10-15-2013 11:18 AM
Hi. My office has been decimated by a CryptoLocker attack. Many colleagues who didn't back up important docs have lost them forever. I'm terrified to log onto my work email from home and open any word docs. The office uses Kaspersky AV which obviously was useless in preventing the CryptoLocker attack. Here at home I use NIS 2013 - am I protected against CryptoLocker ?
10-15-2013 04:17 PM
There are probably quite a few droppers for it out there.
09-21-2013 03:49 PM - edited 09-21-2013 04:03 PM
I have given a program a go.
The files that are encrypted cannot be decrypted; say goodbye to them.
But with systems that have the Volume Shadow Copy Service running, from XP up to and including Windows 8, you can find backups of your personal files from the last date the copy service made copies of your files before you were infected and had your files encrypted.
This means that for XP and Windows 8 systems the Volume Shadow Copy Service (in Windows 8 it's called File History for the user) needs to be turned on by the user and set to Automatic well in advance of the system being infected. Windows Vista and Windows 7 have the service set to Automatic by default, but XP and Windows 8 do not.
Once the ransomware is broken and removed, another program allows the user to manually look through dates in the Volume Shadow Copy to find each file and then copy them.
The user may still lose files due to any gap between the last Volume Shadow Copy date and the infection time, meaning some files were not backed up in the Volume Shadow Copy, so they are gone.
10-15-2013 04:18 PM
The last message said I tried a program for the Shadow Copy etc.
Part of the Bleeping instructions, which give the program below that lets you find the backups of just the encrypted files:
Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files
After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of CryptoLocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.
Are there any tools that can be used to decrypt the encrypted files?
Unfortunately, at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or if you have System Restore, through the Shadow Volume Copies that are created every time a system restore is performed. More information about how to restore your files via Shadow Volume Copies can be found in the next section.
How to generate a list of files that have been encrypted
If you wish to generate a list of files that have been encrypted, you can download this tool:
When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.
How to restore your encrypted files from Shadow Volume Copies
If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.
To restore individual files you can right-click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.
Due to the amount of files encrypted by Cryptolocker, restoring them one-by-one can be a time consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.
To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.
Information about other malware that is being installed with CryptoLocker.
When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be droppers that install other malware as well. The most common malware that is being distributed with CryptoLocker appears to be Zbot. You will know you are infected with Zbot as there will be a registry key in the form of:
Under these keys you will see Value names and their data with what appears at first to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\Currentversion\Run to launch it.
How to determine which computer is infected with CryptoLocker on a network
On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.
You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.
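As an added example (not the Bleeping Computer tool referred to above, and not part of the thread), a PowerShell script that builds the same kind of encrypted-file log from the HKCU\Software\CryptoLocker\Files key the post mentions and then groups the files by their on-disk owner, which is the identification hint from the last section. The log path and the treatment of each value name as a file path (with '?' standing in for '\') are assumptions, not something the post states.

```powershell
# Added example: list the files CryptoLocker recorded under its registry key,
# write them to a log and show who owns each file on disk.
# Run it in the profile of the affected user (the key lives under HKCU).
# Assumption: every value name under the key is the path of one encrypted
# file; the '?' -> '\' substitution below is an assumption about the encoding.
$KeyPath = 'HKCU:\Software\CryptoLocker\Files'
$LogPath = Join-Path $env:USERPROFILE 'Desktop\CryptoLocker-Files.txt'   # placeholder

function Get-CryptoLockerFileList {
    param([string]$Key = $KeyPath)
    if (-not (Test-Path $Key)) {
        Write-Warning "Registry key $Key not found; this profile may not be the infected one."
        return @()
    }
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        # Normalise the recorded name into a Windows path (encoding assumption).
        $path   = $name -replace '\?', '\'
        $exists = Test-Path -LiteralPath $path
        $owner  = $null
        if ($exists) {
            try { $owner = (Get-Acl -LiteralPath $path).Owner } catch { $owner = 'unknown' }
        }
        [pscustomobject]@{ Path = $path; Exists = $exists; Owner = $owner }
    }
}

$files = @(Get-CryptoLockerFileList)
$files | Select-Object -ExpandProperty Path | Set-Content -Path $LogPath -Encoding UTF8

# Owners seen across the encrypted files: on a network share the dominant owner
# is the account (and therefore the machine) the infection ran under.
$files | Where-Object Exists | Group-Object Owner |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

Write-Host "Wrote $($files.Count) paths to $LogPath"
notepad.exe $LogPath
```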
10-15-2013 06:18 PM
Trojan.Ransomcrypt.F. But as I said, there are probably a lot of droppers out there, and all it takes is one to get through now and then.
Kaspersky calls it Trojan-Ransom.Win32.Blocker.xxxx (xxxx = letters for the variant I would say).
10-16-2013 12:54 AM
You can also use Shadow Explorer to look for individual personal files inside the folders, like in the screenshot above. So if you know the file(s) one by one that you are looking for, you can then go about finding each file to restore instead of the whole folder. It takes longer, but that way you can just target the files you want to retrieve, whether a document, video, music, picture etc.
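Added example, not Shadow Explorer and not from anyone in the thread: a PowerShell 3+ script, run from an elevated prompt, that picks the newest shadow copy taken before a given infection time and restores one file from it, the one-file-at-a-time approach described above. The infection time, source file and destination are placeholders.

```powershell
# Added example: restore a single file from the newest shadow copy that predates
# the infection. The snapshot's device path is exposed through a temporary
# directory symlink because Copy-Item cannot open \\?\GLOBALROOT paths directly.
# Assumptions: PowerShell 3 or later, elevated prompt, placeholder values below.
$InfectedAt = Get-Date '2013-10-15 09:00'                  # placeholder
$Volume     = 'C:'                                        # volume holding the file
$Target     = 'C:\Users\Alice\Documents\budget.xlsx'      # placeholder
$RestoreTo  = 'C:\Recovered\budget.xlsx'                  # placeholder

function Get-ShadowCopyBefore {
    param([datetime]$Before, [string]$DriveLetter)
    # Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID (\\?\Volume{...}\).
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending |
        Select-Object -First 1
}

function Restore-FromShadowCopy {
    param($Shadow, [string]$FilePath, [string]$Destination)
    $link = Join-Path $env:TEMP ('shadow_' + $Shadow.ID.Trim('{}'))
    # mklink needs the trailing backslash on the snapshot device path.
    cmd /c mklink /d "$link" "$($Shadow.DeviceObject)\" | Out-Null
    try {
        $relative = $FilePath -replace '^[A-Za-z]:\\', ''   # path without the drive prefix
        $source   = Join-Path $link $relative
        if (-not (Test-Path -LiteralPath $source)) { throw "Not present in this snapshot: $source" }
        New-Item -ItemType Directory -Force -Path (Split-Path $Destination) | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination
        Get-Item -LiteralPath $Destination
    } finally {
        cmd /c rmdir "$link" | Out-Null      # removes only the link, not the snapshot
    }
}

$shadow = Get-ShadowCopyBefore -Before $InfectedAt -DriveLetter $Volume
if (-not $shadow) { throw "No shadow copy of $Volume older than $InfectedAt; nothing to restore." }
Write-Host "Restoring from snapshot taken $($shadow.InstallDate)"
Restore-FromShadowCopy -Shadow $shadow -FilePath $Target -Destination $RestoreTo
```

The same two functions restore a whole folder by pointing `Copy-Item` at a directory with `-Recurse`; the snapshot chosen is the last one before `$InfectedAt`, so anything changed between that snapshot and the infection is not in it.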
10-23-2013 11:15 AM - edited 10-23-2013 11:21 AM
Thought I'd share these as well:
Removal and recovery:
(original link: fooli**bleep**.com/vb6-projects/cryptoprevent/ but it got *bleep* automatically because of a bad word I guess, so I'm using Google shortener instead)
10-23-2013 12:00 PM
Thank you... I did a download of the 2013 Uniblue driver scanner, then I did a Windows search with this nomenclature and, when found, deleted. Went back to the Control Panel and removed any Uniblue found.
10-23-2013 06:42 PM - edited 10-23-2013 06:44 PM
Microsoft's Nanny mode moonlights here with that kind of messing, but one way of defeating it for a good purpose is, e.g., adding spaces that are obvious and can be removed by the user. This has the advantage of preventing inadvertent clicking activating a link, especially one to an exe file (such links are forbidden by Forum rules anyway and are removed by moderators).
(original link: foolis h i t.com/vb6-projects/cryptoprevent/ but it got *bleep* automatically because of a bad word I guess, so I'm using Google shortener instead)
I dislike those shorteners because they can be an easy way to hide something dangerous and the browser Status Bar does not decode them as it does other links.