8 Replies Latest reply on Sep 28, 2014 11:04 AM by cohbraz

    Cryptolocker - Solution?

    eunosis

      I run a small business from home and consider myself a competent user of applications (but with zero ability on the technical side). Yesterday my laptop was infected through an email with the Cryptolocker ransomware virus.

      Having spoken to McAfee techmaster support, it seems there is nothing they can do to help. They have known about this virus / malware for months yet have no solution. Their advice is to take it to a local PC dealer and get them to sort it out.

      The local dealer (whom I have used to set up my home office system) will need to keep my machine for at least a day - a day for my business where I have no alternative means of accessing corporate emails.

      Can anyone explain how McAfee have allowed this to happen (and yes, I know there are hundreds, maybe thousands of new attacks every day)? Surely with all their expertise it cannot be beyond the capability of their operation to provide a solution.

      Also, I do not have the confidence to start going into Safe Mode and deleting files as other posts suggest - as I said, I am a user, not a techy.

      Regards, from a frustrated small businessman trying to make a living.

        • 1. Re: Cryptolocker - Solution?
          Peter M

          Moved to Malware Discussions > Home User Assistance.

          Have you tried initiating System Restore in Safe Mode to go back to before all this started?

          If you've read the other threads then you'll know that no A/V can stop these things. It's the way they work, involving user interaction, no matter how trivial such as a mouse click or a key stroke, to activate.

          There is a definitive guide here: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

          Note the blue box lower down with a link to the thread on that infection where you may be able to get some help.

          McAfee are aware of these things and in fact have a tool that catches some, but the trouble is that variants appear constantly.

          See Stinger in the last link in my signature below. It won't decrypt files however; that's where BleepingComputer forums may be of help.

          Message was edited by: Ex_Brit on 07/11/13 8:24:42 EST AM
          • 2. Re: Cryptolocker - Solution?
            jonathansc

            Or just that McAfee was 'asleep' when Cryptolocker went wild. Kaspersky claim their users are protected. For me McAfee did not even detect it, so despite running a full system scan as Admin user it did not detect it.

            http://blog.kaspersky.co.uk/cryptolocker-is-bad-news/

            Accepting McAfee cannot decrypt the files, what version & build of security centre is needed to clear all remnants of the Trojan?

            • 3. Re: Cryptolocker - Solution?
              Peter M

              Nothing legitimate can decrypt the files, and if Kaspersky claims that they can stop these things then great for them, but personally I doubt it. No antivirus detects all of these things nor can they deal with all of them. I already posted a great guide for their removal. The whole point of this is to avoid getting them in the first place by being ultra careful and, if disaster strikes, immediately shut down the computer and hope that a reboot into Safe Mode will allow System Restore to be deployed.

              Message was edited by: Ex_Brit on 24/12/13 3:43:45 EST PM
              • 4. Re: Cryptolocker - Solution?
                Hayton

                From that Kaspersky blog, here is the actual claim:

                "Users of Kaspersky Internet Security are protected against all current modifications of CryptoLocker, preventing it from executing on their systems."

                Note that last bit, "preventing it from executing on their systems". It is indeed possible to lock down some operating systems using Windows' own built-in Software Restriction Policies. Enterprise versions of anti-virus software have many more features than the Consumer versions, and businesses in general are better placed to take advantage of Windows' capabilities, but an educated and competent home user with Windows Vista or later (not, I think, XP) should be able to use these policies to prevent CryptoLocker from installing its executables anywhere other than the Program Files directory/folder. The drawback is that these restrictions will almost certainly prevent other, legitimate, programs from executing. This will require a certain amount of tinkering with the policies to ensure that those programs can be whitelisted. It may also be necessary to go into the registry and change certain settings.

                There is a program (which I cannot at this stage recommend, since I know of no-one who has used it and reported on it) which claims to do all of this work without the user needing to understand details of the registry or operating system. Later I may be able to recommend it, but at this stage if anyone discovers it and wishes to use it, all I will say is: At Your Own Risk.

                As for McAfee being unable to detect CryptoLocker, I think the poster should read a little about how this ransomware is spread, how it gets downloaded, and how it evades detection. The downloader is almost always a Trojan, so the user invites it in and allows it to run by the simple expedient of clicking on a link in an email without bothering to check whether the link is to the site it appears to lead to. The links are in spam emails pumped out by the Cutwail botnet, and once the downloader is activated the latest versions establish a link to a remote server over SSL and evade detection by installed anti-virus software. That's it in brief: there are full details in a couple of reports from Dell SecureWorks which I summarise and link to in

                "Cryptolocker - Prevention, Recovery, and FAQ"

                Message was edited by: Hayton on 27/12/13 13:33:29 GMT
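Hayton's post describes the Software Restriction Policies (SRP) approach in words: refuse to run anything that is not in the Program Files or Windows folders, then whitelist what breaks. The PowerShell script below is an added illustration of that configuration and was not posted by anyone in this thread. It writes the same registry keys the Local Security Policy editor (secpol.msc) writes; the key layout, the security-level values (0 = Disallowed, 0x40000 = Unrestricted) and the ExecutableTypes list are assumptions of the example based on how that editor stores its policy, and the function names are mine. Run it from an elevated prompt on a test machine first and log off or reboot for the policy to apply. Two caveats a practitioner should keep in mind: in default-deny mode an installer run from the Downloads folder will be blocked until a rule for it is added, and allowing all of %SystemRoot% also allows a few Windows subfolders that ordinary users can write to, so a tighter policy would enumerate those and disallow them.

```powershell
# Added example (not from the thread): put Windows Software Restriction Policies
# into "default deny" mode via the registry, so executables only run from the
# Program Files and Windows directories. Requires an elevated PowerShell prompt
# on Windows Vista or later; log off or reboot for the policy to take effect.
# Assumption: this is the registry layout the Local Security Policy editor writes.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # 0x40000, SRP security level "Unrestricted"

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,   # path or pattern the rule matches
        [Parameter(Mandatory)] [int]    $Level   # $Disallowed or $Unrestricted
    )
    # Each path rule lives under <level>\Paths\{GUID}; ItemData holds the path.
    $ruleKey = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'ItemData'     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'LastModified' -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

function Set-SrpDefaultDeny {
    New-Item -Path $Safer -Force | Out-Null

    # DefaultLevel decides the fate of anything no rule matches: deny it.
    New-ItemProperty -Path $Safer -Name 'DefaultLevel' -PropertyType DWord -Value $Disallowed -Force | Out-Null
    # TransparentEnabled 1 = enforce on executables but not DLLs (2 would include DLLs).
    New-ItemProperty -Path $Safer -Name 'TransparentEnabled' -PropertyType DWord -Value 1 -Force | Out-Null
    # PolicyScope 0 = apply to every user, administrators included.
    New-ItemProperty -Path $Safer -Name 'PolicyScope' -PropertyType DWord -Value 0 -Force | Out-Null
    # Extensions SRP treats as executable (the editor's default list; assumption).
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
             'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
             'SCR','SHS','URL','VB','WSC'
    New-ItemProperty -Path $Safer -Name 'ExecutableTypes' -PropertyType MultiString -Value $types -Force | Out-Null

    # Whitelist: where legitimately installed software lives. Anything a user
    # downloads to AppData, Temp or Downloads is outside these and will not run.
    foreach ($p in '%ProgramFiles%', '%ProgramFiles(x86)%', '%SystemRoot%') {
        Add-SrpPathRule -Path $p -Level $Unrestricted | Out-Null
    }
}

function Get-SrpRules {
    # List the configured rules so the policy can be reviewed before logging off.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$level\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                [pscustomobject]@{ Level = $level; Path = (Get-ItemProperty $_.PSPath).ItemData }
            }
        }
    }
}

Set-SrpDefaultDeny
Get-SrpRules | Format-Table -AutoSize
```

To whitelist a program that the policy breaks, call `Add-SrpPathRule -Path 'C:\Tools\MyApp\app.exe' -Level $Unrestricted` for it (path assumed for illustration); to undo the whole policy, delete the `CodeIdentifiers` key and log off again. Blocked launches are also logged to the Application event log by the Software Restriction Policies source, which is the first place to look when something stops working after the change.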
                • 5. Re: Cryptolocker - Solution?
                  Hayton

                  Good news for anyone who still has files which were encrypted by Cryptolocker and was keeping them in hope of a solution being found.

                  A solution has been found! When Gameover/Zeus was taken down it also crippled the Cryptolocker operation. The gang running it tried to copy their database to a new server but the researchers managed to grab it, or a copy of it, including all the encryption keys.

                  So your files can now be decrypted if you send in one encrypted file.

                  The details are in many stories all over the web: I picked it up first from a BBC report, which has details and a link to the site where you can get the decryption key.

                  Ex_Brit has also posted (without the background) a link to that site, but it helps to read the story.

                  BBC news report: BBC News - Cryptolocker victims to get files back for free

                  Ex_Brit's link: Cryptolocker - Free Ransomware Decryption Tool Released

                  • 6. Re: Cryptolocker - Solution?
                    Peter M

                    I added your link to it, thanks Hayton ;-)

                    • 7. Re: Cryptolocker - Solution?
                      catdaddy

                      Great info Guys !!!! Just noticed it....

                      • 8. Re: Cryptolocker - Solution?
                        cohbraz

                        Thank you for the information and the links! You can be sure though, this type of infection will continue to evolve and pose problems.