Kudos0

CryptoLocker

Hi. My office has been decimated by a CryptoLocker attack. Many colleagues who didn't back up important docs have lost them forever. I'm terrified to log onto my work email from home and open any Word docs. The office uses Kaspersky AV which obviously was useless in preventing the CryptoLocker attack. Here at home I use NIS 2013 - am I protected against CryptoLocker?

Replies

Kudos2

Re: CryptoLocker

There are just probably quite a few droppers for it out there.


09-21-2013 03:49 PM - edited 09-21-2013 04:03 PM

 

I have given a program a go.

For the files that are encrypted, they cannot be decrypted. Say goodbye to them.

But with systems that have the Volume Shadow Copy Service running, from XP up to and including Windows 8, you can find backups of your personal files from the last date the copy service made copies of your files before you were infected and had your files encrypted.

This means that for XP and Windows 8 systems the Volume Shadow Copy Service (in Windows 8 it's called File History for the user) needs to be turned on by the user and set to automatic well in advance of the system being infected. Windows Vista and Windows 7 have the service set to Automatic by default, but not XP and Windows 8.

Once the ransomware is broken and removed, another program allows the user to manually look through dates in the Volume Shadow Copy to find each file and then copy them.

The user may still lose files due to any gap between the last Volume Shadow Copy date and the infection time, meaning some files were not backed up in the Volume Shadow Copy, so they are gone.

Quads

Kudos3

Re: CryptoLocker

The last message said I tried a program for the Shadow Copy etc.

 

Part of the Bleeping instructions, which gives the program below that lets you find the backups of just the encrypted files.

Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files

After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of Cryptolocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.


Are there any tools that can be used to decrypt the encrypted files?

Unfortunately at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or if you have System Restore, through the Shadow Volume Copies that are created every time a system restore is performed. More information about how to restore your files via Shadow Volume Copies can be found in the next section.


How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool:

hxxp://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.


How to restore your encrypted files from Shadow Volume Copies

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

To restore individual files you can right click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.

Due to the number of files encrypted by Cryptolocker, restoring them one-by-one can be a time consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.



To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.


Information about other malware that is being installed with Cryptolocker.

When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be droppers that install other malware as well. The most common malware that is being distributed with CryptoLocker appears to be Zbot. You will know you are infected with Zbot as there will be a registry key in the form of:


 

HKCU\Software\Microsoft\<random>

Under these keys you will see Value names and their data with what appears at first to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\Currentversion\Run to launch it.


How to determine which computer is infected with CryptoLocker on a network

On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.


Quads
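The Bleeping Computer excerpt above gives a responder four things to act on: the HKCU\Software\CryptoLocker\Files key that records every encrypted file, NTFS ownership of encrypted files as a pointer to the account (and so the workstation) the malware ran under, Shadow Volume Copies taken before the infection (the gap Quads warns about in the first reply shows up here as the shadow copy's creation time), and the Run-key persistence of the Zbot dropper. The PowerShell script below is an added example written for this thread; it is not ListCrilock, Shadow Explorer, or anything from Bleeping Computer or the poster. It assumes PowerShell 3.0 or later, an elevated prompt, that the malware has already been removed, and that the value names under the Files key are file paths (the '?' to '\' normalisation is an assumption about how some samples store them, not something stated above). The recovery folder D:\Recovered is a placeholder.

```powershell
# Added example for this thread; not ListCrilock, Shadow Explorer or any
# Bleeping Computer code. Run in an elevated PowerShell (3.0+) on the affected
# machine AFTER the infection has been removed.
Set-StrictMode -Version 2

# 1. Encrypted-file list from the key the infection writes, one value per file.
#    Assumption: value names are the file paths; some samples are said to store
#    them with '\' replaced by '?', so that is normalised here.
function Get-CryptoLockerFileList {
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    foreach ($name in (Get-Item -LiteralPath $key).GetValueNames()) {
        if ($name -ne '') { $name -replace '\?', '\' }   # '' is the (Default) value
    }
}

# 2. Encrypted files grouped by NTFS owner. On a share this names the account,
#    and therefore the workstation, the malware ran under.
function Get-EncryptedFileOwners {
    param([string[]]$Paths)
    $Paths | Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { (Get-Acl -LiteralPath $_).Owner } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{n='Owner';e={$_.Name}}, Count
}

# 3. When did encryption start? The malware rewrites each file, so the earliest
#    LastWriteTime among the encrypted files is a usable lower bound.
function Get-EncryptionStart {
    param([string[]]$Paths)
    $Paths | Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { (Get-Item -LiteralPath $_).LastWriteTime } |
        Sort-Object | Select-Object -First 1
}

# 4. Newest shadow copy of a drive that was taken before that time. Returns
#    nothing when no such copy exists, which is the "gap" the first reply warns of.
function Get-ShadowCopyBefore {
    param([string]$Drive, [datetime]$Before)
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive }
    if (-not $vol) { throw "No volume mounted as $Drive" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
}

# 5. Copy one file out of a shadow copy into a separate recovery folder. The
#    shadow device (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) is reached
#    through a temporary directory symlink, the same trick Shadow Explorer uses.
function Restore-FromShadowCopy {
    param($ShadowCopy, [string]$Path, [string]$DestinationDir)
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd.exe /c mklink /d "$link" "$($ShadowCopy.DeviceObject)\" | Out-Null  # trailing '\' required
    try {
        $relative = $Path.Substring(3)                     # drop 'C:\'
        $src = Join-Path $link $relative
        if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Not in shadow copy: $Path"; return }
        $dest = Join-Path $DestinationDir $relative
        New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
        Copy-Item -LiteralPath $src -Destination $dest -Force
        $dest
    } finally {
        cmd.exe /c rmdir "$link" | Out-Null                # removes only the link
    }
}

# 6. Zbot-style persistence: Run values whose command points under %AppData%.
function Get-SuspiciousRunEntries {
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path -LiteralPath $run)) { return }
    foreach ($p in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$env:APPDATA*") {
            [pscustomobject]@{ Name = $p.Name; Command = $p.Value }
        }
    }
}

# Usage
$files = @(Get-CryptoLockerFileList)
"Encrypted files recorded in the registry: $($files.Count)"
Get-EncryptedFileOwners -Paths $files | Format-Table -AutoSize
$start = Get-EncryptionStart -Paths $files
if ($start) {
    "Encryption appears to have started at $start"
    $sc = Get-ShadowCopyBefore -Drive 'C:' -Before $start
    if ($sc) {
        "Restoring from the shadow copy taken $($sc.InstallDate)"
        foreach ($f in $files | Where-Object { $_ -like 'C:\*' }) {
            Restore-FromShadowCopy -ShadowCopy $sc -Path $f -DestinationDir 'D:\Recovered'
        }
    } else { Write-Warning 'No shadow copy of C: predates the infection.' }
}
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

The restore copies into a separate folder rather than over the encrypted originals, so nothing further is lost if the chosen shadow copy turns out to be newer than the infection after all. For files on a network share, run the owner check against the server's own paths: the owner is what points you at the infected account, and the registry key only exists on the machine that did the encrypting.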

Kudos0

Re: CryptoLocker

Does NIS 2014 detect and block Cryptolocker?

Kudos0

Re: CryptoLocker

Trojan.Ransomcrypt.F   But as I said there is probably a lot of droppers out there and all it takes is one to get through now and then.

Kaspersky calls it Trojan-Ransom.Win32.Blocker.xxxx  (xxxx = letters for the variant I would say).

Quads

Kudos0

Re: CryptoLocker

Windows 7 64 Bit Sp1 Norton Security V 22.1.0.9
Kudos0

Re: CryptoLocker

You can also use Shadow Explorer to look for individual personal files inside the folders like in the screenshot above. So if you know the file(s) one by one that you are looking for you can then go about finding each file to restore instead of the whole folder. Takes longer, but that way you can just target the files wanted to retrieve, whether a document, video, music, picture etc.

Quads

Kudos0

Re: CryptoLocker

Thought I'd share these as well:

Removal and recovery:

http://deletemalware.blogspot.com/2013/10/remove-cryptolocker-virus-and-restore.html

Prevention:

http://goo.gl/LlAiY5

(original link: fooli**bleep**.com/vb6-projects/cryptoprevent/ but it got *bleep* automatically because of a bad word I guess, so I'm using Google shortener instead)

Cheers!

Kudos0

Re: CryptoLocker

Thank you... I did a download of the 2013 Uniblue driver scanner, then I did a Windows search with this nomenclature and when found, deleted it. Went back to the Control Panel and removed any Uniblue found.

Kudos0

Re: CryptoLocker

Adam,

Microsoft's Nanny mode moonlights here with that kind of messing but one way of defeating it for a good purpose is by eg adding spaces that are obvious and can be removed by the user. This has the advantage of preventing inadvertent clicking activating a link, especially one to an exe file (such links are forbidden by Forum rules anyway and are removed by moderators).

(original link: foolis h i t.com/vb6-projects/cryptoprevent/ but it got *bleep* automatically because of a bad word I guess, so I'm using Google shortener instead)

I dislike those shorteners because they can be an easy way to hide something dangerous and the browser Status Bar does not decode them as it does other links.

Hugh
Kudos0

Re: CryptoLocker

Hello All,

So, I am waiting for the answer to Gorg's question . . .

Does NIS 2014 detect and block cryptolocker?

Thanks and . . .

Best Respect,

Bob

Kudos0

Re: CryptoLocker

That has already been answered more than once on this forum, Including on this thread.

Quads

Kudos0

Re: CryptoLocker


Quads wrote:

That has already been answered more than once on this forum, Including on this thread.

Quads


Where?  I do not see it.

Kudos0

Re: CryptoLocker

Quads answered it by simply giving the name:

Quads wrote:

Trojan.Ransomcrypt.F   But as I said there is probably a lot of droppers out there and all it takes is one to get through now and then.

 

Kaspersky calls it Trojan-Ransom.Win32.Blocker.xxxx  (xxxx = letters for the variant I would say).


Win8.1 | NIS 21 | NSM | MBAM Pro | Spybot S&D | SpywareBlaster | KeyScrambler Prem | Secunia PSI | TrueCrypt | CCleaner | JV16 PowerTools | PerfectDisk Pro// NIS Settings: Aggressive Heuristics / Aggressive SONAR / Aggressive Boot Time ~ www.needGod.com
Kudos1

Re: CryptoLocker


SecurePC wrote:
Quads answered it by simply giving the name:

Quads wrote:

Trojan.Ransomcrypt.F   But as I said there is probably a lot of droppers out there and all it takes is one to get through now and then.

 

Kaspersky calls it Trojan-Ransom.Win32.Blocker.xxxx  (xxxx = letters for the variant I would say).



Yes, but we aren't code readers here and since we don't charge by the word it would have been more helpful if Quads had said:

Norton detects it as ...

Is detecting the same as blocking? One would hope so but ......

It's nice when people know a lot share it with those of us who don't.

Hugh
Kudos0

Re: CryptoLocker


AMEN.

Kudos1

Re: CryptoLocker


huwyngr wrote:

Yes, but we aren't code readers here and since we don't charge by the word it would have been more helpful if Quads had said:

Norton detects it as ...

Is detecting the same as blocking? One would hope so but ......

It's nice when people know a lot share it with those of us who don't.


Detected means blocked / handled per current remediation procedures (for Norton products).

Win7 x32 SP1
Kudos0

Re: CryptoLocker

This is how I see it:

The Question:

Does NIS 2014 detect and block cryptolocker?

The answer required: 

A simple Yes or No.

What is so difficult about Quads saying one word or the other?

Yes, I am tired of the games people play!

Kudos0

Re: CryptoLocker

The problem is it is not one threat.  Like many other malware there are different variants.  Take FBI ransomware for example - it looks the same but it actually has many different versions.

Windows 7 Home Premium x64 SP1 *|*|* Norton Security with Backup v22.1.0.9
Kudos0

Re: CryptoLocker


huwyngr wrote:

SecurePC wrote:
Quads answered it by simply giving the name:

Quads wrote:

Trojan.Ransomcrypt.F   But as I said there is probably a lot of droppers out there and all it takes is one to get through now and then.

 

Kaspersky calls it Trojan-Ransom.Win32.Blocker.xxxx  (xxxx = letters for the variant I would say).



Yes, but we aren't code readers here and since we don't charge by the word it would have been more helpful if Quads had said:

Norton detects it as ...

Is detecting the same as blocking? One would hope so but ......

It's nice when people know a lot share it with those of us who don't.


 

I also stated here, http://community.norton.com/t5/Malware-Discussion/CryptoLocker-Virus/m-p/1040439#M5347 

 

"Yes, but we aren't code readers here and since we don't charge by the word it would have been more helpful if Quads had said:"

So this forum contradicts itself, in that case. From "we can all do the likes of malware removal" blah blah that has appeared in talks on the forum over the years. But yet hmmmm can't understand what is said, can't understand what is going on in the system, some can't read the logs, can't figure what is infecting the system, so use MBAM, Spybot, System Restore, and other programs........................... But we don't read code or understand malware.

"It's nice when people know a lot share it with those of us who don't."    No,  giving info to users who think hey I can do this or that, not I can do this or that.   Is Dangerous in itself and I will not explain anything to the guys here like with Ransomware, Zeroaccess, or other malware as users here already think they know,  I am not going to add any knowledge to that danger.

 

Users can all do everything that that is stepped in oh try this or that, then the answers should already be known.

 

If actual, Malware Remover groups or the likes of Tech Support, SSR (Security Response) ask for info, or why something happens with NPE, or some malware groups  I will give the data, info, answers or files I may have.

But that does not show on the forum boards for the rest of the users to then think they know now and will give anything a go.

 

Sometimes the best way is to know no knowledge at all except the "I don't know".

Quads

Kudos0

Re: CryptoLocker

Quads ...

You still don't get it.

The "code" I was referring was your opaque language.

If you don't want to communicate clearly don't hide behind statements about not communicating dangerous information -- just refrain from commenting but don't obfusc.

As for << I also stated here, http://community.norton.com/t5/Malware-Discussion/CryptoLocker-Virus/m-p/1040439#M5347   >> that reference does not appear in this thread. It's not helpful to expect a user to search in different forums for the answer when the reply is so concise.

Hugh
Kudos0

Re: CryptoLocker

I get it.   If  people do not understand  then so be it,   it will keep people out of the area 

When I was at the mall doing what I do and some female workers were in the group with me and started talking clothes, makeup, and words and code that goes with that, I sat there. I didn't understand their code but the females all knew what was said, but I didn't....... I sat there and stayed out of it, just listening with a puzzled look on my face.

But  I did not understand.  so did not go near.

Quads

Kudos0

Re: CryptoLocker

To what area are you referring to when they simply want to know in clear terms is whether they are protected against a malicious program they really do not want to get?

Win8.1 | NIS 21 | NSM | MBAM Pro | Spybot S&D | SpywareBlaster | KeyScrambler Prem | Secunia PSI | TrueCrypt | CCleaner | JV16 PowerTools | PerfectDisk Pro// NIS Settings: Aggressive Heuristics / Aggressive SONAR / Aggressive Boot Time ~ www.needGod.com
Kudos2

Re: CryptoLocker

A fully updated Norton should protect against CryptoLocker.

However, as you should know, no security solution is 100% so a layered solution, IMO, is best.

I run NIS 2014 and Malwarebytes. I run a full Norton scan every morning at 6, MB runs a quick scan at 2 and HitmanPro runs a quick scan at 10.

But I'm a virusphobe, so maybe for your peace of mind you don't need all that.

And don't worry, a lot of people on this forum are here less to help others and more to show off how much they (supposedly) know.

Feel free to inbox me if I can help in any way

Kudos0

Re: CryptoLocker

See my answer at the end of the thread

Kudos0

Re: CryptoLocker


jmachats wrote:

A fully updated Norton should protect against CryptoLocker.

However, as you should know, no security solution is 100% so a layered solution, IMO, is best.

I run NIS 2014 and Malwarebytes. I run a full Norton scan every morning at 6, MB runs a quick scan at 2 and HitmanPro runs a quick scan at 10.

But I'm a virusphobe, so maybe for your peace of mind you don't need all that.

And don't worry, a lot of people on this forum are here less to help others and more to show off how much they (supposedly) know.

Feel free to inbox me if I can help in any way


Good point about the "no 100% guarantee protection" point. I recall years ago, I had thought otherwise... I'm protected completely as long as I was running a mainline AV product.

If you're one, then so am I 

I do about the same thing, use scanner tools daily.  The way I look at it is that the tools are available to use (Norton & MBAM scans) so I give them a workout :).

I like to run my scan overnight when the PC isn't in use.

I don't have a 3rd scanner though. That's something I've been thinking about lately although I haven't had the need as yet to install a 3rd protection tool.

Good advice :)

Kudos1

Re: CryptoLocker

Of course, in the case of a malicious program like Cryptolocker, one wants to prevent it from getting on their systems to begin with, or at the very least, detect it and remove it before it can do its damage, which means on-demand/scheduled secondary scanners would be unlikely to deal with the program before it has a chance to begin encrypting one's files...

Win8.1 | NIS 21 | NSM | MBAM Pro | Spybot S&D | SpywareBlaster | KeyScrambler Prem | Secunia PSI | TrueCrypt | CCleaner | JV16 PowerTools | PerfectDisk Pro// NIS Settings: Aggressive Heuristics / Aggressive SONAR / Aggressive Boot Time ~ www.needGod.com
Kudos0

Re: CryptoLocker


SecurePC wrote:

Of course, in the case of a malicious program like Cryptolocker, one wants to prevent it from getting on their systems to begin with, or at the very least, detect it and remove it before it can do its damage, which means on-demand/scheduled secondary scanners would be unlikely to deal with the program before it has a chance to begin encrypting one's files...


   Good point.

I'm most likely in the minority when it comes to the PC protection expectations with AV's and 2nd-opinion tools. 

If they block the majority of threats and are able to detect an intrusion that got past their defenses, I'm ok with that since anything that gets into my HDD can be fixed without too much time invested by replacing the HDD with a cloned spare or image recovery.

That's the main reason I run overnight scans, to detect something that's present on the HDD. If it's known to be there, that's the important part for me.

Kudos1

Re: CryptoLocker

Exactly. I think the biggest lesson of Cryptolocker is - BACKUP BACKUP BACKUP! REGULARLY

I did read somewhere that it doesn't encrypt your files immediately, so if you can get something in there before it completes the process you might be able to save at least some files.

Exactly how long it is between infection and total encryption, I don't know.

Sophos has a video of the virus in action, might be worth a look. Hope I can post it here!

http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/

Kudos1

Re: CryptoLocker

Hope the advice helps! Prevention is always better than cure but even the best practices aren't a guarantee against something going wrong. As I said in a previous post the biggest lesson of Cryptolocker is - BACKUP BACKUP BACKUP

For me the third scanner (and I have several others; only those three run on a schedule) was important because my surfing is, shall we say, adventurous, so I wanted max protection.

I didn't put as extensive a protocol on my sister's computer because she is super-careful about emails and attachments she opens, sites she visits, stuff she downloads etc.

Here's an excellent guide on keeping virus free (except for the horrible product recommends: Spybot/MSE are junk - the advice is solid)

http://www.groovypost.com/howto/groovytip/security-guide-keep-your-computer-virus-free/

Kudos0

Re: CryptoLocker


jmachats wrote:

Exactly. I think the biggest lesson of Cryptolocker is - BACKUP BACKUP BACKUP! REGULARLY

I did read somewhere that it doesn't encrypt your files immediately, so if you can get something in there before it completes the process you might be able to save at least some files.

Exactly how long it is between infection and total encryption, I don't know.

Sophos has a video of the virus in action, might be worth a look. Hope I can post it here!

http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/


Thanks for posting the link. Good read. The only part that concerns me is this part from the article:

"Malware that encrypts your data and tries to sell it back to you, or else, is not new.

In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989.

That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama."

Fortunately I don't hear about such delayed-trigger attacks much.  That one would be a tough situation.  I have an emergency cloned HDD that's several months old but it would take a while to update it if I had to install it.

The good part about this is that the user should know fairly soon if they've been hit by this since the popup dialog will appear asking for the ransom fee. 


jmachats wrote:

Hope the advice helps! Prevention is always better than cure but even the best practices aren't a guarantee against something going wrong. As I said in a previous post the biggest lesson of Cryptolocker is - BACKUP BACKUP BACKUP

For me the third scanner (and I have several others; only those three run on a schedule) was important because my surfing is, shall we say, adventurous, so I wanted max protection.

I didn't put as extensive a protocol on my sister's computer because she is super-careful about emails and attachments she opens, sites she visits, stuff she downloads etc.

Here's an excellent guide on keeping virus free (except for the horrible product recommends: Spybot/MSE are junk - the advice is solid)
http://www.groovypost.com/howto/groovytip/security-guide-keep-your-computer-virus-free/


Very good article for prevention advice. Thanks for posting.

Kudos0

Re: CryptoLocker

Question for Quads

Will the following configuration prevent CryptoLocker infection regardless of unknown droppers?

Windows 8.1 Enterprise Edition with NIS 2014 + Malwarebytes + AppLocker (with specific rules for each executable in the folders "Program Files", "Program Files (x86)" and "Windows")
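The question above is the one prevention control in this thread that does not depend on a signature: the Bleeping Computer excerpt earlier says the dropper lands in %Temp% and the main executable in a random folder under %AppData%, and neither of those is somewhere a standard user should be launching programs from. The script below is an added example written for this thread, not the poster's configuration or any product's code. It builds an AppLocker EXE-rule policy that allows executables only from the Program Files and Windows folders (plus everything for local administrators), tests it against a constructed "dropper" path, and applies it in audit mode. It assumes an edition that enforces AppLocker (Windows 8.1 Enterprise qualifies), an elevated prompt, and the Application Identity service running; the folder name Rkwoh and the file evil.exe are made up for the test.

```powershell
# Added example for this thread, not the poster's configuration. Builds an
# AppLocker EXE policy that allows executables only from Program Files and
# Windows (plus anything for local administrators), so a dropper written to
# %AppData% or %Temp% cannot launch. Needs an edition that enforces AppLocker
# (e.g. Windows 8.1 Enterprise), an elevated prompt, and the Application
# Identity service (AppIDSvc) running.
Import-Module AppLocker

function New-CryptoLockerPathPolicy {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    # AppLocker's own path variables: %PROGRAMFILES% matches both Program Files
    # folders, %WINDIR% the Windows directory. S-1-1-0 is Everyone;
    # S-1-5-32-544 is BUILTIN\Administrators.
    $rules = @(
        @{ Name = 'Allow Program Files';  Path = '%PROGRAMFILES%\*'; Sid = 'S-1-1-0' },
        @{ Name = 'Allow Windows';        Path = '%WINDIR%\*';       Sid = 'S-1-1-0' },
        @{ Name = 'Allow administrators'; Path = '*';                Sid = 'S-1-5-32-544' }
    )
    $ruleXml = foreach ($r in $rules) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$($r.Name)" Description="" UserOrGroupSid="$($r.Sid)" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$($r.Path)" />
      </Conditions>
    </FilePathRule>
"@
    }
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($ruleXml -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyFile = Join-Path $env:TEMP 'cryptolocker-applocker.xml'
[System.IO.File]::WriteAllText($policyFile, (New-CryptoLockerPathPolicy -Mode AuditOnly))

# Dry run: a real binary in Program Files versus a copy of notepad.exe dropped
# into a random-looking %AppData% folder (constructed here only for the test).
$dropDir = Join-Path $env:APPDATA 'Rkwoh'       # hypothetical dropper folder
New-Item -ItemType Directory -Force -Path $dropDir | Out-Null
Copy-Item "$env:WINDIR\System32\notepad.exe" (Join-Path $dropDir 'evil.exe')
$probe = @("$env:ProgramFiles\Internet Explorer\iexplore.exe", (Join-Path $dropDir 'evil.exe'))
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
Remove-Item -Recurse -Force $dropDir

# Apply in audit mode first; watch the AppLocker log (Microsoft-Windows-AppLocker/
# EXE and DLL, event 8003 = "would have been blocked") for a few days, then
# re-run with -Mode Enabled once nothing legitimate is being flagged.
Set-AppLockerPolicy -XmlPolicy $policyFile
```

Two caveats a practitioner would add. Path rules are only as strong as the ACLs on the allowed folders: if a standard user can write into a subfolder of %WINDIR% or %PROGRAMFILES% (C:\Windows\Tasks and C:\Windows\Temp are the classic examples), an executable dropped there is allowed, so either verify users cannot write anywhere under those trees or use publisher rules for the software you actually run. And AppLocker only stops the dropper from executing; it does nothing for a file that is already encrypted or for a document-borne payload that never becomes an EXE, which is why the replies above keep coming back to backups.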

Kudos0

Re: CryptoLocker

This entire thread is getting a bit ridiculous.

Ask yourself this, would Symantec really want to be the only A/V company that didn't protect against cryptolocker?

Just be smart and don't open attachments from people you do not know. If an email is phished and is sending out mass emails that's a red flag.

Windows 8.1 Pro 64-bit / Norton Internet Security v.21.x
Kudos0

Re: CryptoLocker

I have read all the messages in this thread but still can not determine if NIS will detect Cryptolocker or not. I am just a plain user that is confused. I see "should detect", and "Norton would not want to be the only Security program not to detect" but I still do not see a simple answer. NIS seems to detect things in my email arriving on my machine and block bad things and also seems to check any downloads I do. So I would expect NIS to detect and block cryptolocker when it arrives at my machine. But I would feel better if Norton gave a simple yes/no answer. I am not real sure what the name dropper means and how it applies but I assume that it would mean that the attack had different names and showed up differently in different emails. I would expect most other malware would do the same over time so I would expect that NIS would be updated regularly to catch any new variant.

Thanks,

Jeff

Kudos0

Re: CryptoLocker

I have given "Yes / No" answers.

And what do you think definition updates are for??

Quads

Kudos0

Re: CryptoLocker


jmcspadd wrote:

I have read all the messages in this thread but still can not determine if NIS will detect Cryptolocker or not. I am just a plain user that is confused. I see "should detect", and "Norton would not want to be the only Security program not to detect" but I still do not see a simple answer. NIS seems to detect things in my email arriving on my machine and block bad things and also seems to check any downloads I do. So I would expect NIS to detect and block cryptolocker when it arrives at my machine. But I would feel better if Norton gave a simple yes/no answer. I am not real sure what the name dropper means and how it applies but I assume that it would mean that the attack had different names and showed up differently in different emails. I would expect most other malware would do the same over time so I would expect that NIS would be updated regularly to catch any new variant.

Thanks,

Jeff


Hi  

I understand your concerns about Cryptolocker.  The thing to keep in mind is that no AV, Norton, or any other product that's available, can offer complete protection against all threats.

With a 2nd-opinion tool, such as MBAM, etc, that is designed to detect items that some AVs may not detect, the odds of blocking attacks are better.

My advice is the same for all PC owners, backup your important items and also set up and run a complete hard drive recovery scheme, ie, imaging or cloning, so that you'll be able to restore your PC in a fairly fast timeframe and thus remove all infections and their effects on your PC.
