Thread: .crypt extension added to half of my files

  1. #1

    .crypt extension added to half of my files

    I have discovered that a .crypt extension has been added to about half of my files (pdf, djvu, txt, zip, rar) but not epub, html, mht, audio, video, pictures, exe, com.
    There is a file !Recovery_8D6DB179AF8B.txt/html added to every destroyed folder, containing this message:
    -----------------------------------------
    @@@@@@@ NOT YOUR LANGUAGE? USE https://translate.google.com

    @@@@@@@ What happened to your files ?
    @@@@@@@ All of your files were protected by a strong encryption with RZA4096
    @@@@@@@ More information about the en-Xryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

    @@@@@@@ How did this happen ?
    @@@@@@@ !!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
    @@@@@@@ !!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to your computer via the Internet.
    @@@@@@@ !!! Decrypting of your files is only possible with the help of the privatt key and de-crypt program , which is on our Secret Server

    @@@@@@@ What do I do ?
    @@@@@@@ So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
    @@@@@@@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment


    Your personal ID: 8D6DB179AF8B

    For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

    1 - http://xxxxxx
    2 - http://xxxxxx
    3 - http://xxxxxx

    If for some reasons the addresses are not available, follow these steps:

    1 - Download and install tor-browser: http://www.xxxxx
    2 - After a successful installation, run the browser
    3 - Type in the address bar - http://xxxxxx
    4 - Follow the instructions on the site

    Be sure to copy your personal ID and the instruction link to your notepad not to lose them.
    ---------------------------------------------------------------------
    Since I have thousands of pdf, djvu, txt files, I wonder if this action began more than 2 days ago, when I felt the computer was too slow at a certain moment while I was running Tor Browser on archive.org (archive.org blocks me, so I have used Tor Browser for about two weeks to access archive.org).
    Usually my C:\ primary drive running Windows XP is protected with an old version of Returnil Virtual System, so no files are damaged on it; it is only all the other partitions, 2 primary and 2 logical and one small one for Returnil. What was infected almost totally is the primary partitions and, to a lesser degree, the other 2 logical partitions.
    What makes me suspect the attack was through Tor Browser is that I was running Tor Browser when I first noticed the slowness, and interestingly the message the criminals left suggests downloading and installing tor-browser. The date of the message file !Recovery_8D6DB179AF8B.txt is 09 Jan 1601, while the date of !Recovery_8D6DB179AF8B.html is 12 March 1601, for all the folders with the same file name.
    I have installed Avast and it seems to have removed some dangerous files, because the adware was removed from the web pages. But I don't know if keeping the *.crypt files is safe, because I need their names to recover them from the external hard drive.
    A typical pdf file has something like %PDF-1.6 on its first line, but a pdf.crypt has random characters, so removing the .crypt extension will not make the pdf available.
    For the last 2 days I have connected seldom to the web.
    It seems the exe that changed all these files was very busy, and I can't believe this happened in one day, every time I run Tor Browser for 2 weeks. It is not possible that the exe was installed on my C:\ because no files were damaged on my C:\, protected by Returnil.
    Long story, but it may be useful: everyone must back up their files on media other than their PC.
    Last edited by ErosOlmi; 18-05-2016 at 14:28.

  2. #2
    thinBasic author ErosOlmi
    I think you have fallen victim to the CRYPTOLOCKER virus or one of its many variants
    https://en.wikipedia.org/wiki/CryptoLocker

    This is a real pest, very difficult to protect from due to so many variants continuously coming out.

    3 ways to protect:
    1. have backups
    2. have good AV always updated
    3. and, most important, try to smell fake mail and links


    Sorry about that.
    www.thinbasic.com | www.thinbasic.com/community/ | help.thinbasic.com
    Windows 10 Pro for Workstations 64bit - 32 GB - Intel(R) Xeon(R) W-10855M CPU @ 2.80GHz - NVIDIA Quadro RTX 3000

  3. #3
    thinBasic author ErosOlmi
    Primo,

    for security reasons I've removed links from your post in order to prevent others from clicking on them and, by mistake, getting something bad.

    Ciao
    Eros

  4. #4
    Thanks Eros.
    I was not running antivirus before, only virtual mode by Returnil. I escaped all the threats for about the last 2-3 years without antivirus, but this event convinced me that antivirus is critical, and to focus more on storing files on outside media. I now run Avast, and I monitor some folders for any additional .crypt files. I am convinced that the attack happened (or was discovered) 2 days ago when I felt very slow computer performance. Fortunately I have backups for most files, but I can't look at what is damaged in the many folders now; it is like a psychological shock.
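
The first post notes that an encrypted pdf no longer starts with %PDF-1.6 and that the .crypt file names are needed to restore from backup. The sketch below is an added example, not part of any post in this thread: it walks a folder, checks each *.crypt file against the signature its original type should start with (extended here to djvu, zip and rar), and returns the original names to restore. The function names, status labels and sample files are constructed for illustration.

```python
import os
import tempfile

# Leading bytes expected for the file types the post says were hit.
# txt has no signature, so it can only be listed, not checked.
MAGIC = {
    ".pdf": b"%PDF-",
    ".djvu": b"AT&TFORM",
    ".zip": b"PK\x03\x04",
    ".rar": b"Rar!\x1a\x07",
}

def triage(root, marker=".crypt"):
    """Return (original_path, status) for every *.crypt file under root."""
    results = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(marker):
                continue
            original = name[: -len(marker)]  # name to look up in the backup
            ext = os.path.splitext(original)[1].lower()
            expected = MAGIC.get(ext)
            if expected is None:
                status = "unknown-type"
            else:
                with open(os.path.join(folder, name), "rb") as fh:
                    head = fh.read(len(expected))
                status = "header-intact" if head == expected else "header-destroyed"
            results.append((os.path.join(folder, original), status))
    return results

def demo():
    """Build constructed sample files in a temp folder and triage them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "book.pdf.crypt": b"\x8f\x02\xd1\x77\x3a\x90 constructed junk",
            "renamed.pdf.crypt": b"%PDF-1.6\n constructed",
            "notes.txt.crypt": b"\x11\x22\x33",
            "photo.jpg": b"\xff\xd8\xff untouched",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), s) for p, s in triage(root)]

if __name__ == "__main__":
    for name, status in demo():
        print(f"{status:17} {name}")
```

The script only reads the first few bytes of each file and never executes or modifies anything, so it can be run against the affected partitions or a copy of them before restoring from the external drive.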

  5. #5
    Super Moderator Petr Schreiber
    Hi Primo,

    the classic viruses we remember from the DOS era are gone, but we are living in the age of much more sophisticated digital threats, stealing your data or blackmailing you, offering exchange for payment, as you experienced.

    Try to look at AVG Free for a start (little advertisement, as I work in AVG) or solutions from ESET. Do not run multiple AV solutions at once, they can fight a bit.


    Petr
    Learn 3D graphics with ThinBASIC, learn TBGL!
    Windows 10 64bit - Intel Core i5-3350P @ 3.1GHz - 16 GB RAM - NVIDIA GeForce GTX 1050 Ti 4GB
