Hi All, got this little beauty yesterday. The current patch doesn't get rid of it completely. Has anybody got any clues for me? At the moment I only have two victims to cope with, but as there's another 70-odd possibles I'd really like to get on top of this. Especially as they're all barristers/QC's. Thoughts? Thanks in advance, Nige
Good news for anyone who still has files which were encrypted by Cryptolocker and was keeping them in hope of a solution being found.
A solution has been found! When Gameover/Zeus was taken down it also crippled the Cryptolocker operation. The gang running it tried to copy their database to a new server but the researchers managed to grab it, or a copy of it, including all the encryption keys.
So your files can now be decrypted if you send in one encrypted file.
The details are in many stories all over the web : I picked it up first from a BBC report, which has details and a link to the site where you can get the decryption key.
Ex_Brit has also posted (without the background) a link to that site, but it helps to read the story.
BBC news report : BBC News - Cryptolocker victims to get files back for free
I moved this from Community Interface help to Malware Discussions > Corporate User Assistance as that is where I think it belongs for better support.
There's a very reliable source of information on this here: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/ see also the link in that first post.
In my case when/if these strike I immediately power off, reboot to Safe Mode and start System Restore.
See also the last link in my signature below.
The official Threat Advisory from McAfee for Cryptolocker/Crilock.A is as follows:
Threat Advisory: Ransom Cryptolocker
Message was edited by: ianl on 10/13/13 9:01:24 PM CDT
Message was edited by: ianl (Corrected Typos) on 10/13/13 9:03:41 PM CDT
I thought these might be helpful as well; some more details about this infection and possible methods of recovering:
... details about this infection and possible methods of recovering
Recovering? You weren't paying attention.
If the malware succeeds in installing itself and establishing a connection with a remote C&C server it encrypts a range of file types using a 256-bit encryption key. That key - needed to decrypt the files - is itself encrypted using RSA and is passed back to the C&C server. The private key is unknowable (unless you've got NSA-scale processing capabilities), and the files are unrecoverable without the private key.
The best recovery method is to have a full and recent file system backup available. Some people would say wipe and format the disk and re-image the system. This should be followed by a full investigation into how the malware attack was allowed to be successful (and then by prompt action in every area where security is shown to be deficient).
There is usually a fixed period of time (72 hours) in which to pay the ransom demanded, after which the decryption key is supposedly deleted. However, paying a ransom to the Cryptolocker blackmailers does not guarantee that any key provided for decryption will work. Sometimes it does; sometimes not.
Moral : don't allow any part of a corporate network to get infected. Unpatched endpoints and email attachments would seem to be a company's vulnerable areas.
CryptoLocker currently has the following infection vectors:
We created a free scan tool that finds CryptoLocker-encrypted files and dumps the list into a CSV file. This is handy when trying to figure out what files need to be restored from backup.
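For anyone who would rather write their own than download an unknown member's tool, here is a defensive sketch of that idea as an added example (it is not the tool mentioned in the post above and is not from this thread). It walks a directory, flags files whose contents look like ciphertext, and writes the flagged paths to a CSV for a restore-from-backup list. The detection rule is an assumption of mine, not a CryptoLocker signature from the page: a file is flagged when the head of the file has near-random byte entropy and either its extension normally carries a known header that is now missing, or the extension has no known header at all. The header table, the entropy cut-off and the sample files are all constructed for the demo.

```python
"""Scan a directory tree for files that look encrypted and list them in a CSV.

Added example for restore triage. The heuristic (assumed, not from the thread):
flag a file when its byte entropy is near 8 bits/byte AND its expected file header
is missing (or the extension has no known header). Compressed formats such as zip
and jpg also have high entropy, which is why the header check matters.
"""
import csv
import math
import os
import random
import tempfile
from collections import Counter

# Assumed header table for a few common formats (not from the thread).
KNOWN_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, tune for your own estate
SAMPLE_BYTES = 65536      # only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str) -> dict:
    """Return one CSV row for a file; 'suspect' is True when it looks encrypted."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    magic = KNOWN_MAGIC.get(ext)
    header_ok = magic is None or head.startswith(magic)
    # A vanished header on a known format is the strong signal; high entropy alone is
    # normal for archives and images, so it only counts when no header is expected.
    suspect = entropy >= ENTROPY_THRESHOLD and (magic is None or not header_ok)
    return {"path": path, "size": os.path.getsize(path),
            "entropy": round(entropy, 3), "header_ok": header_ok, "suspect": suspect}

def scan_tree(root: str) -> list:
    """Classify every regular file under root (sorted per directory for stable output)."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            rows.append(classify_file(os.path.join(dirpath, name)))
    return rows

def write_csv(rows: list, out_path: str) -> int:
    """Write only the suspect rows to out_path; returns the number written."""
    suspects = [r for r in rows if r["suspect"]]
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["path", "size", "entropy", "header_ok", "suspect"])
        writer.writeheader()
        writer.writerows(suspects)
    return len(suspects)

def build_sample_tree() -> str:
    """Constructed sample files (not real victim data): two intact, two scrambled."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    rng = random.Random(1)
    scrambled = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    with open(os.path.join(root, "brief.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100)
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + scrambled)   # compressed data: high entropy, header intact
    with open(os.path.join(root, "pleading.docx"), "wb") as fh:
        fh.write(scrambled)                    # DOCX whose ZIP header is gone
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(scrambled)                    # extension with no known header
    return root

if __name__ == "__main__":
    demo_root = build_sample_tree()
    demo_rows = scan_tree(demo_root)
    count = write_csv(demo_rows, os.path.join(demo_root, "restore_list.csv"))
    print(f"{count} suspect file(s) listed in {demo_root}/restore_list.csv")
    for row in demo_rows:
        print(row)
```

Run it against a share by replacing `build_sample_tree()` with the path to scan; the CSV then feeds the restore job. Expect false positives on genuinely random-looking files with unknown extensions (encrypted archives, some database files), so treat the list as a triage aid and spot-check before restoring.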
Why would anyone want to download a "tool" from a member with just 1 post who joined less than 2 weeks ago.
NO one should ever download a fix from a website that is not cleared by the owners of that website.
Which mods? McAfee or the volunteer mods?
What is McAfee's stand on Cryptolocker? IE what if any version of McAfee prevents an install of cryptolocker?
Message was edited by: locnar on 11/4/13 1:37:42 PM CST
Are these forums just user2user or does McAfee have official staff here?
We are volunteers, we are the only Moderators. McAfee badged people are support staff.
I have no idea what McAfee's stand is against anything...all I know is that no antivirus can offer complete protection. We've already gone through steps and posted links to help.
I was merely pointing out that we let that post stand as the link therein was not deemed to be any kind of risk.