Topic: Please Help - Ransomware has stolen my files and I need to pay in BitCoins (Read 3891 times)

Toddball? Is he back? http://www.thesamba.com/vw/forum/viewtopic.php?t=602957

First of all.  There's no guarantee that you'll get your files decrypted even after paying.. 

Quoting from that very same post (which had already been linked by grue above, BTW):


Also, for Bromium Labs:

They are related, TeslaCrypt appears to be a direvative of Cryptolocker.

Here's a post detailing how to decrypt it:

http://blogs.cisco.com/security/talos/teslacrypt

Best thing that could happen to this world is stupid fucks like him and you die off.
 Keep holding the stupids hands and they won't ever learn.
Show them google and how to read
give a man money they eat for a day, make the person work, they eat for a lifetime.
Trust me, I know how to use the internet and wouldn't be here asking for help.

pedrog,

Your post is irrelevant because OP was never infected by CoinVault, but rather by TeslaCrypt which is completely unrelated.

Had you read either the very first post or the very last one (above), you would have seen this, but you did not.

Check https://noransom.kaspersky.com/ again.

April 29 update: 13 decryption keys added to the database

You might get lucky this time.

toddball,

It's great to hear you managed to recover most of your files w/o even having to pay a ransom!

Although you may not need it now, did you see grue's post?


It links to a decryption utility for TeslaCrypt posted just yesterday by researchers over at Cisco, which may or may not work depending on which version of TeslaCrypt you have. It might be worth a try to recover your remaining files.

Even if it doesn't work, they're trying to improve it to work on newer versions of TeslaCrypt as well, so you may want to keep an eye on their blog for future updates.

Good to know you were able to restore a backup and didn't have to pay ransom. It would have been an awful and costly thing to do anyway.
For all people reading this topic, here are a few links for future reference:

How to protect against CryptoLocker malware
http://support.kaspersky.com/viruses/common/10646#block2

CryptoLocker Is Dead: Here’s How You Can Get Your Files Back!
http://www.makeuseof.com/tag/cryptolocker-dead-heres-can-get-files-back/

FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.
https://www.decryptcryptolocker.com/

How to decrypt or get back encrypted files infected by known encrypting ransomware viruses.
http://www.wintips.org/how-to-decrypt-or-get-back-encrypted-files-by-known-encrypting-ransomware-crypt-viruses/

How to recover files from CryptoLocker for free
http://www.expertreviews.co.uk/technology/8063/how-to-recover-files-from-cryptolocker-for-free

I applaud your darwinism I should probably make a note somewhere to make sure I dont help you accidentally. Education and help are never part of the problem, they are always part of the solution. Holding someones hands is perfectly fine while they are still growing. Not letting them make mistakes in the first place is a problem. If you cant see the difference Im not going to teach it to you. OP certainly learned a few valuable lessons and not only about IT systems and how to keep them secure. Wether or not the data was lost in the process is irrelevant for the lessons learned.

Even in the event that OP had been a troll answering in a constructive manner can still be helpful for someone else silently reading.

yep you're part of the problem too, holding the crybabies hands.
Keep coddling the stupid's it will only increase them.

Oh shut up. If someone comes anywhere for help you do your best to help them or - if you cant - stay out of it and direct them to someone that can.

Yes, this is not bitcoin related or only remotly, but instead of attacking someone seeking help, just report the thread to be moved into offtopic and go on your way.

@Danny moving this into offtopic also has the benefit that no one here gets any satoshi for their posts.

I am philipma1957 this is my secondary none signature account as I promised I will not post here with my signature account more then once.


   Here goes my opinion on the op after I posted  to not sell the op any coins. He has fixed his issue. He does not need coins. So I guess my signature post saved the day here.

  

 I realize some people do not like signature campaigns. They believe  posters post just to make money.  Which is why I am using this non signature account to point out that the op has fixed his problem.  

He no longer needs us to sell him coins with a cc as payment.

