Visitor
scumdog
Posts: 4
Registered: 11-04-2011

CryptoLocker

Hi. My office has been decimated by a CryptoLocker attack. Many colleagues who didn't back up important docs have lost them forever. I'm terrified to log onto my work email from home and open any Word docs. The office uses Kaspersky AV, which obviously was useless in preventing the CryptoLocker attack. Here at home I use NIS 2013. Am I protected against CryptoLocker?

Bot Obliterator
Quads
Posts: 16,436
Registered: 07-21-2008

Re: CryptoLocker

There are probably quite a few droppers for it out there.

I have given a program a go.

For the files that are encrypted, they cannot be decrypted. Say goodbye to them.

But with systems that have the Volume Shadow Copy Service running, from XP up to and including Windows 8, you can find backups of your personal files from the last date the copy service made copies of your files before you were infected and had your files encrypted.

This means that for XP and Windows 8 systems the Volume Shadow Copy Service (in Windows 8 it's called File History for the user) needs to be turned on by the user and set to Automatic well in advance of the system being infected. Windows Vista and Windows 7 have the service set to Automatic by default, but not XP and Windows 8.

Once the ransomware is broken and removed, another program allows the user to manually look through dates in the Volume Shadow Copy to find each file and then copy them.

The user may still lose files due to any gap between the last Volume Shadow Copy date and the infection time, meaning some files were not backed up in the Volume Shadow Copy, so they are gone.

Quads
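An added PowerShell check (not from the post or from any tool it mentions) for the point above: it reports the Volume Shadow Copy Service startup type and lists the snapshots that actually exist per volume, newest first, so you can see the last restore point that predates an infection. It assumes an elevated prompt on Vista or later; note that on Vista/7 the service starts on demand, so a 'Manual' startup type by itself does not mean snapshots are missing.

```powershell
# Added example: report VSS service state and existing shadow copies. Run as Administrator.
$svc = Get-WmiObject Win32_Service -Filter "Name='VSS'"
"VSS service: state={0} startup={1}" -f $svc.State, $svc.StartMode
# StartMode 'Manual' is normal on Vista/7: VSS is started on demand when a snapshot is
# requested. What matters for recovery is that snapshots exist, which the list below shows.

# Map volume GUID paths to drive letters so the output is readable.
$letters = @{}
Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter } |
    ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }

# Existing snapshots, newest first. InstallDate is a CIM datetime string and must be converted.
$copies = Get-WmiObject Win32_ShadowCopy | ForEach-Object {
    [pscustomobject]@{
        Created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
        Drive   = $letters[$_.VolumeName]
        Id      = $_.ID
    }
} | Sort-Object Created -Descending

if (-not $copies) {
    "No shadow copies exist: Previous Versions will have nothing to restore from."
} else {
    $copies | Format-Table -AutoSize
    # Newest snapshot per drive: anything written after this time is not recoverable via VSS.
    $copies | Group-Object Drive | ForEach-Object {
        "{0}: newest snapshot {1}" -f $_.Name, ($_.Group | Select-Object -First 1).Created
    }
}
```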

Bot Obliterator
Quads
Posts: 16,436
Registered: 07-21-2008

Re: CryptoLocker

The last message said I tried a program for the Shadow Copy etc.

Part of the Bleeping instructions, which gives the program below, which in turn gives you the ability to find the backups of just the encrypted files:

Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files

After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of CryptoLocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.


Are there any tools that can be used to decrypt the encrypted files?

Unfortunately at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or if you have System Restore, through the Shadow Volume Copies that are created every time a system restore point is made. More information about how to restore your files via Shadow Volume Copies can be found in the next section.


How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool:

hxxp://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.


How to restore your encrypted files from Shadow Volume Copies

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

To restore individual files you can right click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.

Due to the number of files encrypted by CryptoLocker, restoring them one-by-one can be a time consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version, as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.

[Screenshot: shadow-explorer.jpg, the Shadow Explorer drive and date selection]

To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.


Information about other malware that is being installed with CryptoLocker.

When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be droppers that install other malware as well. The most common malware that is being distributed with CryptoLocker appears to be Zbot. You will know you are infected with Zbot as there will be a registry key in the form of:

HKCU\Software\Microsoft\<random>

Under these keys you will see Value names and their data with what appears at first to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\Currentversion\Run to launch it.


How to determine which computer is infected with CryptoLocker on a network

On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.


Quads
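Added PowerShell triage helpers (not from the thread, and not Bleeping Computer's ListCrilock) built on three indicators quoted above: the per-file values under HKCU\Software\CryptoLocker\Files, the ownership change on encrypted files on a share, and the Zbot Run entry under %AppData%. The share path, the extension subset and the '?'-for-'\' path encoding in the value names are assumptions; it needs PowerShell 3 or later and read access to the share.

```powershell
# Added example: CryptoLocker / Zbot triage from the indicators in the write-up above.
# Subset of the data-file extensions the write-up lists as CryptoLocker targets.
$TargetExt = '.doc','.docx','.xls','.xlsx','.ppt','.pptx','.jpg','.pst','.pem','.pfx','.p12'

# 1) Per-file registry entries: CryptoLocker records each encrypted file as a value name
#    under HKCU\Software\CryptoLocker\Files (the same key ListCrilock.exe reads).
function Get-CryptoLockerFileList {
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (-not (Test-Path $key)) { return @() }
    # Assumption: value names hold the path with '\' replaced by '?'; if a name already
    # looks like a path the replace is a no-op.
    (Get-Item $key).GetValueNames() | ForEach-Object { $_ -replace '\?', '\' }
}

# 2) On a file server, group recently written data files by NTFS owner. CryptoLocker changes
#    ownership of each file it encrypts to the account it runs under, so the owner with the
#    spike of recent writes points at the infected user and workstation.
function Find-CryptoLockerOwner {
    param(
        [string]$Path = '\\FILESERVER\Shared',        # placeholder share path
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $TargetExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                Modified = $_.LastWriteTime
            }
        } |
        Group-Object Owner | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Latest'; e = { ($_.Group | Measure-Object Modified -Maximum).Maximum } }
}

# 3) Zbot companion: a Run entry that launches something from a folder under %AppData%.
function Get-SuspiciousRunEntries {
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if (-not $run) { return @() }
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$env:APPDATA*" } |
        Select-Object Name, Value
}

Get-CryptoLockerFileList | Select-Object -First 20
Find-CryptoLockerOwner | Format-Table -AutoSize
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run the first and third functions on a suspect workstation as the affected user, and the second against the share from the file server, where Get-Acl can read every file's owner.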

Regular Contributor
Gorg
Posts: 59
Registered: 12-11-2008

Re: CryptoLocker

Does NIS 2014 detect and block Cryptolocker?

Bot Obliterator
Quads
Posts: 16,436
Registered: 07-21-2008

Re: CryptoLocker

Trojan.Ransomcrypt.F. But as I said, there are probably a lot of droppers out there and all it takes is one to get through now and then.

 

Kaspersky calls it Trojan-Ransom.Win32.Blocker.xxxx  (xxxx = letters for the variant I would say).


Quads

F4E
Posts: 2,780
Kudos: 540
Solutions: 115
Registered: 05-23-2009

Re: CryptoLocker

Also, some very interesting information here:

http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/

Windows 7 64 Bit Sp1 NIS V 21.2.0.38
Bot Obliterator
Quads
Posts: 16,436
Registered: 07-21-2008

Re: CryptoLocker

You can also use Shadow Explorer to look for individual personal files inside the folders, like in the screenshot above. So if you know the file(s) one by one that you are looking for, you can then go about finding each file to restore instead of the whole folder. It takes longer, but that way you can just target the files you want to retrieve, whether a document, video, music, picture etc.

Quads

Contributor
AdamW
Posts: 22
Registered: 07-02-2011

Re: CryptoLocker

[ Edited ]

Thought I'd share these as well:

Removal and recovery:

http://deletemalware.blogspot.com/2013/10/remove-cryptolocker-virus-and-restore.html

Prevention:

http://goo.gl/LlAiY5

(original link: fooli**bleep**.com/vb6-projects/cryptoprevent/ but it got *bleep* automatically because of a bad word I guess, so I'm using Google shortener instead)

Cheers!

Visitor
keepemout
Posts: 1
Registered: 10-23-2013

Re: CryptoLocker

Thank you... I did a download of the 2013 Uniblue driver scanner, then I did a Windows search with this nomenclature and, when found, deleted it. Went back to the Control Panel and removed any Uniblue found.

huwyngr
Posts: 20,994
Topics: 1,001
Kudos: 2,717
Solutions: 368
Registered: 04-13-2008

Re: CryptoLocker

[ Edited ]

Adam,

 

Microsoft's Nanny mode moonlights here with that kind of messing, but one way of defeating it for a good purpose is by e.g. adding spaces that are obvious and can be removed by the user. This has the advantage of preventing inadvertent clicking activating a link, especially one to an exe file (such links are forbidden by Forum rules anyway and are removed by moderators).

(original link: foolis h i t.com/vb6-projects/cryptoprevent/ but it got *bleep* automatically because of a bad word I guess, so I'm using Google shortener instead)

I dislike those shorteners because they can be an easy way to hide something dangerous, and the browser Status Bar does not decode them as it does other links.



Hugh