1 2 Previous Next 19 Replies Latest reply on Aug 7, 2014 11:03 AM by Hayton

    Cryptolocker

    nrdscrote

      Hi All, got this little beauty yesterday. The current patch doesn't get rid of it completely. Has anybody got any clues for me? At the moment I only have two victims to cope with, but as there's another 70-odd possibles I'd really like to get on top of this. Especially as they're all barristers/QC's. Thoughts? Thanks in advance, Nige

        • 1. Re: Cryptolocker
          Peter M

          I moved this from Community Interface help to Malware Discussions > Corporate User Assistance as that is where I think it belongs for better support.

           

          There's a very reliable source of information on this here:  http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/  see also the link in that first post.

           

          In my case when/if these strike I immediately power off, reboot to Safe Mode and start System Restore.

           

          See also the last link in my signature below.

           

          Message was edited by: Ex_Brit on 09/10/13 11:05:02 EDT AM
          1 of 1 people found this helpful
          • 2. Re: Cryptolocker
            ianl

            Hi Nige,

             

            The offical Threat Advisory from McAfee for Cryptolocker/Crilock.A is as follows:

             

            Threat Advisory: Ransom Cryptolocker

            http://kc.mcafee.com/corporate/index?page=content&id=PD24786

             

            Cheers!

             

            Message was edited by: ianl on 10/13/13 9:01:24 PM CDT

             

            Message was edited by: ianl (Corrected Typos) on 10/13/13 9:03:41 PM CDT
            • 4. Re: Cryptolocker
              Hayton

              techrumy wrote:

               

              ... details about this infection and possible methods of recovering

               

              Recovering? You weren't paying attention.

               

              If the malware succeeds in installing itself and establishing a connection with a remote C&C server it encrypts a range of file types using a 256-bit encryption key. That key - needed to decrypt the files - is itself encrypted using RSA and is passed back to the C&C server. The private key is unknowable (unless you've got NSA-scale processing capabilities), and the files are unrecoverable without the private key.

               

              The best recovery method is to have a full and recent file system backup available. Some people would say wipe and format the disk and re-image the system. This should be followed by a full investigation into how the malware attack was allowed to be successful (and then by prompt action in every area where security is shown to be deficient).

               

              There is usually a fixed period of time (72 hours) in which to pay the ransom demanded, after which the decryption key is supposedly deleted.  However, paying a ransom to the Cryptolocker blackmailers does not guarantee that any key provided for decryption will work. Sometimes it does; sometimes not.

               

              Moral  :  don't allow any part of a corporate network to get infected. Unpatched endpoints and email attachments would seem to be a company's vulnerable areas.

              CryptoLocker currently has the following infection vectors:

              • This infection was originally spread sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain an attachment that when opened would infect the computer.
              • Currently dropped by Zbot infections disguised as PDF attachments
              • Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection.
              • Through Trojans that pretend to be programs required to view online videos. These are typically encountered through Porn sites.
              • 5. Re: Cryptolocker
                bchurby

                We created a free scan tool that finds CryptoLocker encrypted files dumps the list into a CSV file. This is handy when trying to figure out what files need restored from backup.

                 

                 

                http://omnispear.com/tools/cryptolocker-scan-tool

                • 6. Re: Cryptolocker
                  Hayton

                  The following advice comes from a Computerworld article -

                  "Cryptolocker: How to avoid getting infected and what to do if you are"

                   

                  It does not apply to Windows XP.

                   

                   

                  Mitigation: Previous versions (shadow copies) and ShadowExplorer

                  If you are unlucky enough to have been infected with Cryptolocker, then there are some mitigation strategies available to you. (Of course, you can always restore from backups as well.) Both strategies involve a tool called Shadow Copies that is an integral part of the System Restore feature in Windows. This is turned on by default in client versions of Windows, and best practices for storage administration have you turning this on manually on Windows Server-based file servers. If you have left this setting alone, you likely have backups right on your computer or file share.

                  Previous versions

                  To restore the previous version of a file using the traditional Windows interface, just right-click the file in question and choose Properties. If System Restore is enabled or your administrator has enabled Shadow Copies through Group Policy, you should be able to see the Previous Versions tab in the Properties window. This will list all of the versions on record of the file. Choose a version before the Cryptolocker infection and then click either Copy to export a copy of the file somewhere else, or Restore to pop the backup right where the encrypted file belongs. You can open the files directly from this box too if you are not sure of the exact date and time of infection.

                  ShadowExplorer

                  ShadowExplorer is a downloadable free tool that makes it much easier to explore all of the available shadow copies on your system. This is a useful ability when you have a wide range of files infected with Cryptolocker and need to restore a swath of them at once.

                  When you install and run the tool, you can select the drive and the shadow copy date and time from the drop-down menu at the top of the window. Then, just like in a regular Windows Explorer menu, you can choose the folder and file you want, and then right-click and select Export. Choose the destination on your file system to put the exported shadow copies on, and then you have your backup restored. Of course, this is a previous version, so it may not have the most current updates to your files, but it is much better than having lost them completely or having to pay a ransom for them.

                  • 7. Re: Cryptolocker
                    locnar

                    Why would anyone want to download a "tool" from a member with just 1 post and joined less then 2 weeks ago.

                     

                    NO one should ever download a fix from a website that is not cleared by the owners of that website.

                    • 8. Re: Cryptolocker
                      Peter M

                      The Mods have deemed it OK...so far.

                      • 9. Re: Cryptolocker
                        locnar

                        Which mods? McAfee or the volunteer mods?

                         

                        What is McAfee's stand on Cryptolocker? IE what if any version of McAfee prevents an install of cryptolocker?

                         

                         


                        Are these forums just user2user of does McAfee have offcial staff here?

                         

                        Message was edited by: locnar on 11/4/13 1:37:42 PM CST
                        1 2 Previous Next