You don't use it (the internet for information gathering) very well to come here make your first post whining about how you got a virus from being stupid and can't buy btc at market price.

http://blogs.cisco.com/security/talos/teslacrypt

I only stopped in here to thank you guys for your time and let you know what I decided to do.....

I'll set the remaining facts straight for those that would prefer to make up your own.  

I got the Teslacrypt virus.  I'm not sure how.  I haven't had a virus in years.  Water under the bridge at this point......

This isn't the normal kind of virus most of us have gotten from a friend's email or some bad advertising malware.  It encrypted all of my files, without the key it's just like deleting them.  As far as I was aware before this, the concept was something out of the movies.  I didn't know that there were viruses that severe that regular people could get.

I'm an independent consultant.  I got the job in a hurry, and had to get set up to work from home in a hurry.  It's been a-holes and elbows since then, for 6 months now.  The only assistance I've had from the companies IT was the installation of the AV software.  It's a small company, even the IT guy is an outside contractor.

I checked my "continuous backup drive" and the dates on the backup file that I believed contained my files was old, this led me to believe something went wrong and I did not have a recent backup.  I'm a mechanical engineer, not a computer specialist.

I decided not to pay the ransom.  Mostly because I don't have the means where I live to easily get bitcoins to pay the ransom.  Danny H, who offered to help me, said that was probably the smartest thing to do anyway and I thanked him for his help.

I found when I restored from the backup that in fact it was an incremental backup, and I had files from my last backup from the end of March.  I left for a prototype build in S. Illinois right after that and didn't really author too many new files between then and now, so I'm not losing a lot - but I didn't know that when I came here in a panic.

Why did I come here?  Someone was pretty hot and bothered about that.  Well like I said, I was having a tough time figuring out how to buy the coins with the payment means that I have available.  And so many places that claim to be exchanges that I signed up for and haven't heard anything since.  

And I lack patience, and like many of us, I use the internet for information gathering - Don't you?  Or do you just automatically know everything, Mr BCWinning?

Whatever, you're a chump for saying what you did.  I'm no crook and I found the advice I was looking for.  So it seems I'm a little smarter than you think.  And BTW, I'm not a troll either, I don't know what gave you that idea.  I was in a panic over lost data in a critical portion of a prototype development, and I'm the entire engineering department on this, so I had a right to become a little panicked.

To the rest of you that were helpful, thanks again very much.

In the end, I lost alot of time, was able to recover the Bill of Material from the hackers "free trial" download, and so only lost several other files that I can recreate.  I got off super lucky.

This won't happen again, as soon as my computer and data are back up and running IT is going to get me connected to their network for regular backups.

Thanks again everyone

Toddball

PS  Danny just saw your post...  So I guess they are the trolls you warned about.  Hah.  I don't like being accused of trolling.  Live and Learn.  You guys are alright by me.  Good Luck

toddball,

Perhaps you didn't notice where I said:


See that colorful "bit-x" "The reputable bitcoin mining service" at the bottom of philipma1957's post?  That's the "advertisement in their signature space" that I was talking about.

If you see someone with such an ad, you can simply click the "ignore" under their userID at the left of the post.  Then you won't have to see any more of their nonsense.

See my signature link for more information on how to quickly block a significant number of these forum spammers.

Wow man.  Your conjecture is pretty amazing here.

I didn't see where Danny said in the forum that I wouldn't meet with him, but the truth is, he's 450+ miles from where I am so how exactly was I going to meet him?  It's pure coincidence that my place of work is actually in Illinois, and seems not far from where Danny was located.

I'm the guy that got ripped off, by the hacker that infected my computer with a virus.

Some of you need to read more, think less.  I did exactly tell you what virus is was, it's called TeslaCrypt and seems to be a newer version of the cryptolocker virus.

In the end, I thanked Danny much for his time, and he told me that not paying the ransom was the right call.  More on that in a minute.....

He clearly states in the first post that he has the TeslaCrypt virus. Later, he also says that his antivirus prevented the virus from hijacking his desktop. It may have even removed the virus itself, but the encrypted files are still there.

I don't even think you have even read this thread. With your signature, I think you are just posting here for the posts, and don't even know what this thread is even about.

