Hello dear friends,
I have a case that the clint computer get the Cryptobit virus or samular one.
The virus encrypt all porsenal files. the extention become ".CRY" (img_001.jpg.cry, word123.xls.cry and so..)
and for unlock thay ask to download to Tor browser and go to thare website to pay.

I try Kaspersky tools and anti-cryptobitV2, but no luck. It das noting.

i'll be glad if you can give me any tips on that case.
Thanks a lot.

Could try https://www.decryptcryptolocker.com/

From their website

"Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker.
This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system.

Please note that each infected system will require its own unique master decryption key. So in case you have multiple systems compromised by CryptoLocker, you will need to repeat this procedure per compromised system"


Hope this helps


Loki

Hi arik,
Not tried the link Loki kindly provided but if you haven't found it already, this forum topic goes some way to helping too.

viewtopic.php?f=1&t=28436

The method of encryption has a weak spot in that it only scrambles the first portion of the file.

Therefore some files seem to have more chance of extracting the original core content as the encrypted portion messes the "wrapper" and not the core content ie compressed office files such as .xlsx .docx .pdf etc.

Images like jpg don't seem to have much success, if any, as the first few bytes form part of the overall content. Maybe decryptolocker site could help if it actually decrypts rather than extracts core data from damaged file and reconstructs.

good luck anyways...
K

_________________
Когда хочется кушать – съешь всё.
Голод не тётка!

Hi Loki, thanks for your replay,
I have try this but this is the message i get:"The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file."
i try 10 different files, all the same.



Hi, Thanks for your replay,
most of the impotent files are JPG, and if i compere original files to encrypted file using HEX i can see that all the file has encrypted\corrupted and not the first 512b..
Here are two of the files that the client give us, as the client sad, one is original from different source:, and the secend one is infected:

What OS was it running on the hdd?

Could you try previous versions or shadow explorer? http://www.shadowexplorer.com/downloads.html
If you can boot to the OS on the hdd what about System restore?

Do you have a image of the drive as a backup? you should just in case something goes wrong

Also http://download.bleepingcomputer.com/cr ... rBitV2.zip might be of help, might recover some files?

Loki

Looks like it could be using cryptola http://www.ravib.com/cryptola/

Loki

not that it matters but both zip files seem to contain the same corrupt file.

following Loki's info, i grabbed a copy of Cryptola.

In operation it encrypts the original and makes a copy which it renames as the original but with the .cry extension ie photo1.jpg.cry

it therefore looks like it encrypts and duplicates but doesn't delete the original by default.
Maybe the malware deleted but didn't securely wipe the originals.

If that is the case it could be worth doing a data recovery cycle on the drive, and file carving too, to see if the originals have simply been deleted after the encryption: much easier to get a successful outcome if so.

Would agree with loki that, as always, its worth taking a full drive image and working on that rather than messing with the original.

K

_________________
Когда хочется кушать – съешь всё.
Голод не тётка!