Cryptolocker

Hi All, got this little beauty yesterday. The current patch doesn't get rid of it completely. Has anybody got any clues for me? At the moment I only have two victims to cope with, but as there's another 70-odd possibles I'd really like to get on top of this. Especially as they're all barristers/QCs. Thoughts? Thanks in advance, Nige

Accepted Solution
Reliable Contributor
Message 20 of 20

Re: Cryptolocker

Good news for anyone who still has files which were encrypted by Cryptolocker and was keeping them in hope of a solution being found.

A solution has been found! When Gameover/Zeus was taken down it also crippled the Cryptolocker operation. The gang running it tried to copy their database to a new server but the researchers managed to grab it, or a copy of it, including all the encryption keys.

So your files can now be decrypted if you send in one encrypted file.

The details are in many stories all over the web: I picked it up first from a BBC report, which has details and a link to the site where you can get the decryption key.

Ex_Brit has also posted (without the background) a link to that site, but it helps to read the story.

BBC news report: BBC News - Cryptolocker victims to get files back for free

Ex_Brit's link :


19 Replies

Re: Cryptolocker

I moved this from Community Interface help to Malware Discussions > Corporate User Assistance as that is where I think it belongs for better support.

There's a very reliable source of information on this here: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/ (see also the link in that first post).

In my case when/if these strike I immediately power off, reboot to Safe Mode and start System Restore.

See also the last link in my signature below.

Message was edited by: Ex_Brit on 09/10/13 11:05:02 EDT AM
McAfee Employee
Message 3 of 20

Re: Cryptolocker

Hi Nige,

The official Threat Advisory from McAfee for Cryptolocker/Crilock.A is as follows:

Threat Advisory: Ransom Cryptolocker

http://kc.mcafee.com/corporate/index?page=content&id=PD24786

Cheers!

Message was edited by: ianl on 10/13/13 9:01:24 PM CDT

Message was edited by: ianl (Corrected Typos) on 10/13/13 9:03:41 PM CDT
Reliable Contributor
Message 5 of 20

Re: Cryptolocker

techrumy wrote:

... details about this infection and possible methods of recovering

Recovering? You weren't paying attention.

If the malware succeeds in installing itself and establishing a connection with a remote C&C server it encrypts a range of file types using a 256-bit encryption key. That key - needed to decrypt the files - is itself encrypted using RSA and is passed back to the C&C server. The private key is unknowable (unless you've got NSA-scale processing capabilities), and the files are unrecoverable without the private key.

The best recovery method is to have a full and recent file system backup available. Some people would say wipe and format the disk and re-image the system. This should be followed by a full investigation into how the malware attack was allowed to be successful (and then by prompt action in every area where security is shown to be deficient).

There is usually a fixed period of time (72 hours) in which to pay the ransom demanded, after which the decryption key is supposedly deleted. However, paying a ransom to the Cryptolocker blackmailers does not guarantee that any key provided for decryption will work. Sometimes it does; sometimes not.

Moral: don't allow any part of a corporate network to get infected. Unpatched endpoints and email attachments would seem to be a company's vulnerable areas.

CryptoLocker currently has the following infection vectors:

  • This infection was originally spread via emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain an attachment that when opened would infect the computer.
  • Currently dropped by Zbot infections disguised as PDF attachments
  • Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection.
  • Through Trojans that pretend to be programs required to view online videos. These are typically encountered through Porn sites.
Level 7
Message 6 of 20

Re: Cryptolocker

We created a free scan tool that finds CryptoLocker encrypted files and dumps the list into a CSV file. This is handy when trying to figure out what files need to be restored from backup.

http://omnispear.com/tools/cryptolocker-scan-tool
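An added example of how such an inventory scan can be built; it is not the omnispear tool and not code from this thread. It walks a directory tree, flags files whose leading bytes have ciphertext-like entropy, and writes the candidates to a CSV for the restore-from-backup step. The entropy heuristic, the 7.5 bits/byte threshold and the sample tree are assumptions of this example.

```python
import csv, math, os, tempfile
from collections import Counter
# Assumed heuristic: ciphertext is near 8 bits of entropy per byte, plain text and
# most documents far below. Compressed formats (zip, jpg) also score high, so a
# hit is a candidate to confirm against the backup catalogue, not proof.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Walk `root`; return one row per file whose head looks like ciphertext."""
    rows = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or unreadable: skip rather than mis-flag
            ent = shannon_entropy(head)
            if ent >= threshold:
                rows.append({"path": path, "size": os.path.getsize(path),
                             "entropy": round(ent, 3)})
    return rows

def write_csv(rows: list, out_path: str) -> None:
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["path", "size", "entropy"])
        writer.writeheader()
        writer.writerows(rows)

def demo() -> list:
    """Constructed sample tree: a readable brief plus random bytes standing in
    for a ciphertext blob. Returns the rows the scan flagged."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "brief.txt"), "w") as fh:
            fh.write("Skeleton argument for the appellant.\n" * 200)
        with open(os.path.join(d, "brief.docx"), "wb") as fh:
            fh.write(os.urandom(8192))  # constructed stand-in for ciphertext
        rows = scan_tree(d)
        write_csv(rows, os.path.join(d, "restore_list.csv"))
        return rows
```

Run `scan_tree` against a share and diff the CSV against the backup catalogue; anything flagged that has no recent backup copy is the real loss list.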

Level 7
Message 7 of 20

Re: Cryptolocker

Why would anyone want to download a "tool" from a member with just 1 post who joined less than 2 weeks ago?

NO one should ever download a fix from a website that is not cleared by the owners of that website.


Re: Cryptolocker

The Mods have deemed it OK...so far.

Level 7
Message 9 of 20

Re: Cryptolocker

Which mods? McAfee or the volunteer mods?

What is McAfee's stand on Cryptolocker? I.e. what, if any, version of McAfee prevents an install of Cryptolocker?


Are these forums just user-to-user or does McAfee have official staff here?

Message was edited by: locnar on 11/4/13 1:37:42 PM CST

Re: Cryptolocker

We are volunteers, we are the only Moderators. McAfee badged people are support staff.

I have no idea what McAfee's stand is against anything...all I know is that no antivirus can offer complete protection. We've already gone through steps and posted links to help.

I was merely pointing out that we let that post stand as the link therein was not deemed to be any kind of risk.