And if you have one it's not in diplomatic skills, or business communication.

But it stated the threat yes, but malware is not one size fit's all. I was assuming OP was taking steps to remove it.   But read last few post's it seems he might not be legit person with problem.

Malware is remade many... many times.  So we don't know if he has a new version with it making past virus protection, it has a different fingerprint.  And what new version does could be different.  Or OP has bad/old virus protection and it's did not detect it even though it's been out in the world for a while.

Chances are most versions will be close on effects and removal, but you never know.

Your degree clearly wasn't in reading comprehension. OP stated the exact virus name in the first post

We have nothing to do with ransomware and this isn't an exchange site.
So, Why the fuck would you create an account here looking for help.
Too bad localbitcoins won't sell at market rate, that is our problem some how?
You can't figure out how to buy them at an exchange but you figured out how to create an account here
and troll the forums.
Don't click on BS links, you deserved what you got.

Thanks for advice I will leave thread alone after this post aswell.

I found it hard to believe he did not backup important files.  The last company I worked for I know pushed backing up important files.  It was stressed very much to use the network drive.  We also had a enterprise anti-virus that forced you to update in background, so most computers did not get infected unless very very early after the malware release.

Frankly I would not trust the op.  He refused to meet with  danny h.  Strong chance he is looking to con someone to take a fake cc or paypal.

Also he could be a signature shill. Posting a topic to allow people in signature campaigns to post here with legit answers.

I won't post again.  And I do not believe him as he would not meet with danny h.

Also classic excuse I forgot to backup my files.  Feel sorry for him and send him a coin that he charges on his cc and good luck to you.

I wish OP could give us exact virus/malware he has.  If he had that we could tell him a lot more.  My bachelors degree is actually based on computer security.  I added on quite a few extra hours to get this vs standard bachelors at a University.  Bitcoin and security are what I enjoy reading about.

We can guess and throw out ideas.  But without knowing exact variant he has it's all guesses.  It is bad you do not have backups, this makes it harder.  My last company we suggested storing backups of anything important on a network drive that we had with all kinds of security on it. 

Does your company have a help desk?  I still say this is a good option depending on how well they are.   I would hope they could look at it and say if it's a lost cause,  or if they can get rid of malware.  There is a chance it's not really some super encryption on it, but the malware makes it appear this way.  Or it could be more advanced and truly have them locked up.

Depending on your level it might be something you can handle.   It all depends I don't know your background.

And the third option is a computer repair service.  If you do one of these i give it a 90 percent chance they blow it away and reinstall windows.  So good that you have a safe computer again, but most likely lose data.

If you have not gotten this resolved, I know of some one that can help you.  pm me i will share the information with you.

Contact DannyHamilton and try to buy from him with cash since he's a trusted member; They WONT decrypt your files, in fact your files may not exist anymore this type of ransom ware is well-known and the pay to this address has been going around for quite long time; More information here on the one that I'm talking about http://en.wikipedia.org/wiki/CryptoLocker

Just my two cents:

If possible - mirror the HD in question, so if everything goes badly, you at least have a copy. I assume it is only your personal files that are encrypted, and that the rest of the OS is untouched.

You mentioned that there was a "test-drive" for decryption and that you got one file back. If this code is not too sophisticated, an expert might be able to crack it so all of your files could be decrypted. Perhaps if you posted on some crypto/reverse-engineering/security forum there would be some people able to help you out. Professional services might be worth a shot too, but that might quickly add up costs.  A long shot could even be the a police department with a cyber investigation unit. If such a thing exists.

Contrary to what others say, I believe you would get your files back. If word got out that nobody gets their files back from paying, then people would most likely stop paying, and the criminals would shot themselves in the foot.

Once everything is hopefully restored, get a proper backup solution and don't forget to test that it actually works now and then.

He said in an earlier post that he had no recent backup to restore the computer from. Removing the virus would not help, and since he has no backup, his last resort is to pay the ransom.

Why are we giving OP advice on buying bitcoins? I could have missed something, but is this advice so he can pay the ransomware?

