
Got hit by Ransomware :-(


Daffy D


On a tangent, here's an interesting article about how personal computers can get infected and how these guys running botnets are making millions. This cost the ad industry an estimated 6.3 billion.

>>According to a study by the fraud-fighting firm White Ops and the Association of National Advertisers, $6.3 billion will be lost to ad fraud in 2015.

http://adage.com/article/digital/inside-google-s-secret-war-ad-fraud/298652/


I have a computer infected with encrpt0l0cker the o's are 0 zeros, Tried restore but denied, sent encrypted files to Foxit and FireEye also tried http://www.zdnet.com/free-service-gives-decryption-keys-to cryptolocker

But no success. Any help or advice greatly appreciated

Did you look at the first link in Post #4?

Also, where did you see this name? There is not a mention of it on Google as far as I can see.

Have you tried scanning with a different scanner to see if you can get another name for it?

You can download and burn some bootable ones here and make a bootable USB drive with Rufus.

Edited by Chicog

Thanks everyone for your links and comments.

Looks like this "Locker" is the latest in a long line of Ransomware flooding the Internet. Seems every version acts differently and not all affect their target the same way.

Some, after a long complicated effort seem to have had limited success in restoring a few files but in the main there seems no way to get back your files.

No one seems to know how a computer gets infected with this and as this one was set to lie dormant till midnight a couple of days ago it could have been lurking in the background for days or even weeks.

Getting rid of this "Locker" does not seem too difficult by using ESET Smart Security but I wonder if it is really gone or still lurking ready to have another go once I restore my files.

The big worry is how can it be stopped from infecting my computer again? Nobody knows how it arrived and as each version is slightly different how can any anti virus program stop it?

"BuaBS" Don't know TrueCrypt files. I did notice that files inside a BackUp folder that was connected were not affected so it does seem the virus doesn't look too deeply.

I don't think size of movie files has anything to do with the encryption because even small DashCam clips were not affected. It just seems to affect certain file types, but this seems to change in different situations. My PDF files were not encrypted but seems others were.

Yes all drives, as I said I have 4 physical drives connected in the computer tower and they were all hit. Any connected drives including external drives seem to be vulnerable.

Keep your important stuff on drives not connected to the computer.


Just curious have you installed eamextreme minecraft 1.8.1 lately?

As long as you don't re-install the locker too.....

If you did install eamextreme minecraft 1.8.1, I would restore before that date.......


I beat ransomware on a friends laptop with Kaspersky. It was not an extraction for a novice and took more than one try but Kaspersky beat it. Oh, and it was all freeware. Good luck.

teamextreme minecraft contains viruses.

To protect your computer, especially if you are downloading files from untrusted sources, use a behavioral shield and a firewall, both on manual settings asking for your permission for every unexpected software action. I use Comodo, firewall on "custom" settings and defense+ (=behavioral shield) on "paranoid".

Nothing ever came through, shady files show their true colors when they ask for a DNS or internet connection...

Configuration of the software as well as investigation of suspect software actions can take some time though.

Edited by manarak

I HAVE BEEN INFECTED FOR 60 DAYS !!!!!!!

The Virus I got put a .ecc extension to every single photo and document I have.

I did not have a back-up.

I will be watching to see if someone has a solution. I have talked to many here in USA and

am continually told there is "No Solution".

I will not pay the ransom.

It's the same as with a motorcycle helmet. The solution has to be applied before the problem.

Have you tried utilising the Talos TeslaCrypt Decryption Tool?

The TeslaDecoder?

Some files here. I haven't tested them. You can ignore the anti-malware link.


Surely you can just restore these files from your most recent backup.

Unless I am missing something here they cannot be important files, nobody with half a brain would leave important files on a windows computer without at least one secure backup.

Edited by technologybytes

Going back to an earlier poster - I did the Regedit check and that was OK, possibly because I had already deleted "Locker"

Tried the "TeslaCrypt Decryption Tool" which found nothing, probably because this thing has so many variations it's impossible to keep up with it.

Shadow copies did not help either - file too large error message.

Minecraft - Yes I installed it recently for the kids. Reading through other sites there does seem to be a general opinion that Minecraft is a culprit, though not everyone who got the Virus has Minecraft so there are obviously other sources.

As mentioned in an earlier post I have 4 internal drives and my weekly back-up on one of them and though files on that disk are affected looks like the files within the back-up folder are alright.

Problem is because this virus was on a time delay I don't know when the infection happens so how far back in time would I have to go to be certain that I am not just reloading it again.

Apart from the backups on the internal drives I have an extra copy of everything on a 4Tb external drive so personally I've not actually lost anything, except a lot of time, just a matter of sorting out my system to ensure it is clean before restoring everything.


Wow! never heard of that virus until now.

I always have my computer on day and night, I use Windows firewall, frequently updated antivirus with included additional firewall that screens all my mail as well, Adblocker etc. I frequently get messages from the antivirus that it has contained and eliminated threats so I know it is working. In addition to that my wireless router has built in antivirus protection and the Service Provider 3BB also has antivirus on their servers. I find it difficult to understand how that virus could get through.


To every poster:

Buy an External HDD drive.

Copy all your docs, photos, movies, videos, music etc. onto it.

Every month/2 weeks/whatever time span, copy whatever you've done in that time onto it (update it).


- In the end ESET Smart Security got rid of it. http://www.eset.com/int/.

- This Ransomware type of virus is VERY nasty and there is NO WAY of getting your locked files back.

one of these statements MUST be false...

I smell manure!

Haha, actually not.

Perhaps it got the Ransomware off the machine, but the files that were locked by it cannot be unlocked.


I can only suggest that you read the links in post #4, which includes some tools that may help recover from such an attack.

Note that you should copy all the affected files somewhere else before attempting to decrypt them in case it goes wrong, so you still have something to work with if it does.

They also mention a free version of a tool here that can mitigate some of the risk.

https://www.foolishit.com/cryptoprevent-malware-prevention/

I installed it with the highest level of protection and it hasn't had any adverse effects.

It makes a few changes to Windows security policy, so backup your registry first.


I installed Malwarebytes Anti-Exploits a couple of weeks ago. Protection for all browsers on my computer.

Does it help against these ransomware attacks?

Malwarebytes are a little vague as to what exactly the "exploits" might be....


This ransomware is normally spread using email attachments - so have a thorough review of all emails you've received within the last couple months for suspicious attachments, or else you might just find yourself infected all over again...

For Windows users there are a few things you can do to help mitigate the damage:

Perform regular backups as the OP did, but instead of placing them on removable drives, place them onto password secured network shares.

Backup your important docs and photos to the cloud (!) Between MS Azure, Amazon AWS's S3 and Google Drive, there's plenty of free cloud storage at your disposal, and there's also plenty of free & low cost apps you can install to automate the process. Some of them, like this http://www.cloudberrylab.com/cloudberry-box.aspx even have the ability for you to sync files between geographically separate machines via the cloud.

Of course, I also have to add that you can avoid all of this by using a Mac and Time Machine/iCloud

Great idea until your cloud provider is hacked.

If Azure, AWS S3, iCloud or Google get hacked, I think the attackers will have a lot more interesting things to look at than my happy snaps, LOL.

Edited by IMHO

I'd say it may mitigate some of the risk, but I'm not about to test it.


Backup your important docs and photos to the cloud (!) Between MS Azure, Amazon AWS's S3 and Google Drive, there's plenty of free cloud storage at your disposal, and there's also plenty of free & low cost apps you can install to automate the process. Some of them, like this http://www.cloudberr...dberry-box.aspx even have the ability for you to sync files between geographically separate machines via the cloud.

A wise man said: "Is free free? If you do not have to pay for the service you are their source of income instead of their customer."

Unfortunately this is not a proper way to backup. Even though it gives some level of security. Here are some reasons why:

  1. If your computer is infested with bad code, it can spread to your external drive when you connect it.
  2. You lose the data from when you last time copied the data.
  3. People tend to extend the time they remember to do the copy longer and longer, and soon they forget about it totally.
  4. If you have corrupted file on your computer there is a risk that you overwrite the non corrupted version on your drive.
  5. It does not protect you in case of a disaster like if your house burns down, or a thief steals your computer and the drive.
  6. External disks do break, and there is a small chance that if your computer breaks, you can not recover the data from your external drive.

Backup should be totally automatic, continuous and invisible to the user. Install and forget until you need to recover. Data should be sent to remote locations, and preferably more than one. Data should be encrypted so the remote destination can not access your data. Backup should keep versions of files, like if you create a presentation, you should be able to revert to a previous version if it turns out bad after some work.

If you have internet connection through CAT ON NET I can recommend you to use their Backup. 29 Baht/month including 20GB data. http://irisbackup.cattelecom.com

Guess you can use it even if you don't use internet from CAT but will probably be more expensive.


The following explains in simple manner how to get rid of the ransomware virus "crypt0L0cker", used it myself and it works. (PC running Windows) But I could not recover my encrypted files. Others may have better luck if the virus missed infecting the shadow files in Windows restore. But note, everything I have read elsewhere says this is a very nasty virus and without paying you cannot recover your files.

Step 1. Google "remove crypt0L0cker", click on "malwaretips.com/blogs/remove-crypt0L0cker -virus" (it's free)

Follow the easy step by step process, when finished run a second time to confirm.

Step 2. Google and download "Hitmanpro", run as instructed, this will clean out any remaining hidden malware files. (I had 4)

Step 3. Try running "restore" to see if any shadow files escaped infection.

Best of luck.


"edgarfriendly" Apologies if my phrasing alerted your sensitive nose.

As "DLang" rightly says "got the Ransomware off the machine, but the files were still locked"

"bobbin" I have the free version Malwarebytes but don't have it active in real time only use it as one of programs for weekly cleanup. When I got the Ransomware virus I ran Malwarebytes but it failed to see it.

I also tried Super Antispyware but that did not see the virus either, so after some Googling used ESET which did remove the virus but still left the files locked.

There are probably other products out there that would remove the Ransomware but the free 30 day trial of ESET worked for me.

To be clear removing the Ransomware Virus from your computer will NOT unlock your files. They will still be locked


For the third time, I posted a link to a Ransomware Response kit in Post #4.

If people bothered to read....

# Ransomware Response Kit
## Instructions
You should never pay the ransom. This will only reinforce this type of attack. According to most security intelligence reports, criminal enterprises are already making large profits from ransomware.
>In case of infection:
- Remove the impacted system from the network
- Attempt to identify which variant of ransomware you are infected with.
- Before removing the threat, create a copy if possible for later analysis, which may be needed for decryption of files.
- If possible, use restore points or backups to return to a safe state after removing the threat.
- If you have identified the variant of ransomware and a decrypter tool is available for it in this kit, you can attempt to utilize it.

Most ransomware removes itself from the PC once the encryption process is complete, leaving behind mainly just the encrypted data files and the ransom information, but most notably NOT the encryption key that's going to be needed to decrypt your data files. This is why the only way to get your files back is going to be either by somehow obtaining the key, or by recovering them from copies that whichever which way managed to avoid the attack. Most AV and anti-malware tools aren't going to be able to do this. ... which is why this is so nasty.
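
Since recovery comes down to finding copies that avoided the attack, the following added example (not part of the thread and not taken from any tool mentioned in it) shows one read-only way to triage a backup folder before restoring from it. The `.ecc` extension comes from this thread; the magic-number table, the function names and the sample files are assumptions constructed for the illustration.

```python
import os
import tempfile

RANSOM_EXTENSIONS = {".ecc"}  # extension reported in this thread
MAGIC = {  # leading bytes expected for common personal file types
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
}


def classify(path):
    """Return 'renamed', 'bad_header', 'ok' or 'unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return "renamed"
    signatures = MAGIC.get(ext)
    if signatures is None:
        return "unknown"  # no signature to compare against
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return "unknown"  # unreadable: check by hand
    # A wrong header means "inspect before restoring", not proof of encryption.
    return "ok" if head.startswith(signatures) else "bad_header"


def triage(root):
    """Walk a backup folder read-only and bucket every file by classify()."""
    report = {"renamed": [], "bad_header": [], "ok": [], "unknown": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            report[classify(full)].append(os.path.relpath(full, root))
    return {status: sorted(paths) for status, paths in report.items()}


def build_sample_tree(root):
    """Constructed sample data standing in for a backup drive."""
    samples = {
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "photos/beach.jpg.ecc": b"\x8f\x12\xa7\x03\x5c\xee\x41\x90",
        "docs/report.pdf": b"\x3b\xd1\x07\xf4\x99\x20\x6a\xc5",  # not renamed
        "docs/notes.txt": b"plain text has no magic number",
        "Backup/invoice.pdf": b"%PDF-1.4\n% constructed\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for status, paths in triage(tmp).items():
            print(f"{status:10} {paths}")
```

Run it against a backup mounted read-only from a clean system; anything listed under `renamed` or `bad_header` should be compared with an older copy rather than restored.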
