europe and World
https://www.247exchange.com/ - Other exchanger
Civil War Man
NERRRRRDS!!!
Posts: 3790
Joined: 2005-01-28 03:54am

Re: cryptolocker

Post by Civil War Man »

There are a few possible ways to deal with this. If you have VSS active on your computer, you may be able to restore your files using previous versions. If your backups aren't encrypted (which is not guaranteed, since these things target all drives they can find), you can restore them from backup. Alternatively, if those aren't options, some variants of cryptolocker have been cracked, and utilities exist to decrypt the files. The one catch for that is that not all variants have been cracked, and even if you've been hit with one of the ones that has, the utility requires both an encrypted and decrypted version of the same file in order to recover the key. Do the encrypted files have different file extensions? If so, that can help determine what version you were hit with, and whether a decryption utility exists for it.

Of course, before you do any of these, you'll obviously want to make sure that the ransomware is completely scrubbed from your computer, otherwise it will just encrypt any files you are able to recover.

EDIT: Even if no decryption utility exists for the version you were hit with yet, it may be a good idea to hang onto the encrypted files, since one might be developed in the future if someone is able to recover the keys they use.
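Civil War Man's point that a decryptor needs both an encrypted and a decrypted copy of the same file comes down to a known-plaintext attack on a weak cipher. The following is an added example, not code from the thread, from Pclock or from any decryption utility: it implements a constructed repeating-key XOR "ransomware" cipher (KEY_LEN, the sample files and every function name are assumptions) and shows the recovery working when one key is reused for every file, and unlocking only its own file when each file gets its own key.

```python
"""Why a decryptor asks for an encrypted file plus its original: a
worked known-plaintext key recovery against a toy ransomware cipher.

Added example, not code from the thread, from Pclock, or from any
decryption utility. The cipher is a constructed repeating-key XOR, the
kind of weakness that let some families be cracked; nothing here claims
Pclock works this way, and a file key wrapped with a real RSA-2048
public key would not fall to this.
"""
import os
from itertools import cycle

KEY_LEN = 32  # assumption for the toy cipher

# Constructed sample "files" with recognisable headers (not real documents).
ORIGINAL_REPORT = b"%PDF-1.4\n% constructed sample report body " * 4
ORIGINAL_NOTES = b"PK\x03\x04 constructed sample docx payload " * 4


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy 'ransomware' cipher: repeating-key XOR. XOR is its own inverse."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext yields the keystream.
    For a repeating key, the first key_len bytes of that stream are the key,
    and every later byte must match it, which doubles as a sanity check."""
    n = min(len(ciphertext), len(known_plaintext))
    if n < key_len:
        raise ValueError("need at least key_len bytes of matching plaintext")
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))
    key = stream[:key_len]
    if any(b != key[i % key_len] for i, b in enumerate(stream)):
        raise ValueError("keystream does not repeat: wrong pair, or not a repeating-key cipher")
    return key


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Decrypt with a recovered key; for XOR this is just encryption again."""
    return toy_encrypt(ciphertext, key)


def demo_shared_key() -> tuple:
    """Weak family: one key reused for every file. One pair unlocks all of them."""
    key = os.urandom(KEY_LEN)
    enc_report = toy_encrypt(ORIGINAL_REPORT, key)
    enc_notes = toy_encrypt(ORIGINAL_NOTES, key)
    recovered = recover_key(enc_report, ORIGINAL_REPORT)  # the pair: encrypted file + backup copy
    return recovered == key, decrypt(enc_notes, recovered) == ORIGINAL_NOTES


def demo_per_file_key() -> tuple:
    """Less weak family: a fresh key per file. The pair unlocks only its own file;
    every other file would need its own original, which is exactly what is missing."""
    enc_report = toy_encrypt(ORIGINAL_REPORT, os.urandom(KEY_LEN))
    enc_notes = toy_encrypt(ORIGINAL_NOTES, os.urandom(KEY_LEN))
    recovered = recover_key(enc_report, ORIGINAL_REPORT)
    return (decrypt(enc_report, recovered) == ORIGINAL_REPORT,
            decrypt(enc_notes, recovered) == ORIGINAL_NOTES)


if __name__ == "__main__":
    print("shared key:", demo_shared_key())      # (True, True)
    print("per-file key:", demo_per_file_key())  # (True, False)
```

The practical consequence for this thread: the "original" half of the pair has to be byte-identical to what was encrypted, so a backup copy of the same PDF, or the same article re-downloaded from the news site if it has not changed, is what to keep next to the encrypted version, not a re-saved copy. And if the family really wraps a per-file key with the RSA-2048 public key the note describes, no number of pairs helps without the private key, which is why the encrypted files are worth keeping in case that key is ever recovered.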

Re: cryptolocker

Post by mr friendly guy »

It says that the reason the cryptolocker isn't being displayed is that my antivirus had already deleted cryptolocker. As a test, I created a new Word document, and it's not encrypted. But what's the best software to make sure it's completely scrubbed?

My next plan is to restore it on my old external hard drive. As it happened I only changed my 3 TB hard drive to an 8 TB hard drive 2 weeks ago. Most of my video files in the old one are still the same, so all I need to do is copy them again after the ransomware has been scrubbed. Unfortunately a few other useful files, such as PDFs, electronic books etc., I deleted from the old drive to make room, as I was planning to turn the old 3 TB drive into a new hard drive for my HTPC.

If I can recover the files, I should be good. I have added a few new files, but since they are mainly in the form of news articles I found interesting, it should be easy enough to track down the original sites and redownload them.

Edit - If I can't recover the files, I would rather pay an honest professional to recover the lost files than the blackmailers.

Edit 2 - a quick look at my external hard drive, and not all files are encrypted, but a lot are.

Edit 3 - as well as getting an extra external hard drive for backup, what's a way to prevent this ransomware infecting the computer? I swear I don't remember clicking any attachment.
General Zod
Never Shuts Up
Posts: 29205
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Re: cryptolocker

Post by General Zod »

You don't actually have to click anything. Malware has evolved from the good old days.
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."

Re: cryptolocker

Post by mr friendly guy »

Shit. According to the link it can infect via news sites. I do visit some news sites and get articles which I find interesting.
Ace Pace
Hardware Lover
Posts: 8456
Joined: 2002-07-07 03:04am
Location: Wasting time instead of money

Re: cryptolocker

Post by Ace Pace »

OK. The long and short is do what Civil War Man said. Google the ransom letter and see if anything shows up, or the file extensions if your files were also renamed; maybe there's a decryptor. These days, unlikely.

More seriously, this happened due to one of only two reasons.

1 - You're not updating your computer. Your browser and OS.
2 - You downloaded something and executed it.

(1) Is easy to solve. Fucking restart your browser once every 2 weeks and let Windows Update do its thing (like...be on Win10 and a modern Office).
(2) Is harder. You need to make sure that you don't download programs from random websites, or open suspicious office documents.
This can be easily dealt with. Windows (from 8 and up) has something called SmartScreen filter. Leave it working. Also, use a modern Office that does not let you edit files from the internet.
Brotherhood of the Bear | HAB | Mess | SDnet archivist |
Executor32
Jedi Council Member
Posts: 2088
Joined: 2004-01-31 03:48am
Location: In a Georgia courtroom, watching a spectacle unfold

Re: cryptolocker

Post by Executor32 »

I've had a lot of success using Trend Micro's Ransomware File Decryptor at work. Kaspersky also provides a bunch of decryption tools.
どうして?お前が夜に自身お触れるから。
Long ago in a distant land, I, Aku, the shape-shifting Master of Darkness, unleashed an unspeakable evil,
but a foolish samurai warrior wielding a magic sword stepped forth to oppose me. Before the final blow
was struck, I tore open a portal in time and flung him into the future, where my evil is law! Now, the fool
seeks to return to the past, and undo the future that is Aku...
-Aku, Master of Masters, Deliverer of Darkness, Shogun of Sorrow

Re: cryptolocker

Post by mr friendly guy »

Using some of the links, it's identified the ransomware as Pclock (updated) based on the ransom notes, but it couldn't identify it based on the encrypted file.

So far it appears to be immune to decryption since they updated it. It poses as a cryptolocker clone.

Re: cryptolocker

Post by mr friendly guy »

Ace Pace wrote:OK. The long and short is do what Civil War Man said. Google the ransom letter and see if anything shows up, or the file extensions if your files were also renamed; maybe there's a decryptor. These days, unlikely.

More seriously, this happened due to one of only two reasons.

1 - You're not updating your computer. Your browser and OS.
2 - You downloaded something and executed it.

(1) Is easy to solve. Fucking restart your browser once every 2 weeks and let Windows Update do its thing (like...be on Win10 and a modern Office).
(2) Is harder. You need to make sure that you don't download programs from random websites, or open suspicious office documents.
This can be easily dealt with. Windows (from 8 and up) has something called SmartScreen filter. Leave it working. Also, use a modern Office that does not let you edit files from the internet.
Is it worth buying an anti-malware program?

Re: cryptolocker

Post by Executor32 »

Emsisoft has an updated Pclock decryptor here, give that a shot.

Re: cryptolocker

Post by General Zod »

mr friendly guy wrote:
Ace Pace wrote:OK. The long and short is do what Civil War Man said. Google the ransom letter and see if anything shows up, or the file extensions if your files were also renamed; maybe there's a decryptor. These days, unlikely.

More seriously, this happened due to one of only two reasons.

1 - You're not updating your computer. Your browser and OS.
2 - You downloaded something and executed it.

(1) Is easy to solve. Fucking restart your browser once every 2 weeks and let Windows Update do its thing (like...be on Win10 and a modern Office).
(2) Is harder. You need to make sure that you don't download programs from random websites, or open suspicious office documents.
This can be easily dealt with. Windows (from 8 and up) has something called SmartScreen filter. Leave it working. Also, use a modern Office that does not let you edit files from the internet.
Is it worth buying an anti-malware program?
Anti-malware programs can't catch malware that's not in their database. You might be better off running NoScript and disabling Flash. (Two vectors through which viruses can infect your machine without clicking on anything.)

Re: cryptolocker

Post by Ace Pace »

General Zod wrote: Is it worth buying an anti-malware program?
Anti-malware programs can't catch malware that's not in their database. You might be better off running NoScript and disabling Flash. (Two vectors through which viruses can infect your machine without clicking on anything.)

No. Basically all anti-virus programs are crap. If you must use one, use the built-in AV with Windows 10; at least it won't slow down your PC.

I'd not care about noscript or disabling flash or all the usability breaking suggestions. I'll repeat again. There are two ways basic malware (and all cryptolocker stuff is basic) can reach your PC.

1 - You're running out-of-date software. Most malware you find online does not contain new exploits (ways to attack your PC). It's working off the fact most people keep their Chrome open for months, or refuse to let Windows Update do its job. So it can attack through Flash and other browser bugs.
2 - You got convinced for some reason to let an unknown file execute on your PC. It could be an executable. A "smart" PDF. A word document with macros enabled.

Fixing (1) is a matter of just letting your PC do its job. Fixing (2) is habit changing.

Re: cryptolocker

Post by mr friendly guy »

Ok. It doesn't seem to be encrypting any new files. But what should I use just to make sure I have scrubbed it totally from my system before I try copying the backup files?


Executor32 wrote:Emsisoft has an updated Pclock decryptor here, give that a shot.
I read that. They also mention that the updated Pclock isn't broken yet, because they were actually hacking the hackers and getting their decryption keys, but currently the hacker changed tactics.

Re: cryptolocker

Post by mr friendly guy »

Further information: I run Lavasoft, and presumably this was the program that deleted the ransomware, but too late. I also used Avast free scan and got a few other malware detected and eradicated.

Re: cryptolocker

Post by Ace Pace »

mr friendly guy wrote:Further information: I run Lavasoft, and presumably this was the program that deleted the ransomware, but too late. I also used Avast free scan and got a few other malware detected and eradicated.
Don't. Just don't. Just run Defender. I can't repeat this enough.

Anti viruses are at best an emergency stop if a malware successfully attacked your PC. Most of them are utter trash that just increase your attack surface(*). Run something widely used that does minimum damage and they all pretty much defend against the same stuff.

(*) see Wired's sensational but accurate article.


One of my part time jobs involves finding undetected malware and writing stuff about it. You'd think this is hard, but I've yet to run across interesting malware that was detected by AVs...

Re: cryptolocker

Post by mr friendly guy »

Ace Pace wrote:
mr friendly guy wrote:Further information: I run Lavasoft, and presumably this was the program that deleted the ransomware, but too late. I also used Avast free scan and got a few other malware detected and eradicated.
Don't. Just don't. Just run Defender. I can't repeat this enough.

Anti viruses are at best an emergency stop if a malware successfully attacked your PC. Most of them are utter trash that just increase your attack surface(*). Run something widely used that does minimum damage and they all pretty much defend against the same stuff.

(*) see Wired's sensational but accurate article.


One of my part time jobs involves finding undetected malware and writing stuff about it. You'd think this is hard, but I've yet to run across interesting malware that was detected by AVs...
How do I make sure I have scrubbed Pclock out? I assumed whatever software that deleted it, could have just done it too late as it had encrypted a lot of files, but I am no expert and am not sure if anything is left of the malware. I am hoping to access my deleted file from my untouched external hard drive, but I want to make sure this is gone before I copy it back.

Edit - running Windows Defender scan. Already detected a trojan. Let's see what shows up.

Re: cryptolocker

Post by Civil War Man »

I find Malwarebytes is pretty effective at rooting out a lot of infected files that some other scanners might miss, so it wouldn't hurt to scan your computer with it to make sure everything is cleaned out.

Re: cryptolocker

Post by mr friendly guy »

Restoring files now. Unfortunately Recuva just finds the files, but not their folders. Windows 10 then sucks for searching for files or folders, because it keeps on suggesting I look online. Anyone know how to get it to just search files or folders?

Re: cryptolocker

Post by mr friendly guy »

It's going to be a long haul restoring the files. However, I made some interesting discoveries about this ransomware.

There are certain files it won't encrypt. Old .htm files are left alone. Also .png files are untouched. Currently I have got back most of the video files, which take up the most memory, and useful PDF files from news etc. Important documents like my CV are recovered, as well as Excel files which I use to keep track of rent, interest, bank accounts etc. So the important things have been recovered.

Thanks to all who helped. It looks like I am going to fork out a few hundred for another 8 TB hard drive, which I will keep separate from the desktop for safety. It's just pure luck that the ransomware attack occurred as I was upgrading my external hard drive.
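Civil War Man's advice earlier in the thread (check whether the backup copies themselves got encrypted, look at the extensions, keep encrypted files next to intact originals for a decryptor) and the closing observation that .htm and .png files were left alone can be turned into one offline triage pass. The following is an added example, not a tool from the thread, from Emsisoft or from Trend Micro: it builds a constructed victim and backup tree in a temporary directory, classifies each file by whether its format header survived (falling back to byte entropy only for formats with no fixed header), and pairs every encrypted file with an intact twin on the backup. The header table, the entropy threshold and the sample file names are assumptions.

```python
"""Offline triage of a ransomware hit: which files lost their format
header, which were left alone, and which encrypted files have an
intact twin on the backup drive (the encrypted/original pair a
decryptor asks for).

Added example, not code from the thread, Emsisoft or Trend Micro.
The sample tree is constructed in a temp directory; the header table
and the entropy threshold are assumptions, not a Pclock signature.
"""
import json
import math
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Leading bytes a healthy file of each type must carry. Ciphertext has
# no such header, so a missing header on a .docx is a strong signal;
# entropy alone is not, because PNG/JPEG/ZIP are already high-entropy.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumption. Text sits around 4-5, ciphertext near 8.


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for an empty file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """'intact' or 'encrypted'. Header check first; entropy only for
    extensions with no known header (text-like formats such as .htm)."""
    data = path.read_bytes()
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        return "intact" if data.startswith(expected) else "encrypted"
    return "encrypted" if shannon_entropy(data) > ENTROPY_THRESHOLD else "intact"


def triage(victim: Path, backup: Path) -> dict:
    """Walk the victim tree; pair each encrypted file with its backup twin."""
    report = {"encrypted": [], "intact": [], "pairs": [], "backup_hit": []}
    by_ext = defaultdict(Counter)
    for p in sorted(victim.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(victim)
        verdict = classify(p)
        report[verdict].append(rel.as_posix())
        by_ext[p.suffix.lower()][verdict] += 1
        if verdict == "encrypted":
            twin = backup / rel
            if twin.is_file():
                # A backup plugged in during the attack gets encrypted too, so check the twin.
                key = "pairs" if classify(twin) == "intact" else "backup_hit"
                report[key].append(rel.as_posix())
    report["by_ext"] = {ext: dict(c) for ext, c in sorted(by_ext.items())}
    return report


def build_sample_tree(root: Path) -> tuple:
    """Constructed victim and backup drives (not real data)."""
    victim, backup = root / "victim", root / "backup"
    files = {
        victim / "docs/cv.docx": os.urandom(2048),                         # header gone: encrypted
        victim / "docs/rent.xlsx": os.urandom(1024),                       # encrypted, backup also hit
        victim / "photos/holiday.png": MAGIC[".png"] + os.urandom(4096),   # high entropy but intact
        victim / "news/article.htm": b"<html><body>" + b"constructed article text " * 50 + b"</body></html>",
        backup / "docs/cv.docx": MAGIC[".docx"] + b"constructed cv " * 100,  # intact original: a pair
        backup / "docs/rent.xlsx": os.urandom(1024),                       # backup copy encrypted too
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return victim, backup


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        victim, backup = build_sample_tree(Path(tmp))
        return triage(victim, backup)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Point triage() at the real drives only after the machine has been cleaned, as the thread says, and with the drives mounted read-only if possible. Two caveats are built into the design: a valid PNG has high entropy, so entropy alone would wrongly flag untouched photos, which is why the header check runs first; and a family that appends its own extension changes path.suffix, so if files were renamed, strip that added suffix before looking up the expected header.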