OP you should in NO way pay the ransomware.   I gave my advice in a earlier post on how to get rid of it most likely.   Does your company have a help desk area that can help you? (I did helpdesk work once and removing virus's was normal.  Would not lose your job liked you talked about).

If no resources at work, and cannot do it yourself.  Look into places that fix computers vs paying ransomware.

OP: have you tried Coinbase? They have an "instant-buy" option if you verify your account with a Visa or Mastercard credit card (along with verifying your bank account).

I'm not sure how long the verification process takes as its been awhile since I did it. If you don't do the instant buy method, the turnaround time for receiving BTC is 4 business days.

As others have said, it is difficult to buy bitcoins with your preferred payment methods (paypal, MC) as they are reversible, bitcoin is not.

also click the report button when you see someone clearly wrote an answer without any thought or knowledge on the subject matter.

Danny is correct. 

Often the people with the ads in their signatures are doing nothing but spouting random advice that is often not accurate merely to get the ads in front of people.  Be wary of advice from people with the signature ad campaigns.

You would do well not to take advice from anybody that has an advertisement in their signature space on this forum.

The vast majority of those are people that are being paid per post to advertise with those signatures.  Therefore, they'll say just about anything in a discussion thread just to increase their post count (and therefore increase their income).  Generally, they know less about the topic they are discussing than the person asking the questions.

Since you are in the US, coinbase.com has fast turnaround - or at least they have in the past.

I too have seen reports where people paid and got their files unlocked, so if you need the files, this is pretty much the only way.

Good luck.

Regarding localbitcoins.com, were you looking in the "Buy bitcoins online in United States" section here, which typically works anywhere in the U.S. via Western Union, Moneygram, or branch cash deposits (ignore OKPay, Perfect Money, WebMoney, etc., they'll probably just make things more complicated)?

Also, DannyHamilton suggested he may be able to help you out directly: https://bitcointalksearch.org/topic/m.11193629. He's a widely trusted user on Bitcointalk.org, see here (and also a trusted escrow agent, see here), you should consider his offer.

P.S. I'm very sorry this is your first experience with Bitcoin , but I do hope you'll stick around once this mess is settled.

One of the downsides of being an Uper. I can help if you'd want to drive to the Saginaw/Bay City area.

TT

Scratch that, TruCoin seems a bust.

All I got was a "you have been added to our list" message and I read that people waited and waited and nothing happened.

I live in the middle of nowhere in Northern MI, so I can't just walk out and meet folks for a transaction.

Any suggestions for a specific site that seems to have quick turnaround?

Thanks

TB

Hey ALL

Again, thanks for your help so far.

Yeah, some of you haven't read thru the parts where I stated that thought I was backing up continuously, that I'm an outside consultant and therefore fell thru the cracks of IT backups.  I had antivirus, and have run lots of malware now and the threat appears to be removed.

All of my files are still here, but they are encrypted with 2048 RSA encryption.  This is like out of a movie, pay the ransom, get the key.

You don't think I'll get my files back but many have in fact, gotten theirs back.  In the spirit of get what you pay for, if they didn't make good on the promise then there would be more reports of this.  I also feel like I would not have been able to INSTANTLY get my "test" file back so quickly.  I mean, it was instantaneously available, so obviously the process is automated.

What I'm worried about at this point is the offer expiring.  I never saw the original splash screen but it's been like 72 hours.  Gotta make this happen today.  Waiting for some folks to get back to me about selling their coin.

Going to look into buying at TruCoin as a backup I guess

Bitcoin is very much like cash. Once the transaction is complete it cannot be reversed, therefore it's unlikely you'll be able to make an initial purchase of 2.5 BTC with a credit card. As DannyHamilton suggests, you can make this purchase with cash locally though, so mention your general location and maybe someone will meet you to trade BTC for cash. If no luck here, you can put a WTB (want to buy) ad in your local Craigslist. Maybe offer to pay 10% over exchange rate. Meet in a public place like a mall, restaurant, or even a local police station to avoid being robbed since you'll be carrying a lot of cash.

