I have a computer infected with CryptoLocker Virus which has encrypted all the files. The user had the backup drive attached when the virus was activated so the backups are encrypted too.
I have uploaded a filename.doc.encrypted file to a website, but it returns: "Invalid file. The file does not seem to be infected by CryptoLocker."
The computer does not show any previous versions of files so the volume shadow copy seems to have been deleted even though there are restore points listed.
I do have an original file and an encrypted file, as I read that you could upload both to a site which could decipher the encryption from both states, but I can't locate this site.
Can anybody help me with this?
Link removed by Moderator as possibly unsafe
The OP mentioned his/her machine was infected with (Cryptolocker). Cryptowall is a descendant of Cryptolocker, if you will. Altogether a different "Ransomware". I posted an article on this months ago.
Here is a rather lengthy Guide in regards to (Cryptowall): CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ
I've seen this several times with CryptoLocker and CryptoWall (different variances). You need a backup of your files. Restore them from a previous point and use a command that will delete all infected files from the root.
VirusTotal Detection was on 10/7/14
The following doc is really good; especially the rule about "**\decrypt_Instruction.*" & "**.*encrypted"
It seems that the infection is a new variant of TorrentLocker, which is a copycat posing as CryptoLocker.
Before 11th September this infection was using an easy-to-decrypt XOR encryption method.
The tool to decrypt this variant is found here: http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-b...
Unfortunately, some researchers decided to publicly blog about this encryption method, which caused the malware developer to change the encryption to a much stronger and unbreakable decryption using AES. Due to this change, Nathan Scott's TorrentLocker decrypter no longer works on this infection.
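Why an XOR scheme is recoverable from the original/encrypted file pair mentioned in the question, as an added example that is not part of the original thread and is not the decrypter linked above. It assumes one keystream is reused for every file from offset 0 (the thread only says "XOR"); the keystream and all files below are constructed sample data.

```python
import hashlib

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .doc files


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """XOR a known original with its encrypted copy to expose the keystream."""
    return bytes(o ^ e for o, e in zip(original, encrypted))


def apply_keystream(encrypted: bytes, keystream: bytes) -> tuple[bytes, int]:
    """Decrypt as far as the keystream reaches; return (data, bytes_recovered)."""
    n = min(len(encrypted), len(keystream))
    head = bytes(c ^ k for c, k in zip(encrypted, keystream))
    return head + encrypted[n:], n  # tail beyond the keystream stays encrypted


def _constructed_keystream(length: int) -> bytes:
    """Stand-in for the unknown keystream; used only to build sample files."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"sample" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def demo() -> dict:
    secret = _constructed_keystream(256)
    toy_encrypt = lambda data: bytes(d ^ k for d, k in zip(data, secret))
    # Constructed sample files: two known pairs and one file to recover.
    known_small = OLE2_MAGIC + b"known small doc".ljust(40, b".")
    known_large = OLE2_MAGIC + b"A" * 120
    target = OLE2_MAGIC + b"quarterly report body " * 3
    locked = toy_encrypt(target)

    partial, n1 = apply_keystream(
        locked, recover_keystream(known_small, toy_encrypt(known_small)))
    full, n2 = apply_keystream(
        locked, recover_keystream(known_large, toy_encrypt(known_large)))
    return {
        "partial_bytes": n1, "partial_header_ok": partial.startswith(OLE2_MAGIC),
        "partial_complete": partial == target,
        "full_bytes": n2, "full_header_ok": full.startswith(OLE2_MAGIC),
        "full_complete": full == target,
    }


if __name__ == "__main__":
    print(demo())
```

A known pair only recovers as many bytes as the known original is long, so the largest available original gives the best coverage. Under AES, as in the later variant, a known pair yields nothing reusable.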