I moved this from Community Interface help to Malware Discussions > Corporate User Assistance as that is where I think it belongs for better support.
There's a very reliable source of information on this here: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/ see also the link in that first post.
In my case when/if these strike I immediately power off, reboot to Safe Mode and start System Restore.
See also the last link in my signature below.
The official Threat Advisory from McAfee for Cryptolocker/Crilock.A is as follows:
Threat Advisory: Ransom Cryptolocker
Message was edited by: ianl on 10/13/13 9:01:24 PM CDT
I thought these might be helpful as well; some more details about this infection and possible methods of recovering:
... details about this infection and possible methods of recovering
Recovering? You weren't paying attention.
If the malware succeeds in installing itself and establishing a connection with a remote C&C server it encrypts a range of file types using a 256-bit encryption key. That key - needed to decrypt the files - is itself encrypted using RSA and is passed back to the C&C server. The private key is unknowable (unless you've got NSA-scale processing capabilities), and the files are unrecoverable without the private key.
The best recovery method is to have a full and recent file system backup available. Some people would say wipe and format the disk and re-image the system. This should be followed by a full investigation into how the malware attack was allowed to be successful (and then by prompt action in every area where security is shown to be deficient).
There is usually a fixed period of time (72 hours) in which to pay the ransom demanded, after which the decryption key is supposedly deleted. However, paying a ransom to the Cryptolocker blackmailers does not guarantee that any key provided for decryption will work. Sometimes it does; sometimes not.
Moral: don't allow any part of a corporate network to get infected. Unpatched endpoints and email attachments would seem to be a company's vulnerable areas.
CryptoLocker currently has the following infection vectors:
- This infection was originally spread by emails sent to company email addresses that pretend to be customer-support-related issues from Fedex, UPS, DHS, etc. These emails would contain an attachment that, when opened, would infect the computer.
- Currently dropped by Zbot infections disguised as PDF attachments
- Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection.
- Through Trojans that pretend to be programs required to view online videos. These are typically encountered through Porn sites.
We created a free scan tool that finds CryptoLocker-encrypted files and dumps the list into a CSV file. This is handy when trying to figure out what files need to be restored from backup.
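An added example of the kind of triage scan the post above describes, written here for illustration and not the poster's tool: it walks a directory tree, flags files whose extension normally carries a known magic header but whose content no longer matches it and is near-maximum entropy (a constructed heuristic for "this document has been overwritten with ciphertext"), and writes the candidates to a CSV for restore-from-backup planning. The magic table, the 7.9 bits/byte threshold, the `-Root` default and the output path are all assumptions; the script is read-only and never modifies the files it inspects.

```powershell
# Added example, not the tool from the post. Read-only scan: flag likely-encrypted
# documents by "known extension, wrong magic bytes, near-random content" and export
# them to CSV. Heuristic and thresholds are assumptions, not CryptoLocker-specific.
param(
    [string]$Root = "C:\Users",                                   # assumption: scan user profiles
    [string]$OutCsv = "$env:TEMP\suspected-encrypted-files.csv",  # assumption: output location
    [double]$EntropyThreshold = 7.9                               # bits/byte; random data is ~7.95 over 4 KiB
)

# Expected leading bytes for common document types (constructed table, not exhaustive).
$Magic = @{
    '.docx' = [byte[]](0x50,0x4B,0x03,0x04)   # ZIP container (Office Open XML)
    '.xlsx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.pptx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.zip'  = [byte[]](0x50,0x4B,0x03,0x04)
    '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)   # "%PDF"
    '.doc'  = [byte[]](0xD0,0xCF,0x11,0xE0)   # OLE compound file
    '.xls'  = [byte[]](0xD0,0xCF,0x11,0xE0)
    '.jpg'  = [byte[]](0xFF,0xD8,0xFF)
    '.png'  = [byte[]](0x89,0x50,0x4E,0x47)
}

# Shannon entropy of a byte buffer, in bits per byte (0..8).
function Get-ByteEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

# True when the file header does not start with the bytes expected for its extension.
function Test-MagicMismatch {
    param([byte[]]$Head, [byte[]]$Expected)
    if ($Head.Length -lt $Expected.Length) { return $true }
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($Head[$i] -ne $Expected[$i]) { return $true }
    }
    return $false
}

$results = foreach ($file in Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue) {
    $ext = $file.Extension.ToLower()
    if (-not $Magic.ContainsKey($ext)) { continue }
    try {
        # Only the first 4 KiB is needed to judge both the header and the entropy.
        $stream = [System.IO.File]::OpenRead($file.FullName)
        $buf = New-Object byte[] 4096
        $n = $stream.Read($buf, 0, $buf.Length)
        $stream.Close()
    } catch { continue }
    if ($n -lt 64) { continue }               # too small to judge reliably
    $head = $buf[0..($n - 1)]
    $entropy = Get-ByteEntropy -Bytes $head
    $mismatch = Test-MagicMismatch -Head $head -Expected $Magic[$ext]
    # A compressed docx/zip is also high-entropy, which is why the magic mismatch is required too.
    if ($mismatch -and $entropy -ge $EntropyThreshold) {
        [PSCustomObject]@{
            Path          = $file.FullName
            Extension     = $ext
            SizeBytes     = $file.Length
            LastWriteTime = $file.LastWriteTime   # clusters tightly around the infection time
            Entropy       = [Math]::Round($entropy, 3)
        }
    }
}

if ($results) {
    $results | Sort-Object LastWriteTime | Export-Csv -Path $OutCsv -NoTypeInformation
    Write-Host ("{0} suspected encrypted files written to {1}" -f @($results).Count, $OutCsv)
} else {
    Write-Host "No suspected encrypted files found under $Root"
}
```

Sorting the CSV by LastWriteTime is deliberate: the earliest flagged timestamp gives a good estimate of when encryption started, which is the cut-off you need when choosing a shadow copy or backup set to restore from.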
The following advice comes from a Computerworld article -
It does not apply to Windows XP.
Mitigation: Previous versions (shadow copies) and ShadowExplorer
If you are unlucky enough to have been infected with Cryptolocker, then there are some mitigation strategies available to you. (Of course, you can always restore from backups as well.) Both strategies involve a tool called Shadow Copies that is an integral part of the System Restore feature in Windows. This is turned on by default in client versions of Windows, and best practices for storage administration have you turning this on manually on Windows Server-based file servers. If you have left this setting alone, you likely have backups right on your computer or file share.
To restore the previous version of a file using the traditional Windows interface, just right-click the file in question and choose Properties. If System Restore is enabled or your administrator has enabled Shadow Copies through Group Policy, you should be able to see the Previous Versions tab in the Properties window. This will list all of the versions on record of the file. Choose a version before the Cryptolocker infection and then click either Copy to export a copy of the file somewhere else, or Restore to pop the backup right where the encrypted file belongs. You can open the files directly from this box too if you are not sure of the exact date and time of infection.
ShadowExplorer is a downloadable free tool that makes it much easier to explore all of the available shadow copies on your system. This is a useful ability when you have a wide range of files infected with Cryptolocker and need to restore a swath of them at once.
When you install and run the tool, you can select the drive and the shadow copy date and time from the drop-down menu at the top of the window. Then, just like in a regular Windows Explorer menu, you can choose the folder and file you want, and then right-click and select Export. Choose the destination on your file system to put the exported shadow copies on, and then you have your backup restored. Of course, this is a previous version, so it may not have the most current updates to your files, but it is much better than having lost them completely or having to pay a ransom for them.
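The same restore that the article walks through in the Previous Versions tab and in ShadowExplorer can be scripted for a large number of files. This is an added example, not code from the article or from ShadowExplorer: it enumerates the Volume Shadow Copies for a drive, picks the newest one taken before the infection time, exposes it as a directory through a symbolic link to its device object (the trailing backslash on the link target is required), and copies a folder out of it. It assumes PowerShell 3 or later running elevated; `$InfectionTime`, `$ItemPath` and `$Destination` are placeholders to be replaced with values from your own triage.

```powershell
# Added example, not from the article or ShadowExplorer. Restore a previous version of a
# folder from the newest shadow copy that predates the infection. Run elevated (PS 3+).
param(
    [string]$Drive = 'C:',
    [datetime]$InfectionTime = (Get-Date).AddDays(-1),   # placeholder: use the real time from triage
    [string]$ItemPath = 'Users\alice\Documents',         # placeholder: path relative to the drive root
    [string]$Destination = 'D:\Restored'                 # placeholder: must not be on the infected share
)

$Drive = $Drive.TrimEnd('\')

# Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ form, so match it via Win32_Volume.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $Drive }).DeviceID
if (-not $volumeId) { throw "Drive $Drive not found." }

# Get-CimInstance converts InstallDate to [datetime]; newest first.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    throw "No shadow copies exist for $Drive (System Restore/Shadow Copies off, or copies deleted)."
}

# "Choose a version before the infection": newest copy whose creation time precedes it.
$candidate = $shadows | Where-Object { $_.InstallDate -lt $InfectionTime } | Select-Object -First 1
if (-not $candidate) {
    throw "Every shadow copy postdates $InfectionTime; none is safe to restore from."
}
Write-Host ("Using shadow copy {0} taken {1}" -f $candidate.ID, $candidate.InstallDate)

# Expose the shadow copy as a directory. mklink /d needs the device path with a trailing
# backslash; the link lives on the system drive root to avoid paths with spaces.
$link = "$env:SystemDrive\shadow_restore_$([guid]::NewGuid().ToString('N'))"
cmd.exe /c "mklink /d $link $($candidate.DeviceObject)\" | Out-Null
if (-not (Test-Path -LiteralPath $link)) { throw "Could not link shadow copy device $($candidate.DeviceObject)" }

try {
    $source = Join-Path $link $ItemPath
    if (-not (Test-Path -LiteralPath $source)) { throw "$ItemPath does not exist in that shadow copy." }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # Copy out, never in place: keep the encrypted originals until the restore is verified.
    Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
    Write-Host "Restored $ItemPath (as of $($candidate.InstallDate)) to $Destination"
}
finally {
    # rmdir on a directory symlink removes only the link, not the shadow copy contents.
    cmd.exe /c "rmdir $link" | Out-Null
}
```

Two checks worth keeping: the script refuses to use a copy taken after the infection time, since that copy would contain the encrypted files, and it copies out to a separate destination rather than overwriting in place, so the earlier `LastWriteTime` evidence and the originals survive until the restored data has been verified.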
Why would anyone want to download a "tool" from a member with just 1 post who joined less than 2 weeks ago?
NO one should ever download a fix from a website that is not cleared by the owners of that website.
The Mods have deemed it OK...so far.
Which mods? McAfee or the volunteer mods?
What is McAfee's stand on Cryptolocker? I.e. what, if any, version of McAfee prevents an install of cryptolocker?
Are these forums just user2user or does McAfee have official staff here?