TT

A hero member should know that, well, reading the thread you're replying to usually helps towards not making a fool of yourself.

(edit: typo)

Firstly, don't pay a ransom, they may blackmail you again if they get the money. I don't think the hackers will decrypt your files after they receive the ransom. They just threatened you. Your company should have backups that they can restore. Ask your company's IT department if they can help you. Don't be nervous, dude.

If you want to buy bitcoin, you can transfer money to bank or payment processors, and buy them in bitstamp, btc-e,com. Most places will not accept paypal or credit card, because these can have chargebacks and exchanges have the possibility to be scammed.

Maybe you are right, I have never "tried a double spend attack" against a ransomware. Maybe with the oldest version of those ransom. it could be possible double-spend a transaction ... Who knows?

Danny has some of the best advice make sure not to accept help through teamviewer or other from a low trust source.  People will pry on your situation.

My advice is try to see if you can get into safemode.  Assuming you can get into safe mode then look at processes running, anything looks funny stop the process. 

After try malwarebytes and your favorite anti-virus.    Hopefully in safe mode you can get all of it gone on the virus.  Also think of updating virus protection or switching if it allowed you to get this virus.

Again, thanks to all.  You guys have been very helpful.

Good to know that they can be bought anywhere and be spent.

It is very hard to attempt a double spend attack which will give you confirmation. Any hacker would want their ransom to have confirmations though.

Shvdb has a service which allows exchange of paypal to BTC if you have PayPal. The process was abit complicated but at least it protects the seller.

A lot does depend on where you are.  Converse is good and legit, but not everywhere.  They are in the US, EU etc.

Be very careful though.

There are scammers and thieves that take advantage of your sense of urgency and your lack of experience. There are many places on the internet that will promise that you'll get bitcoins in exchange for payment, and then after you send payment they'll just disappear without ever ending you any bitcoins.

Make sure that wherever you are getting the bitcoins from is a reliable source.

It doesn't matter where you get bitcoins, they are not limited to locales. As long as you have them, you can pay the ransom to the attackers.

pedrog, thanks for the links.

Seems my version of the cryptolocker virus is still not old enough to have a utility to decrypt the files.  One word of sage advice I found, was to make sure to keep a copy of the encrypted files, so that when/if a fix is available in the future you can run it and get your files back if for some reason paying the ransom doesn't work.

That won't help me, I'm afraid as I can't wait around for this particular data....

Now, I'm hoping you all can clear up something for me.

Does it matter what "service" I use to buy my bitcoins?  Certain ones are only available in certain locales, like "Trucoin" for example is available to buy bitcoin on credit in the US, but will I be able to use those bitcoins to pay the ransom if "Trucoin" is not available whereever this kidnapper lives?

Help me fill in these blanks, I don't understand and since they are not refundable I do not want to end up with $700 I can't use to pay the ransom.

Thanks again to all.

TB

Had company anti-virus installed as well as a back up drive.

For some reason my computer last checked into the server for AV updates one month ago.  As I said earlier, my continuous backup I thought was happening wasn't.  Nice concept in theory, but apparently not worth a wooden nickel.

I may have already stated that I did in fact get back a single important file, and I have read that many people have gotten their files back once they paid ransom.

Is it a risk?  Yes.  But it's only money, and I'd gladly lose it for a chance not to recreate weeks of work.

This won't be happening to me again I assure you.  At least not without backups of backups in place.

Regards,

TB

Howdy

Thanks for all the replies

I've been an independent consultant till this past week.  As such, I was not on the company network except to access a CAD vault thru VPN.  I do understand the importance of backups, I didn't state it at the time but I have a 4TB seagate drive that I thought was configured to do continuous backups.  It says as much, yet the last backup was from before the new year.  I have been scrambling on this project and just didn't verify that it was happening.

So yeah, now I do understand the importance of vigilance.  I don't do shady on the internet for this exact reason.

Anyways, I don't have backups of nearly any sort.  So it really is that bad.

