Solved

rans.crypto

Posted on 2014-03-12
394 Views
Last Modified: 2014-05-11

Question by edo60:
Help please. I have Rans.Crypto; I can't open my files, it says they are corrupt!!! Any help?
tsm
edo

29 Comments
 

Author Comment by edo60:
Please, any advice here?
 

Author Comment by edo60:
Is there any way to recover the damaged files?
Please!!
 
Accepted Solution by ☠ MASQ ☠ (LVL 62, earned 500 total points):
Recovering encrypted files - no (unless you've left the malware running and pay the ransom).

If you don't have backups then they cannot be restored.

If you removed the trojan before the ransom message appeared then not all of your images/office data will have been encrypted. Once the ransom message is displayed, all the files that Crypto indexed have already been encrypted.

See also: http://www.experts-exchange.com/Security/Encryption/Q_28295419.html
 
Expert Comment by Mohammed Hamada (LVL 23):
Follow the instructions in this link, please.

http://www.bleepingcomputer.com/forums/t/518406/virus-or-ratroot-from-hell/

If you face any issue, please post it here and we'll follow up with you.
 
Expert Comment by ☠ MASQ ☠ (LVL 62):
moh10ly - did you read that thread? Their computer ended up being scrapped!

If you want the latest on Rans.Crypto/Cryptolocker, the current knowledge base on it is here:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
 
Expert Comment by Mohammed Hamada (LVL 23):
Sorry, I didn't notice that at the end! But I think it's obvious the asker will need to pay to get the files decrypted, or have their files encrypted forever and lose the key.
 

Author Comment by edo60:
Oh man, such bad news. The payment banner never displays?? So I do not have the payment option; I never saw something like that before.
In the future, do you think Google is going to be a solution?
 
Expert Comment by ☠ MASQ ☠ (LVL 62):
It's unlikely - the encryption keys are unique to each machine - preventing the infection is currently the only way - it's clever in that even though the files are being encrypted the trojan decrypts them when you want to access them, so a lot of users don't realise they are affected until it completes the encryption of all the files it can index.
 
Expert Comment by Mohammed Hamada (LVL 23):
I think you will need a very good decryption tool and a SUPER computer to work on the decryption. As you may know, the decryption process usually takes a lot of time, sometimes weeks, months or a year or even more, depending on the encryption methods.

The NSA scandal about spying on governments had them using super powerful computers that shorten the process of key decryption for the most complicated encryption algorithms.

Your problem lies in two main factors: 1. time, 2. resources.
If you have both you may be able to solve it; otherwise I would say the only option would be payment.

And I would just give a personal recommendation to use a Linux OS as your personal desktop. I have been using it for 2 years now and I can say I'm very happy with it as an end user.
 
Expert Comment by Thomas Zucker-Scharff (LVL 26):
Using Linux is a good suggestion - my best suggestion (since once you have this it is virtually impossible to get rid of unless you pay the ransom, recover your files, then reformat the system) is backup with versioning. Whether you use something like SpiderOak (spideroak.com), CrashPlan (crashplan.com) or Dropbox - not as good - (dropbox.com), something is much better than nothing.

We are piloting CrashPlan here and have already used it to recover from a nasty crypto infection - the versioning was the key.
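To make the "versioning was the key" point concrete, here is an added example that is not from this thread and is not how CrashPlan, SpiderOak or Dropbox are implemented: a minimal versioned store that keeps every distinct content of a file as a numbered copy and never overwrites or deletes an older one. A plain mirror or sync job would copy the encrypted file over the good copy on its next run; here the run after the infection just adds version 2, and version 1 stays restorable. The directory layout, the sample file and the simulated "encryption" (random bytes written over the file in place, the way the trojan leaves the name and extension untouched) are all constructed for the demo.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's content, used to skip unchanged files."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def versions(store, relpath) -> list:
    """Sorted version numbers kept for `relpath` ([] if never backed up)."""
    slot = Path(store) / relpath
    if not slot.is_dir():
        return []
    return sorted(int(p.name) for p in slot.iterdir() if p.name.isdigit())


def backup(src, store) -> int:
    """Copy every file under `src` into `store`, one directory per file and
    one numbered copy per distinct content.  Older versions are never
    overwritten or removed.  Returns the number of new versions written."""
    src, store = Path(src), Path(store)
    written = 0
    for f in src.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(src)
        slot = store / rel
        slot.mkdir(parents=True, exist_ok=True)
        existing = versions(store, rel)
        if existing and _digest(slot / str(existing[-1])) == _digest(f):
            continue                       # unchanged since the last run
        shutil.copy2(f, slot / str(len(existing) + 1))
        written += 1
    return written


def restore(store, relpath, version, dest) -> Path:
    """Copy one stored version of `relpath` to `dest/relpath`."""
    src = Path(store) / relpath / str(version)
    target = Path(dest) / relpath
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, target)
    return target


def demo() -> dict:
    """Constructed scenario: back up, overwrite the file in place with
    ciphertext-like bytes, back up twice more, restore the first version."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data, store, out = tmp / "data", tmp / "store", tmp / "restored"
        (data / "docs").mkdir(parents=True)
        good = b"%PDF-1.4 quarterly report (constructed sample)\n"
        doc = data / "docs" / "report.pdf"
        doc.write_bytes(good)
        first = backup(data, store)        # version 1: the clean file
        rng = random.Random(1)             # deterministic stand-in for ciphertext
        doc.write_bytes(bytes(rng.randrange(256) for _ in range(256)))
        second = backup(data, store)       # version 2: the encrypted file
        third = backup(data, store)        # nothing changed: nothing written
        rel = Path("docs") / "report.pdf"
        restored = restore(store, rel, versions(store, rel)[0], out)
        return {
            "written": (first, second, third),
            "versions": versions(store, rel),
            "restored_ok": restored.read_bytes() == good,
        }


if __name__ == "__main__":
    print(demo())
```

The property that matters is the one `backup` enforces: a later run can only add a version, never replace one. Any backup product you pick for the director's laptop should be checked for the same behaviour (and for how long old versions are retained), because ransomware that runs for hours before it announces itself will be "backed up" faithfully by anything that only mirrors the current state.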
 

Author Comment by edo60:
How can I be sure that I no longer have that virus on my machine?
Is there any tool to know that for sure?

tsm
 
Expert Comment by Thomas Zucker-Scharff (LVL 26):
Nothing will guarantee it. Use RogueKiller, then do not reboot and do a deep scan with MBAM.

Your best bet is to use something like DBAN to wipe the system and then reinstall from scratch.
 

Author Comment by edo60:
Please, I need to contact this guy for payment.
Does anyone know how to do that?
tsm
 
Expert Comment by Thomas Zucker-Scharff (LVL 26):
I believe they only take bitcoin. Whatever you do, do NOT reveal any information that is personally identifiable, or fiscal information. Make sure you are making a one-time payment and you should double check the security on your bitcoin account.

Normally you get the decrypt code fairly quickly once you pay (last I looked it was about $300.00).
 
Expert Comment by Mohammed Hamada (LVL 23):
If anyone knew him he'd have been in prison long ago! I think all the payment info is anonymous and the owner of this virus knows well how to hide his identity.

I'm not sure what other experts think; this is my theory though.
 

Author Comment by edo60:
Does the virus go through mapped network drives?

At this moment I don't care about the machine, even though it is a serious loss of data that has no backup, but I want to know if it is going through to my server by a mapped connection.
tsm
 
Expert Comment by ☠ MASQ ☠ (LVL 62):
If you have removed the trojan then you shouldn't see any additional network traffic as a result; however, left to run unchecked, Rans.Crypto.Win32 will continue to encrypt all files it has read/write access to, even if they are remote from the affected machine.

The BleepingComputer link includes details on contacting the CryptoLocker Decryption Service; however the current ransom is 10 BTC, which is about US$ 6500.

Rans.Crypto.Win32 is a trojan and so does not spread by infecting other files. Nor is it known to be packaged with other viruses (and this would be counter-productive for the authors of Cryptolocker, as they want your computer healthy if you pay the ransom to decrypt). However the behaviour that causes Crypto infections (opening unknown email attachments) means that if a machine is infected with a ransomware trojan the user is more likely to be at risk of further infections. As tzucker says - it's not possible to guarantee your system is clean.
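The practical follow-up to the mapped-drive question is to check the server side, since the trojan encrypts whatever the infected user could write to. Below is an added example, not code from this thread or from any of the tools linked above, that walks a folder (point it at the share, mounted read-only from a clean machine) and flags files that were encrypted in place. Because the name and extension are left untouched, it compares the first bytes against the header the extension promises and reports a mismatch only when the content is also high-entropy, so a mislabelled plain-text file is not a false positive. The sample share it builds in a temp directory is constructed, and the magic-number table, the 4096-byte sample and the 7.5 bits/byte threshold are my choices for the demo, not anything documented about CryptoLocker.

```python
import math
import random
import tempfile
from pathlib import Path

# Byte prefixes the extension promises (lower-case extension -> header).
# Assumed table for the demo; extend it with whatever your share holds.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
SAMPLE = 4096        # bytes examined per file
ENTROPY_MIN = 7.5    # bits/byte; text and most headers sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """True if the extension promises a known header, the bytes do not
    match it, and the sampled content is ciphertext-like."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return False                 # unknown type: nothing to compare against
    with open(path, "rb") as f:
        head = f.read(SAMPLE)
    if head.startswith(magic):
        return False                 # header intact, treat as untouched
    return shannon_entropy(head) >= ENTROPY_MIN


def scan_tree(root) -> list:
    """Walk `root` (a local folder or a mounted share) and return the
    relative POSIX paths of files that look encrypted in place, sorted."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            if looks_encrypted(p):
                hits.append(p.relative_to(root).as_posix())
        except OSError:
            pass                     # unreadable file: skip, keep scanning
    return sorted(hits)


def build_sample_share(root) -> None:
    """Constructed test data, not real CryptoLocker output."""
    root = Path(root)
    rng = random.Random(20140312)    # deterministic stand-in for ciphertext
    noise = lambda n: bytes(rng.randrange(256) for _ in range(n))
    # a real .docx is a ZIP: high-entropy body but intact header -> not flagged
    (root / "intact.docx").write_bytes(b"PK\x03\x04" + noise(SAMPLE))
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # encrypted in place: same name and extension, no header, random content
    (root / "finance").mkdir()
    (root / "finance" / "budget.xlsx").write_bytes(noise(SAMPLE))
    # plain text saved as .pdf: wrong header but low entropy -> not flagged
    (root / "notes.pdf").write_bytes(b"just some notes\n" * 200)


def demo() -> list:
    """Build the constructed share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_share(d)
        return scan_tree(d)


if __name__ == "__main__":
    for hit in demo():
        print("suspect:", hit)
```

Two caveats when you run it for real. It only reports types in the table, and it cannot distinguish an encrypted archive from an intact one by entropy alone, so a clean result is not proof; the reliable inventory is a comparison against the last backup. And scan from a machine you trust, with the share mounted read-only: if the trojan is still running on the laptop, everything it can reach through that mapping is still at risk, which is the point of the comment above.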
 
Expert Comment by Thomas Zucker-Scharff (LVL 26):
For one bitcoin you can buy a pretty good NEW computer; for 10 BTC you can buy one of the best out there. Is the data worth that much?

I have a colleague who has as part of his email signature:

"Data that is not backed up in at least two places is data that you don't care about."
 

Author Comment by edo60:
Oh man, I hope the data doesn't matter; it's the director's laptop.
I can't believe there is not a genius in the world who has made a vaccine.
That is my hope.
 
Expert Comment by Thomas Zucker-Scharff (LVL 26):
This was apt to happen sooner rather than later. I always tell my director that if he is not backing up his data then the onus is on him. I installed CrashPlanPROe on his laptop. If you don't have an institutional license then get it just for him. The cost is not bad at all for large data chunks. It is even less if you register under an edu address.
 
Expert Comment by Mohammed Hamada (LVL 23):
I think you can try and contact the Ontrack company; those guys are geniuses in recovering data, but I'm not sure about decrypting it though.

I once formatted a computer and installed Windows on it, and with their help I was able to restore every single piece of data that was lost.

Try giving them a phone call; you won't lose anything.
http://www.krollontrack.com/data-recovery/
 
Expert Comment by Thomas Zucker-Scharff (LVL 26):
The data recovery people are generally not a help with encrypted data. We have used DriveSavers in the past for data recovery in extreme cases and they have never failed us (they do charge a hefty price though - not as much as crypto). If you have any success, let us know.
 
Expert Comment by ☠ MASQ ☠ (LVL 62):
Seriously, the only way to decrypt these is a brute-force attempt to guess the randomly generated AES-128 key - you've more chance of getting the NSA to help.

You do have the added advantage of telling your director that, "following investigation it seems to have been caused by someone opening an infected email attachment on this computer" though.
 

Author Comment by edo60:
Yes, it was his fault, by opening a suspicious mail and running the attachments, even though he was warned,
but as you understand, blame the IT guy. That's a sh#$#t.
 

Author Comment by edo60:
Hi experts,
How about this article, could it help to recover my files? Does anyone have any advice about it?
http://www.adlice.com/cryptolocker-removal-roguekiller/

Tsm
 
Expert Comment by Mohammed Hamada (LVL 23):
This just stops the crypto program from running itself on startup via the registry, but it doesn't solve your problem.

You have encrypted files and you will need the key to decrypt them. That's it.
 

Author Comment by edo60:
Ohh man, I can't believe it. It's the worst thing I have ever seen.
That mfer must be in jail.
