any news?
Posted 23 July 2015 - 10:14 PM
We've been hit with this variant in an email posing as coming from Australia Post, it was contained in a zip file. Malwarebytes identified it as trojan.zbot.MAI and/or trojan.MSIL.
I will upload one of the encrypted files for anyone working on this.
I presume no one has managed to decrypt having read the thread above?
Posted 23 July 2015 - 10:49 PM
Posted 24 July 2015 - 05:16 AM
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 26 July 2015 - 12:38 AM
Got a client that's been hit by the Australia Post variant on 23 July. Got their business files and backup hard drive. Files in Dropbox could be recovered, but unfortunately they had moved the vital ones to the accounting program's default location - a folder in the root level of the C drive (why do software manufacturers do that?).
Question is - is it worth paying A$640 to unlock them or has that been found not to work? Only got a few days to decide, then buy Bitcoins (boy, Bitcoin, that's an answer to a crook's prayer isn't it?).
Edited by wfdTamar, 26 July 2015 - 08:37 AM.
Posted 26 July 2015 - 02:35 AM
DO NOT PAY RANSOM. I am a victim, I have paid the ransom and it did not work. I have also sent several emails to the authors and there was no response from them...
So my advice is not to pay any ransom.
Regards
Edward
Posted 26 July 2015 - 05:58 AM
Question is - is it worth paying A$640 to unlock them or has that been found not to work? Only got a few days to decide then but Bitcoins (boy, Bitcoin, that's an answer to a crooks prayer isn't it?).
Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. The more people pay the ransom, the more the attackers are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.
Posted 26 July 2015 - 08:46 AM
Yes, it's very like the 'do we pay the hostage ransom' conundrum faced by families or governments isn't it? Easy to take the high ground if it's not your family member/data.
Edited by wfdTamar, 26 July 2015 - 09:04 AM.
Posted 27 July 2015 - 03:50 AM
Well some luck. Seems the antivirus (Avast and Malwarebytes Pro) software may have stopped it before it did a complete job on the computer. Ran Shadow Explorer and recovered all personal files and 2 of 3 business records. I only got 2 hours sleep last night worrying about my client's data.
Posted 27 July 2015 - 05:29 AM
Seems the antivirus (Avast and Malwarebytes Pro) software
Yes, it's very like the 'do we pay the hostage ransom' conundrum faced by families or governments isn't it? Easy to take the high ground if it's not your family member/data.
Posted 27 July 2015 - 05:37 AM
C'mon now - I know enough to get on here. Do you really think I don't know that? The clue is in the rather obvious name - Malwarebytes! :-)
Posted 27 July 2015 - 08:39 PM
I was infected by Crypt0L0cker on Saturday in an email claiming to be from Australia Post. After trying all I could over the last couple of days I downloaded and ran Shadow Explorer this morning and recovered all my files. I hope Shadow Explorer will help others.
Posted 28 July 2015 - 05:15 AM
...it never hurts to try in case the infection did not do what it was supposed to do since it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies.
Posted 19 August 2015 - 06:01 AM
Advice to victims of Crypt0l0cker.
DO NOT pay the ransom. We paid (very complicated), and received a link to the decryption key. I managed to download the key, so far so good. However, the programme did not run on my computer (software not compatible with Windows 7). I tried to contact the criminals (using the email address given in their message), but their email address was invalid.
THE SOLUTION: decryptolocker.it
Alessandro immediately replied to my email. After sending him two encrypted files, he returned a decryption key after just one hour. When I had problems downloading the decryption key, he kindly assisted me until it all worked.
ALL my files were recovered, including valuable pictures.
He did not require a fee, just asked for a voluntary donation.
Posted 20 August 2015 - 09:39 AM
Hello everybody.
I have been conducting some research as I have been asked to solve this problem for a friend of mine.
He has his encrypted files... and is trying to retrieve them. My research has led me to point out the following as inconclusive:
- Whether or not I'll recover his files by paying the ransom.
It has led me to some conclusions too:
- If the infection has been made on a normal user account, without administrative rights, it is probable you'll recover most information using Shadow Explorer. If the account has administrative privileges the ransomware will erase shadow copies, thus making them irreplaceable.
- When Crypt0L0cker encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this we're able to use file recovery software such as Recuva or Stellar Data Recovery to at least try to recover some of the files.
- If we have backups, it's now the time to put them to good use.
Okay, this is it. Still I have been wondering... Is it possible to get the key, if I have the same file encrypted and an unencrypted copy? What if I have a copy somewhere, or manage to get a file through Recuva or something? Is this a feasible approach?
Thanking for a quick answer,
Wisestag
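Several posts above recovered files with Shadow Explorer because the infection had not deleted the Volume Shadow Copies. The following PowerShell script is an added example (not code from the thread or from any poster) that a victim can run from an elevated prompt to see whether any shadow copies survived and whether they predate the infection; the infection date is an assumption taken from the 23 July reports in this thread and should be changed to match the machine being examined.

```powershell
# Added example: list surviving Volume Shadow Copies per drive letter and flag
# the ones created before the infection, i.e. the snapshots worth opening with
# Shadow Explorer or the "Previous Versions" tab. Run from an elevated PowerShell.
$infectionDate = Get-Date '2015-07-23'   # assumption: day the Australia Post email was opened

# Win32_ShadowCopy reports volumes as \\?\Volume{GUID}\ paths; map them to drive letters
$driveByVolume = @{}
Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object {
    $driveByVolume[$_.DeviceID] = $_.DriveLetter
}

$shadows = Get-CimInstance Win32_ShadowCopy
if (-not $shadows) {
    Write-Warning 'No shadow copies found: the ransomware may have deleted them, or System Protection was never enabled.'
    return
}

$shadows | ForEach-Object {
    $created = $_.InstallDate
    [pscustomobject]@{
        Drive        = $driveByVolume[$_.VolumeName]
        Created      = $created
        Verdict      = if ($created -lt $infectionDate) { 'predates infection: try restoring from it' }
                       else { 'created after infection: contents may already be encrypted' }
        DeviceObject = $_.DeviceObject   # path Shadow Explorer exposes for this snapshot
    }
} | Sort-Object Drive, Created | Format-Table -AutoSize
```

An empty result on an account that had administrative rights is consistent with the post above: the malware was able to erase the snapshots, and file-carving tools or offline backups are the remaining options.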