I hear what all of you are saying, and otherwise I would not consider doing this AT ALL.  I do not want to encourage this kind of virtual extortion either, but I don't have much choice.

I've read more opinions that you'll never get your data back, and see that in a dozen articles but I have found more personal accounts of recovery than not.  Even some cop shop in Maine paid for their data back.

I was able to test it out with their "one free test" thing and I did get back one of my important files.

My antivirus seemed to stop their desktop highjacking so I never saw the popup window that says how long you have been infected but I think it's going on 48 hours.

Thanks again and I'll look thru these replies a little closer.

TB

Check here: https://en.bitcoin.it/wiki/How_To_Buy_Bitcoins_With_Your_Credit_Card

Also https://bit-x.com/

Check these links, you may be able to decrypt your files.

https://support.kaspersky.com/viruses/disinfection/8005

https://noransom.kaspersky.com/

https://blog.kaspersky.com/coinvault-ransomware-removal-instruction/


Hope now you understand how important backups are.

When you will have the bitcoins (also through cash) I suggest you to try a double spend transaction, but I do not know if it will work at 100%. Try to check this section 'https://bitcointalk.org/index.php?board=53.0' maybe you will find someone who will sell you some bitcoins.

Where are you located?

I may be able to help you acquire the bitcoins you need at a fair and reasonable price.

Send me a message if you'd like my help.

I highly doubt the attackers will decrypt any files. It would be better if you could restore a backup.

Either way, you should install an antivirus and always backup your files.

If you don't have a backup, you are taking a risk that they won't decrypt it.  But if that is your only option, then it is worth a try.

However, you can try coinbase.com and buy coins there. It depends on your location though. They are not available everywhere.  I am not sure if they do credit cards or only bank accounts though.

Ah ok just a thought. I did say I'm no expert .

DO NOT do that unless you know exactly how to access, even then it will be encrypted so it's not going to take care of it..

Personally I would not pay the ransom, I assume given it's your professional files they are backed up somewhere so worst case you loose only some work.

Localbitcoins is a premium but just present yourself as a buyer and don't get into the reason you want 2.5 BTC and you will get it for maybe 15-20% over market price worst case, things are not nearly as bad as you state.

I don't know where you can buy bitcoins with credit cards I'm sorry. Think its because they can be charged back.

I'm no expert but cant you take the hard drive out and put it in another pc or connect it to another pc to access the files you need? I have these bloody thieving scumbags infecting peoples equipment with viruses then holding them tom ransom. It makes my blood boil.

First of all, you should never pay a ransom. The hackers likely won't decrypt anything after they receive the ransom. Instead, if you have a backup restore the backup. Since the computer is for work, your company should have backups that they can restore. Ask your company's IT department if they can help you.

If you want to buy bitcoin, most places will not accept paypal or credit card. This is because these can have chargebacks and exchanges have the possibility to be scammed. You can instead link your bank account to exchanges to buy bitcoin.

Lastly, since you are a new user, most exchanges will not let you buy large amounts of bitcoin. Instead of buying bitcoin to pay the ransom, you should have your company check it out and see if they can restore a backup and fix it.

Hello

To say I'm a noob is an understatement.

I need your help.  My work at home computer is infected by the TeslaCrypt virus, and after trying everything I can think of I had decided to pay the bleeping ransom to get back all the work I have lost.  Except that getting my hands on some bitcoins is not that easy, apparently.

Look, I just want to pay market value from paypal or my mastercard and buy 2.5 bitcoins.  I had no idea it would be so difficult.

I signed up at localbitcoins.com because that is what was suggested by the hackers.  But nobody there will sell me 2.5 bitcoins and they want a crazy amount more than market value for them.  So instead of $550 it's going to cost more like $1000.

I can't afford that.  I'm probably going to lose my job if I can't get these files back.  It's months of work.  I'm about to fall off the wagon here, I need help.

What is the safest way for me to buy some bitcoin, quickly, to satisfy the demands of this hacker?

Can I buy them anywhere that accepts credit cards and will that "address" work for ransom demander?

Please help me

Thanks

TB