
Decryption keys are now freely available for victims of CryptoLocker


217 replies to this topic

#16 Sirawit (Bleepin' Brony, Malware Response Team)

Posted 08 August 2014 - 09:35 AM

Great news! I will ask my user to try this one out. :)

If I don't reply back to you in 2 days, feel free to send me a PM.

 


 


#17 CryptoSuxx (Members)

Posted 10 August 2014 - 02:07 PM

Well, I can say it does work. I had a friend that had about 19 gigs of data locked up and we decrypted all of it. I would like to pass on my THANK YOUs to everyone that has worked on this and kept us all informed... Great work to all!!



#18 TechGuySolutions (Members)

Posted 16 August 2014 - 11:31 AM

We had a client send us about 10 encrypted Word files and I was able to successfully get this to work. It was very easy to use. The one thing I did have to do is run cmd prompt as admin and it worked. The only bad thing I have found (unless I am missing something) is you cannot have any spaces in the file names??? For example, I had a Word doc that was named $10 Per Count and I had to rename it to 10percount or it would say it was unsuccessful.

 

Now in my case I only had about 10 files so this was not an issue, but I have had clients come in with gigs and gigs of data. I am not going to go through all these files and rename them. Am I missing something? Can you do an entire directory of files? I see absolutely no documentation on how to use the advanced features of this tool. Just my 2c :)



#19 Nathan (DecrypterFixer, Security Colleague)

Posted 16 August 2014 - 06:38 PM

Just popping in to repost what is in the CryptoLocker thread already. As OP stated, the console application they hand out with your keys can be quite confusing. If anyone is uncomfortable using the CMD window, you can use a GUI version. I simply used the original Python script to make this, which makes recursion a lot easier, and fixes the space in filename error.


CryptoUnlocker GUI
===============
 
This is for anyone having issues with the command line version of the CryptoLocker decrypter. It's nothing special, just commands assigned to buttons with a few things I added that I thought may help (ability to not have encrypted .BAK files everywhere is one). For now it's binary in binary, and if I see a performance reason to convert the Python script into .NET, I will.
 
Hope this helps victims who don't know their way around a command prompt window.
 

 

Tool Link:  CryptoUnlocker GUI 
 
VirusTotal Link: CryptoUnlocker GUI VT

 
 


Have you performed a routine backup today?

#20 peskywabbit (Members)

Posted 08 September 2014 - 04:07 PM

Hello, I've registered with Bleeping Computer as I Googled "Fire-eye decrypter, does it work" and saw the link to here. I was so excited to discover that there is a solution for CryptoLocker victims. I've lost lots of precious photos of my late mum, not to mention Word docs etc. The infected computer isn't used very often and we didn't even notice the infection until around a year 6 months after it happened. I know that's not an excuse and that I should have made backups. Lesson learned the hard way :-(

 

Anyway I tried uploading a file to the portal from the infected PC but I got a message saying there was a problem with the website's certificate.  I opened the webpage and selected a file to upload but nothing appeared to be happening.   Left it for ages with no sign of any progress.  Does anyone know if that is because of the certificate issue ?  The file was very small, just a Word doc which contained an address, nothing else.

 

Do you have to upload the file from the infected computer or can it be from any PC ?  I only ask because when I go to the portal on another PC, I don't get the message about the certificate.  

 

Sorry, that post's a bit rambling ! :-)

 

Thanks for any help anyone can give. 


Edited by peskywabbit, 09 September 2014 - 02:44 PM.


#21 Grinler (Lawrence Abrams, Admin)

Posted 08 September 2014 - 04:21 PM

It can be from any pc.

#22 Nathan (DecrypterFixer, Security Colleague)

Posted 08 September 2014 - 04:23 PM

peskywabbit,

 

Please ensure that your computer's time and date are correct. If they are not, this will cause a certification issue that will make the site work improperly.

If the problem still persists after ensuring that the time and date on your computer are right, please take a moment to try a different browser such as Firefox or Chrome if you haven't already.

 

Thanks.



#23 peskywabbit (Members)

Posted 08 September 2014 - 04:43 PM

Thanks for your answers, will give it another go tomorrow night.  I'll let you know if it works :-) x



#24 Cyberman_NI (Members)

Posted 09 September 2014 - 02:07 PM

Hi guys, I got a call after a woman clicked on an email attachment and then realised she couldn't open some of her files. The strange thing is it's not the normal CryptoLocker wallpaper virus; it has actually renamed 6000 files with ".encrypted" as a second extension. The fire it site does not work with these files. I have searched all over but cannot find any information regarding what looks like a different strain of CryptoLocker.

 

Any help would be greatly appreciated



#25 Nathan (DecrypterFixer, Security Colleague)

Posted 09 September 2014 - 02:10 PM

> Hi guys, I got a call after a woman clicked on an email attachment and then realised she couldn't open some of her files. The strange thing is it's not the normal CryptoLocker wallpaper virus; it has actually renamed 6000 files with ".encrypted" as a second extension. The fire it site does not work with these files. I have searched all over but cannot find any information regarding what looks like a different strain of CryptoLocker.
>
> Any help would be greatly appreciated

 

You have been infected with this new variant:

New CryptoLocker copycat ransomware in the wild



#26 Cyberman_NI (Members)

Posted 09 September 2014 - 02:22 PM

Thanks for the fast response, decrypterfixer. I take it there is no free way of decrypting these files as yet?



#27 Nathan (DecrypterFixer, Security Colleague)

Posted 09 September 2014 - 02:27 PM

If anyone has the CryptoLocker variant with the .Encrypted file extension and is considering paying the infection, please shoot me an email at DecryptorBit@outlook.com first! There may be a few things to try and test beforehand.

 

Thanks!



#28 peskywabbit (Members)

Posted 22 September 2014 - 02:25 PM

Hi guys, eventually got time to try the Fox IT scanner to decrypt my files and I get the message "The files does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file" :scratchhead:



#29 lurkermihai (Members)

Posted 28 September 2014 - 05:27 AM

Hello. I also got all my files encrypted, but with CryptoLocker 2 (I think). The encrypted files have a .ctb2 extension added.

Does anyone know if there will also be an unencryption tool for this?

edit: www.decryptcryptolocker.com/ says: The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file.

I have 1200+ photos encrypted as .ctb2, and I don't have these photos backed up anywhere.. :(


Edited by lurkermihai, 28 September 2014 - 05:42 AM.


#30 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 28 September 2014 - 08:25 AM

> Hi guys, eventually got time to try the Fox IT scanner to decrypt my files and I get the message "The files does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file" :scratchhead:

Please download this file from here, extract the zip and then run IDTool.exe. Wait for the tool to load and then click the Generate Text Friendly Report for Forums button. Copy the content of the box that appears into your next reply.
 


> Hello. I also got all my files encrypted, but with CryptoLocker 2 (I think). The encrypted files have a .ctb2 extension added.
> Does anyone know if there will also be an unencryption tool for this?
>
> edit: www.decryptcryptolocker.com/ says: The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file.
> I have 1200+ photos encrypted as .ctb2, and I don't have these photos backed up anywhere.. :(

You are infected with Critroni, there is no decrypter to get these files back as of yet.
 
xXToffeeXx~

