
New CTB-Locker campaign underway increased ransom timer and localization changes

63 replies to this topic

#31 estagugo

  • Members
  • 6 posts

Posted 01 February 2015 - 05:55 PM

Hi,

I fell prey to this software. After I paid the ransom of 8 bitcoins (!!! - some US$ 1,800) this morning I received a decryption code - and now all is back to "normal" (I had the system checked by an expert - I hope he cleaned my computer!!)

However - I made sure to store all information, codes and various screen shots. And would be willing to make them available - if required. Please let me know...

glad to hear you got back your info.

is there any chance I can get a decrypter tool for testing purposes since I had a whole backup and data server encrypted since the 28th but we are still working on a solution.

regards




#32 PauloFranco

  • Members
  • 3 posts

Posted 05 February 2015 - 12:43 PM

Will there be an unlocker available for this one? It scares me if I lose all my data.

Unfortunately, not at this time. Unless we get access to the keys, nothing can be done.

How is the protection of it, for example with EAM?

Pretty good in fact. EAM and MBAM both detect the main installer. So if you had either installed you would not have been infected.

Hello there,

I've been infected with this virus and I must say this (my own experience):

- If the 96 hours have expired, you can turn back the clock in Windows and it becomes alive again.
- After that, I tried to decrypt the 5 files they offer and it worked.
- I've done all this with the network cable unplugged.
- I've copied the virus executable to another infected computer and it worked as well.

So, I wonder: if the virus did not need to connect to the internet to decrypt those 5 files, then the executable must have the code to decrypt them in itself.

And so I think that working from here, one could extract the key or the algorithm by reverse engineering the virus executable. Is this crazy?

Well, my files are all encrypted and I'll do anything to recover them, except paying the ransom.

Hope this enlightens anybody out there to get to the solution.

Thank you.



#33 MisterNo007

  • Members
  • 1 posts

Posted 05 February 2015 - 01:55 PM

Another victim here :(

Lost everything, all docs and pics, pdf, even the Outlook pst file got infected :(

Is anybody working on the solution? Could there be a decrypter like for CryptoLocker?

I'm willing to share my files to help fight this malware.


Edited by MisterNo007, 05 February 2015 - 01:56 PM.


#34 Jhelp

  • Members
  • 5 posts

Posted 05 February 2015 - 08:03 PM

So I paid the ransom, 3 bitcoins (after trying for two weeks to decrypt the files), and they basically just linked me to download a CTB-unlocker.exe file which opened up the decryptor tool and I was given my decryption key. Every file that was encrypted was successfully decrypted.

Really did not want to pay but the files I could have lost were too important. Expensive lesson to learn, but lesson learned. I'm just shocked that the virus was able to encrypt files on my external hard drive. Thought I was safe always having it attached and backing up my computer, but no more. Will only just connect it when I do backups and disconnect right after.

#35 danielfebrianto

  • Members
  • 1 posts

Posted 09 February 2015 - 11:12 PM

This virus has been made during the 10 years the company file is missing, wrong I currently do not have a backup. I know until now there is no decryption can open, I hope in the near future someone can make the decryption, I am very grateful. May God help me! Sorry, I use Google Translate :) (I am from Indonesia)

#36 john1marY

  • Members
  • 5 posts

Posted 10 February 2015 - 12:47 AM

3 Bitcoins?? Lucky you - I had to pay 8 bitcoins!!! 3 weeks ago...



#37 sergey.likhenko

  • Members
  • 2 posts

Posted 11 February 2015 - 05:54 AM

guys, I have a problem. My computer has more encrypted files.
I want to create a solution. I want to create a decryptor for all.
For this I need a sample decryptor program.
Everyone who has a decryptor please send it to me at the email sergey@likhenko.org.ua

maybe it will help all


#38 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 11 February 2015 - 09:37 AM

guys, I have a problem. My computer has more encrypted files.
I want to create a solution. I want to create a decryptor for all.
For this I need a sample decryptor program.
Everyone who has a decryptor please send it to me at the email sergey@likhenko.org.ua

maybe it will help all


What would somebody sending you a decrypter for a different ransomware do for you?  Nothing.

 

Nobody can make a decryption utility because of the sophistication of this ransomware.  It uses ECC, communicates directly with TOR, and no flaws have been discovered that would allow for an easy crack.  At least not yet.

 

Sharing any more encrypted files is not going to help.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#39 estagugo

  • Members
  • 6 posts

Posted 12 February 2015 - 09:15 PM

Hello everybody!

We have had files encrypted while totally offline ... which under our understanding means the key is within the binary file, and we have retrieved some probable private keys... Which we will use with a decryptor sent by some fellow who paid the ransom bitcoins...

I will post my results as soon as we test everything.

I believe recursive engineering is the right path but could take long time!!!

Edited by estagugo, 12 February 2015 - 09:16 PM.


#40 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 12 February 2015 - 09:53 PM

Hello everybody!

We have had files encrypted while totally offline ... which under our understanding means the key is within the binary file, and we have retrieved some probable private keys... Which we will use with a decryptor sent by some fellow who paid the ransom bitcoins...

I will post my results as soon as we test everything.

I believe recursive engineering is the right path but could take long time!!!


CTB-Locker has only been reported to be infecting devices either via drive-by download or e-mail with malicious attachment.  Meaning you'd need to be connected to the Internet to get infected, at least at some point.  After it executes, if your files have been manipulated, then the key exchange already took place and is likely stored in memory within the process it injects itself into anyway.

 

Although, launching certain ransomware variants offline and noticing an infection whether or not it is believed to require communication with its C&C server to exchange the private key isn't necessarily odd.  Most variants (utilizing asymmetric encryption [RSA-2048 for example]) will utilize the public keys for encrypting the data within the files, and transmit the private key to the remote server.  I doubt that a sophisticated variant of malware such as the latest version of CTB-Locker stores private keys within a binary file on the local device, let alone any files on the infected file system.  That's highly unlikely; rather, receiving the private key is more likely (which is not saying much due to the extremely tedious nature of the work required to even attempt this) through live analysis beginning prior to the initial launch, while monitoring and dumping memory from processes that it spawns [and injects itself into].

 

It's also not unreasonable to believe that some ransomware variants that leverage symmetric encryption algorithms will encrypt the data within the files with the symmetric algorithm (e.g. AES-256) for speed purposes, while actually encrypting the symmetric key itself by utilizing an asymmetric algorithm to prevent its retrieval.  Then sending the private key to the remote server while never storing it on the file system, but rather in memory, which we know is quite volatile.

 

I feel that if you're infected while offline that the private key will either be lost due to the fragile nature of memory, or the lack of an Internet connection would prevent it from being stored on the remote server, meaning that it's completely lost and you're pretty much out of luck.

 

How do you think you got infected?  Are you even positive that you were infected with CTB-Locker rather than some other malware or type of ransomware?


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
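The hybrid scheme Mike describes above (file contents under a fast symmetric cipher, the per-file key protected by an asymmetric one, the private half never on the victim's machine) is easier to reason about in code. What follows is an added example written for this thread; it is not code from the post, and it is not CTB-Locker's format, which nobody in the thread has documented. It shows the general pattern (ECIES-style envelope encryption) and assumes P-256 ECDH for the key agreement, SHA-256 over the shared secret as a minimal stand-in for a KDF, AES-256-GCM for the data, and a constructed blob layout of ephemeral public key, nonce and ciphertext. The point for the offline-sandbox discussion: Seal needs only the public key, so it works with the cable unplugged, while Open needs the private key, so a copy of the binary or a sandbox run yields public material and nothing that decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Blob layout assumed for this example (not any real malware's format):
// ephemeral P-256 public key (65 bytes) || GCM nonce (12) || ciphertext+tag.
const (
	pubLen   = 65
	nonceLen = 12
	tagLen   = 16
)

// NewRecipientKey creates the key pair whose private half stays with the
// operator; only PublicKey() is ever handed to the encrypting side.
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// aeadFor derives a fresh AES-256-GCM instance from an ECDH shared secret.
// SHA-256 stands in for a proper KDF to keep the example short.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for recipientPub. Only the public key is needed,
// so this step works with no network connection at all.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // one-off key per file
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	out := make([]byte, 0, pubLen+nonceLen+len(plaintext)+tagLen)
	out = append(out, ephPub...)
	out = append(out, nonce...)
	// The ephemeral public key is bound into the authentication tag as AAD.
	return gcm.Seal(out, nonce, plaintext, ephPub), nil
}

// Open recovers the plaintext. It needs the recipient's private key, which
// in the scheme described above never touches the encrypting machine.
func Open(recipientPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen+tagLen {
		return nil, errors.New("blob too short")
	}
	ephPub, nonce, ct := blob[:pubLen], blob[pubLen:pubLen+nonceLen], blob[pubLen+nonceLen:]
	pub, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, ephPub) // fails on wrong key or tampering
}

func main() {
	// Demo only; errors are ignored here and checked in Seal/Open themselves.
	priv, _ := NewRecipientKey()
	blob, _ := Seal(priv.PublicKey(), []byte("constructed sample document"))
	got, err := Open(priv, blob)
	fmt.Printf("with the right private key: %q, err=%v\n", got, err)
	other, _ := NewRecipientKey()
	_, err = Open(other, blob)
	fmt.Println("with some other private key:", err)
}
```

Run it with go run and compare the two lines: the same blob opens with the matching private key and fails authentication with any other. Note what the encrypting side actually writes next to each file: the ephemeral public key, which changes on every call even though the recipient's public key is fixed, plus a nonce and ciphertext. All of that is public material, and none of it helps without the recipient's private key.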


#41 RobertHD

  • Members
  • 348 posts
  • Gender:Male
  • Location:Somewhere in Oz

Posted 13 February 2015 - 06:10 AM

So sorry to hear...

stupid malware you stole my life too!


Robert James Crawley Klopp


#42 estagugo

  • Members
  • 6 posts

Posted 17 February 2015 - 04:46 PM

thank you Mike,

I have the binary files and I was able to infect a sandbox for testing purposes. It generated files with a different extension and presented everything as normal (as the variant works, at least according to all I have read) even while offline.

I could try to use the free demo decrypt after the infection... But I think it will not be a clear result since at that moment it could send the PK to the server... Now if you have analyzed encrypted data you will find that the first 144 chars of the Public Key are the same for each folder and only the last 24 chars change: what do you think about that?
Did not get your suggestion for his problem and I would like to know what you are doing ... if I may.

Maybe together we could find something ...

Regards


Hello everybody!

We have had files encrypted while totally offline ... which under our understanding means the key is within the binary file, and we have retrieved some probable private keys... Which we will use with a decryptor sent by some fellow who paid the ransom bitcoins...

I will post my results as soon as we test everything.

I believe recursive engineering is the right path but could take long time!!!

 
CTB-Locker has only been reported to be infecting devices either via drive-by download or e-mail with malicious attachment.  Meaning you'd need to be connected to the Internet to get infected, at least at some point.  After it executes, if your files have been manipulated, then the key exchange already took place and is likely stored in memory within the process it injects itself into anyway.
 
Although, launching certain ransomware variants offline and noticing an infection whether or not it is believed to require communication with its C&C server to exchange the private key isn't necessarily odd.  Most variants (utilizing asymmetric encryption [RSA-2048 for example]) will utilize the public keys for encrypting the data within the files, and transmit the private key to the remote server.  I doubt that a sophisticated variant of malware such as the latest version of CTB-Locker stores private keys within a binary file on the local device, let alone any files on the infected file system.  That's highly unlikely; rather, receiving the private key is more likely (which is not saying much due to the extremely tedious nature of the work required to even attempt this) through live analysis beginning prior to the initial launch, while monitoring and dumping memory from processes that it spawns [and injects itself into].
 
It's also not unreasonable to believe that some ransomware variants that leverage symmetric encryption algorithms will encrypt the data within the files with the symmetric algorithm (e.g. AES-256) for speed purposes, while actually encrypting the symmetric key itself by utilizing an asymmetric algorithm to prevent its retrieval.  Then sending the private key to the remote server while never storing it on the file system, but rather in memory, which we know is quite volatile.
 
I feel that if you're infected while offline that the private key will either be lost due to the fragile nature of memory, or the lack of an Internet connection would prevent it from being stored on the remote server, meaning that it's completely lost and you're pretty much out of luck.
 
How do you think you got infected?  Are you even positive that you were infected with CTB-Locker rather than some other malware or type of ransomware?

Edited by estagugo, 17 February 2015 - 04:57 PM.


#43 xor402

  • Members
  • 6 posts

Posted 20 February 2015 - 06:42 AM

Hi, my friend's PC has been infected by CTB Locker and he refused to pay the ransom, so if there is no decryption tool available till now, and from what I read the private key is saved on the C&C server.

So, can we trace back that server? And if it is also impossible to trace, could we use the free offer of decrypting 2 files or 5 files to monitor or steal the private key from the server.

And sorry, I have a last question: are there any persons or groups working on building a tool or program to decrypt the encrypted files yet?

#44 ProblemiComputer

  • Members
  • 1 posts

Posted 21 February 2015 - 10:09 AM

A client gave me a notebook infected with this, but with a different file extension. The virus has encrypted the files and generated 2 files with the same screen, one with a .gif extension and the other a .txt with instructions to decrypt and 3 codes to enter on the hacker's site to decrypt. All files have changed from example.pdf to example.pdf.ortslpe and are encrypted.

It attacked files with doc docx txt js jpg pdf on this computer, and in the Dropbox container the gif bmp png remained the same, and I don't know if it attacks OpenOffice extension files because I don't have any. If I open the two files "how to decrypt .ortslpe files" the same screen appears on this computer ... ctb-locker. Does any person have other information on this variant?

Thanks ProblemiComputer Italy



#45 FelixArba76

  • Members
  • 6 posts

Posted 24 February 2015 - 09:29 AM

evening
Ten days ago, I picked up this virus and lost 120 gigabytes of private pictures ...
code:
not going after any porn sites ... I received an email to my private email and since then we are to appear when I recently opened ...
whether anyone has tried to solve
I did not pay anyone anything because I do not know if, even after paying, it is certain that my pictures will be unlocked
otherwise I'm from Croatia and ask for help ...
if anyone knows anything, contact me on Skype: ghost.rider.76 so we can try via TeamViewer ...
nice greeting




