Cian
Well-known member
You did a test using a site that can crack an older version - it doesn't indicate anything about whether the criminals will decrypt it.
Got something to say or just want fewer pesky ads? Join us... 😊
Desperate help needed from PC experts
- Thread starter Wilko
- Start date
You did a test using a site that can crack an older version - it doesn't indicate anything about whether the criminals will decrypt it.
Firstly I'd disconnect that PC from the internet. The Cryptolocker/torrentlocker virus on there is probably not the only piece of malware that has been installed. I would definitely not do any online banking or log in to email accounts and if you have you'd want to change your passwords immediately (using a different PC).
How you got the virus - There could be a number of ways you got the virus but the most common are through malicious links or attachments in a phishing email (these can be very convincing) or hidden malicious code on a hacked/hijacked website.
The cryptolocker virus - Cryptolocker is a very successful and sophisticated piece of malware and because of that there are hundreds of variants and copycats. This is probably why your AV software did not detect it. A slight change in it's code or the way it behaves will mean it may avoid detection (at least for a few days but long enough to infect plenty of PC's). The really bad variant's encrypt all you office documents and send the key material used to do the encryption over the web to the command and control servers and leave no trace on the PC meaning that the only option to decrypt the documents is to pay up (I do not recommend this option!!!). Fortunately some of the copycats are not as sophisticated and can leave key material on your PC, are poorly coded and encryption is not properly implemented or weak encryption algorithms are used. There was one that I heard of that didn't actually encrypt anything it just changed the file extensions.
What can you do - The best defence is to have a backup that you can restore the files from. It doesn't look like this is an option in this case. Windows restore points won't help as this does not affect files and folders. What I recommend is to Google and find out as much as you can about the particular variant you have installed. If you post screenshots or the text from the decryption instructions on here that may help one of us find out. I found a few people with the same or similar virus (I haven't read them as I'm at work so the info may not be useful) :
http://www.bleepingcomputer.com/forums/t/569992/help-with-help-decrypt/
https://www.dropboxforum.com/hc/communities/public/questions/202081779-Are-my-files-being-hacked-
http://mybroadband.co.za/vb/showthr...-CryptoLocker-ransomware-virus-on-my-computer
Like other people have said decryptcryptolocker can be used, but malware writers will know about this site so will change the way files are encrypted to prevent this. The site may not work now for you but it may work in the future. It's weird that it says there is no encryption. I would have thought it would say that they are encrypted but can't decrypt them.
Unfortunately it doesn't look good for your files from what you have said already. I would also recommend like others have already that you do not pay the ransom. You may get your files back but who's to say they won't encrypt them again a week later. There will also be other malware installed on your machine to try and gather banking info, personal info, credit cards etc.
Hope this info is somewhat helpful.
How you got the virus - There could be a number of ways you got the virus but the most common are through malicious links or attachments in a phishing email (these can be very convincing) or hidden malicious code on a hacked/hijacked website.
The cryptolocker virus - Cryptolocker is a very successful and sophisticated piece of malware and because of that there are hundreds of variants and copycats. This is probably why your AV software did not detect it. A slight change in it's code or the way it behaves will mean it may avoid detection (at least for a few days but long enough to infect plenty of PC's). The really bad variant's encrypt all you office documents and send the key material used to do the encryption over the web to the command and control servers and leave no trace on the PC meaning that the only option to decrypt the documents is to pay up (I do not recommend this option!!!). Fortunately some of the copycats are not as sophisticated and can leave key material on your PC, are poorly coded and encryption is not properly implemented or weak encryption algorithms are used. There was one that I heard of that didn't actually encrypt anything it just changed the file extensions.
What can you do - The best defence is to have a backup that you can restore the files from. It doesn't look like this is an option in this case. Windows restore points won't help as this does not affect files and folders. What I recommend is to Google and find out as much as you can about the particular variant you have installed. If you post screenshots or the text from the decryption instructions on here that may help one of us find out. I found a few people with the same or similar virus (I haven't read them as I'm at work so the info may not be useful) :
http://www.bleepingcomputer.com/forums/t/569992/help-with-help-decrypt/
https://www.dropboxforum.com/hc/communities/public/questions/202081779-Are-my-files-being-hacked-
http://mybroadband.co.za/vb/showthr...-CryptoLocker-ransomware-virus-on-my-computer
Like other people have said decryptcryptolocker can be used, but malware writers will know about this site so will change the way files are encrypted to prevent this. The site may not work now for you but it may work in the future. It's weird that it says there is no encryption. I would have thought it would say that they are encrypted but can't decrypt them.
Unfortunately it doesn't look good for your files from what you have said already. I would also recommend like others have already that you do not pay the ransom. You may get your files back but who's to say they won't encrypt them again a week later. There will also be other malware installed on your machine to try and gather banking info, personal info, credit cards etc.
Hope this info is somewhat helpful.
Last edited:
GingerBeerMan
3-0
- Dec 29, 2011
- 8,037
Listen to Cian, he seems to know what he's talking about (and possibly the above post, I didn't read it). The link posted which is used to decrypt files encrypted with Cryptolocker only works with the set of encryption keys cryptolocker uses. If you have been infected by any of the other programs which encrypt files it won't work, as it uses a different set of keys. It seems you're ****ed, and you have to listen to post #27s advice (but don't take option 1).
I've never heard of this before and it's pretty scary (and quite clever). Another good reason to keep backups of your files.
I've never heard of this before and it's pretty scary (and quite clever). Another good reason to keep backups of your files.
- Thread starter
- #44
Thank you very much. I will send you a couple of files tomorrow when I am back at work. Really appreciate your help. Got to love a fellow Albion fan helping a brother out
Looks like it might be CryptoWall 3.0 from what I've read and it's quite active at the moment. Here's an article with a bit of info and how it's bundled with some extra Spyware: http://blog.trendmicro.com/trendlab...-3-0-ransomware-partners-with-fareit-spyware/
According to Nigel Farage the UK is a soft-touch for people in Africa with a virus. Why don't you hop on a plane to London and get it sorted here for free?
BensGrandad
New member
Help please
I installed Avast and then it said click on safe zone which I did now I cannot either remove it or access control panel to switch it off and I keep getting the Google aw snap come up. Google suggest turning antivirus for a short while to adjust settings but I cannot turn it off.
I installed Avast and then it said click on safe zone which I did now I cannot either remove it or access control panel to switch it off and I keep getting the Google aw snap come up. Google suggest turning antivirus for a short while to adjust settings but I cannot turn it off.