New CTB-Locker campaign underway increased ransom timer and localization changes


63 replies to this topic

#16 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 45,113 posts
  • Gender:Male
  • Location:USA
Posted 22 January 2015 - 09:56 AM

Hate hearing stories like this.

Never give up! We are trying our hardest, and I know the authorities are too, to get your stuff back.

Make sure you back up your encrypted data in the event that a method comes out.


#17 BeckoningChasm

  • Members
  • 130 posts
  • Gender:Male
Posted 22 January 2015 - 12:54 PM

One of our clients got hit with this. I got called in toward the end to help with the cleanup. The odd thing is, it only targeted .DOC and .TXT files. DOCX, Excel, PDF, images, etc. were all untouched, even in the same directory. Since I wasn't involved at the beginning I don't know if the virus was simply stopped before it could get to other types of files.



#18 john1marY

  • Members
  • 5 posts
Posted 23 January 2015 - 09:38 AM

Hi,

I fell prey to this software. After I paid the ransom of 8 bitcoins (!!! - some US$ 1,800) this morning I received a decryption code - and now all is back to "normal" (I had the system checked by an expert - I hope he cleaned my computer!!)

However - I made sure to store all information, codes and various screen shots, and would be willing to make them available - if required. Please let me know...



#19 Jhelp

  • Members
  • 5 posts
Posted 28 January 2015 - 04:13 PM

I too just got hit with this. Lost all .doc and photos, which are the most important thing to me. Have removed the malware, but files are still encrypted. System/file restore did not work, PhotoRec didn't work, the malware removed/corrupted all previous versions of files and there are no shadow copies. I have moved all encrypted files to a hard drive storage device and hope there will be a way to decrypt them.

I went to the ransomware info website and it let me decrypt one file for free successfully. Anyone have luck with actually paying the bitcoin ransom and getting most/all files restored? I hate to pay, but if I really will get my precious files back, it will be worth it to me. And it's been just about 72 hrs; will my files really be unable to be decrypted if I don't pay up by then?

I would love any info or help!

#20 BeckoningChasm

  • Members
  • 130 posts
  • Gender:Male
Posted 28 January 2015 - 05:29 PM

From what I have read, if you pay the ransom, you can get your files back. I've had no personal experience with this virus, and in my work, those accounts that have been hit just restored from backup. No one has paid any ransom in my work experience.



#21 cabreo

  • Members
  • 1 posts
Posted 29 January 2015 - 04:48 AM

If someone is interested, I can provide the 2 .scr files which infected 2 PCs of my clients, and the corresponding 2 encrypted and original txt files.

Let me know.

Thx, Cabreo.



#22 john1marY

  • Members
  • 5 posts
Posted 29 January 2015 - 08:33 AM

Hi - as stated above: I fell prey to this software (really my own stupidity - they really had 2 warnings embedded in the zip file!!!)

And - yes - I paid the 8 bitcoins asked for.

And could immediately restore all my encrypted files.

However - only the future will tell if Mr. Ransomware hasn't hidden another Trojan somewhere in my files ... :-)



#23 calgary11

  • Members
  • 12 posts
  • Gender:Male
Posted 29 January 2015 - 11:29 AM

Do we know where the .scr file is running from?
Is it from %AppData%, %LocalAppData%?

The scr file is included in the ZIP file attachment in the email you receive. If you open it directly from the attachment it may launch from %Temp% or the Temporary Internet Files folder.

Would there be an impact to blocking .exe and .scr from running from the Temporary Internet Files folder? I'm thinking of adding the restriction to my GPO.
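The restriction calgary11 is considering can be expressed as Software Restriction Policy (SRP) path rules. The script below is an added example, not code from this thread or from BleepingComputer: it writes the same registry keys that the Group Policy editor writes under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules, using the Disallowed level (0) for the temp and Temporary Internet Files locations named in the post. The exact folder names are assumptions (the cache folder is called INetCache on Windows 8.1 and later), and the rules must be tested on one machine before being pushed by GPO.

```powershell
# Added example: SRP path rules that disallow .exe and .scr files launched from
# the user temp folder and the browser cache. Run from an elevated PowerShell.
# Registry layout is the one Software Restriction Policies uses; paths are assumptions.

$Safer           = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedPaths = Join-Path $Safer '0\Paths'   # security level 0 = Disallowed

# Create the SRP root with a permissive default so everything else keeps running.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value 262144 -Type DWord  # Unrestricted
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1      -Type DWord  # check all executables except DLLs
Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0      -Type DWord  # 0 = all users, 1 = skip local admins
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0      -Type DWord

# Locations an e-mail attachment launcher typically lands in (assumed, adjust per site).
$Rules = @(
    '%Temp%\*.exe',   '%Temp%\*.scr',
    '%Temp%\*\*.exe', '%Temp%\*\*.scr',   # archive tools extract into a subfolder of %Temp%
    '%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*.exe',
    '%LocalAppData%\Microsoft\Windows\Temporary Internet Files\*.scr',
    '%LocalAppData%\Microsoft\Windows\INetCache\*.exe',   # Windows 8.1+ name of the same cache
    '%LocalAppData%\Microsoft\Windows\INetCache\*.scr'
)

foreach ($Pattern in $Rules) {
    # Each path rule lives in its own GUID-named subkey under the Disallowed level.
    $RuleKey = Join-Path $DisallowedPaths ([guid]::NewGuid().ToString('B'))
    New-Item -Path $RuleKey -Force | Out-Null
    New-ItemProperty -Path $RuleKey -Name ItemData    -Value $Pattern -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $RuleKey -Name SaferFlags  -Value 0        -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $RuleKey -Name Description -Value 'Block executables launched from temp folders (added example)' -PropertyType String | Out-Null
}

# Read back the configured patterns so the change can be reviewed.
Get-ChildItem -Path $DisallowedPaths | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }

# After the policy is in effect, SRP logs each block to the Application log as
# event 866 (path rule). This is the detection side: it shows what was stopped and where.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The rules take effect at the next policy refresh or logon (gpupdate /force on a test machine), and per-user variables such as %Temp% are expanded in the context of the user who launches the file. The impact calgary11 asks about is real: legitimate installers and self-extracting updaters also unpack into %Temp%, so expect some to be blocked until you add Unrestricted (level 262144) rules for the known-good ones. On a domain, make the same entries in the GPO editor rather than editing the local registry, so the policy is centrally managed and can be rolled back.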



#24 LearnerMachin

  • Members
  • 8 posts
Posted 29 January 2015 - 12:30 PM

I have sent a message about how this menace rocked my machine just yesterday and all my files got encrypted. But I am yet to get a reply about it and what to do.

Tried removing it using Microsoft Security Essentials; though the pop up has stopped, I am not really sure if it has been completely removed.

Anyone know what can be done to test for complete removal?

And now that there seems to be no cure for this case, does that mean our files are gone, for those who don't have money to pay? :unsure:



#25 john1marY

  • Members
  • 5 posts
Posted 29 January 2015 - 12:59 PM

If you don't pay - no files.

That's what ransom is all about :-(

But - I paid... and it worked.



#26 Jhelp

  • Members
  • 5 posts
Posted 29 January 2015 - 10:07 PM

I think I read about the decryption key sometimes not working on larger files, more than 1 MB? Any of you who paid have problems with some files not being decrypted? I am seriously thinking about paying the ransom now since some of the files I lost are really important to me, but I want to make sure there's a possibility I'll get ALL my files back, not just the smaller ones. Please let me know!



#27 Waysender

  • Members
  • 30 posts
  • Gender:Male
  • Location:Nebraska
Posted 30 January 2015 - 09:03 PM

Timing is everything. I am one month out from buying a new computer and was about to post on here to get your thoughts on what security software you would recommend for Windows 8.1. I have no intention of paying the ransom, just on principle; could I just copy my files to a USB drive or burn them to a CD and just wait for a decryption method to become available? Officially I never got the ransom pop up; I was in the middle of removing some ZeroAccess rootkit garbage when this was just kind of sitting there. The files don't get deleted, they just get "permanently" encrypted, right? I lost nothing vital, just years of my hobby; if I don't have access to my files for a few months or longer it really would not be a huge hassle.

It was mentioned that at present there are no free decryption methods; does this mean EAM, MBAM or another security service has decryption as part of the premium package? I was already planning on upgrading from the free version so I would consider this a bonus.

Also, I don't think I got this from email. I literally check my email once or twice a month for bills and anything I don't know 100% goes into the shredder.

Whenever I see things like this I think "this is why we can't have nice things" and chuckle to myself. Just smile and move on, it will all be ok.



#28 mjd420nova

  • Members
  • 3,259 posts
  • Gender:Male
Posted 30 January 2015 - 11:04 PM

Just cleaned up one of those things. It flashed itself into the BIOS. Isolation, boot to BIOS, reset to factory default settings, continue boot to SAFE mode and run a restore to the last update time. The client was excited and I didn't think it would be that easy. Tougher on some laptops as the reset may be a jumper inside.



#29 BeckoningChasm

  • Members
  • 130 posts
  • Gender:Male
Posted 30 January 2015 - 11:32 PM

I'm now of the opinion that "kill it with fire" is the only option with these cryptoware threats. Take the infected PC and return it to factory default. I had spent most of a weekend trying to cure one, and I was never sure that it was clean.

If you get hit with cryptoware, here is what you can do--

1. Have an excellent backup, current before the infection, and restore from that.

2. Pay the ransom.

3. See number 1. Currently, there isn't a third option.

This will change email systems forever. There will be two roads--

1. No attachments allowed, ever. If you cannot put a form, or an image, or anything else in the body of an email, then you will not be allowed to send it.

2. Some multi-tiered system. A person who wants to send you an attachment will have to generate a code of some kind. He will then send the attachment. You will first receive an email with the code, the name of the attachment, and the subject line of the email to follow. When that email arrives, you will have to enter the code to unlock it from the server. Before that, of course, it will be scanned to within an inch of its life and if there's anything odd, it'll be deleted until the sender can prove his attachment is safe.

I don't see any other roads moving forward. The cryptoware stuff is, for lack of a better term, far too effective. Microsoft, Google, Yahoo et al. are going to have to acknowledge this and adapt accordingly.

I tell all my clients this -- (and they laugh) --

The internet used to be like going to the Library of Congress, inside the British Museum, and the Louvre, inside the world's biggest shopping mall where all your friends are in the food court.

Now, it is like going to the bad part of town, late at night, when there's a police strike and most of the street lights are burnt out or almost ready to fail.

Once they get hit with something like the cryptoware virus, they don't laugh much.

I truly feel for those of you who have been hit by this thing and have lost work. I cannot imagine anything more terrible. But reality is what it is. And I am sorry for that.



#30 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 45,113 posts
  • Gender:Male
  • Location:USA
Posted 31 January 2015 - 08:42 AM

    Just cleaned up one of those things. It flashed itself into the BIOS. Isolation, boot to BIOS, reset to factory default settings, continue boot to SAFE mode and run a restore to the last update time. The client was excited and I didn't think it would be that easy. Tougher on some laptops as the reset may be a jumper inside.

This infection does NOTHING to the BIOS. If anything was done to the BIOS, it sure wasn't from this infection.



