Arkadaşlar Dün akşam patronumun pc'ye bu virüs bulaştı. 300 TL TURKCELL den fatura geldiğine dair mail almış ve tıklamasıyla tüm dosyları (excel, word ve fotograflar) uzantıları değişmiş. Uyarı penceresi açılıyor fidye istiyorlar..
bende müzdaribim bende dosyalarım açılıyor ama her klasörün içerisinde 4 adet dosya oluşuyor dosyalarınız şifrelendi diye
CryptoLocker sitesinde tek dosya ücretsiz bir şekilde decrypt edilebiliyor. Bruteforce yaparak uygun eşleşme keyini bulup bir ümit düzeltebilirsiniz.
--R10.NET; Flood Engellendi -->-> Yeni yazılan mesaj 01:57:29 -->-> Daha önceki mesaj 01:55:02 --
Kullandığı cihaz ne ve hangi yazılımdan açmış? Web tarayıcı mı?
--R10.NET; Flood Engellendi -->-> Yeni yazılan mesaj 02:02:55 -->-> Daha önceki mesaj 01:57:29 --
Alıntı
To resolve the encryption of files, there is nothing we can do due to the type of encryption used.
This malware uses a domain generator. This generator creates the domain based on the date and generates up to 1000 different domains each day. It tries to connect to each one until it actually connects to one of them. When it succeeds, it downloads a public RSA key from the command and control server (C&C) which will be the RSA key it will use for ciphering. The author is the only one who owns the private key associated to this public key, which is required to decrypt the encrypted samples.
The ciphering is done with RSA and at any moment the author is the only one who owns the private key, so once the files are encrypted, it is impossible to recover them without this private key.
Once the ransomware downloads the public key, it begins to go over the file system encrypting all the files it finds with the following extensions:
*.odt *.ods *.odp *.odm *.odc *.odb
*.wps *.xls *.xlsx *.xlsm *.xlsb *.xlk
*.ppt *.pptx *.pptm *.mdb *.accdb *.pst
*.dwg *.dxf *.dxg *.wpd *.rtf *.wb2
*.mdf *.dbf *.psd *.pdd *.eps *.ai
*.indd *.cdr *.doc ????????.jpe *.jpg *.dng
*.3fr *.arw *.srf *.sr2 *.bay *.crw
*.cr2 *.dcr *.kdc *.erf *.mef *.mrw
*.nef *.nrw *.orf *.raf *.raw *.rwl
*.rw2 *.r3d *.ptx *.pef *.srw *.x3f
*.der *.cer *.crt *.pem *.pfx *.p12
*.p7b *.p7c *.docx *.docm
It saves the path of each encrypted file in the following registry key:
HKEY_CURRENT_USER\Software\CryptoLocker\Files
It saves the ciphering public key in:
HKEY_CURRENT_USER\Software\CryptoLocker\Public Key
The ransomware is installed in the Run key so as to be automatically run on each reboot:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run \CryptoLocker
As we mentioned before, it is impossible to recover the files once they have been encrypted, as a safe ciphering as RSA with a strong enough key is used. The use of data recovering tools is not possible either, because the original file is overwritten with the ciphered data, so the disk sectors with the original data are also overwritten.
Dosyalar gitmiş. Parayı vermesi halinde çözüm bulamayabilir de.
Üstteki yazının sahibi Panda Security'in Suupport ekibi.