Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => Avast Endpoint Protection => Topic started by: joealbergo on September 16, 2013, 10:40:39 PM

Title: CryptoLocker
Post by: joealbergo on September 16, 2013, 10:40:39 PM
Somehow this "CryptoLocker" has sneaked past Avast and has infected one of my workstations.

Anyone have any ideas on how I can go about removing this?

I did a boot scan with "delete" as the option, however after the scan it still shows up.
Title: Re: CryptoLocker
Post by: wpn on September 18, 2013, 01:16:24 PM
So far I could only find this information:
http://community.spiceworks.com/topic/381787-crypto-locker-making-the-rounds-beware

Did you make a backup of the data that is encrypted right now? If not, there is very little chance of recovering from what I find right now.
Title: Re: CryptoLocker
Post by: Loominal on September 19, 2013, 09:35:20 PM
We too got hit with this crypto ransomware. It infects the PCs and encrypts the hardware with such a hard encryption that it can't be decrypted by anything right now. There's good and bad news.

The good news is, you can still get your files by 1 of 2 ways:
1.) Making sure you have system restore points, you can use a piece of software called GhostExplorer which will essentially take a ghost image from a system restore and restore your files to then. *You will need to back up the crucial files/docs/emails.* THEN I would suggest reformatting the PC and starting from scratch.
2.) OR you can pay them the $300.00 (which is what we did, because we did not have restore points active) and then they will give you a private key to insert within the time requested and they will decrypt the files and release your PC back. Once it's done decrypting your files, it will uninstall invisibly and remove itself from the PC. Again, back up your files (esp. the email in AppData) and reformat your PC.

Currently there is nothing on the market that is blocking this ransomware. It's nasty and has even gotten senators and state representatives. They have then put an investigation out to the FBI. I'm told (from what I read) that there is a chance if you're infected and PAY... the FBI could contact you and will need you to help the best that you can.

The BAD news is, if you don't have $300.00 or system restore turned on, OR you wait till after the timer, you're screwed. You lost all your data and can never get it back. The software will delete the secure private key that it encrypted your files with off their server and there will be no way for you to get it back.

From what I've read these guys started with Version 1.0 which charged people $100.00 and have since grown exponentially and have created 2.0. This version charges $300 through a Green Money Card you buy at your local gas station. It's supposedly untraceable. They make approx. 300k+ per month with this scam and it has grown into what we would call a "small business". They do apparently always comply when you call them and are really nice to talk to on the phone, which is extremely odd since they are scamming you. They tell you on the phone that it's a service they provide to let you know how vulnerable you really are, and they will legitimately give you back all your files (which they really do; oddly enough you can trust them with that).

They say the best way to prevent this is to have your PCs on a domain, and there is a domain RULE that you can set up when the PC starts that will stop files that are unexpected from running. I'm not 100% sure how this is done as I'm no domain expert, but it appears as of right now this is the only way to prevent this from happening.

MOST of these scams that people get infected with DO come into a PC via email labeled from USPS or some other supposedly reliable source, but instead it infects the user's PC and starts encrypting files. Also, if your PC is on a network and connected to a network drive (on a server) it will grab that hard drive also and encrypt the whole server. Which is basically what happened to us, which is why we paid to have it released. I hate doing it, but it is what it is... and they got us. It sucks.

hope this info helps you or someone!
Title: Re: CryptoLocker
Post by: nannunannu on September 20, 2013, 11:21:23 PM
> ...
>
> They say the best way to prevent this, is to have your PC's on a domain and there is a domain RULE that you can setup when the PC starts that will stop files that are unexpected to run. I'm not 100% sure how this is done as i'm no Domain expert.. but it appears as of right now this is the only way to prevent this from happening.
>
> ...
>
> hope this info helps you or someone!

Thanks for the detailed info.  Re:  The SRP policy settings, in case someone finds this searching for info - these are a couple good articles to get someone started:

http://blog.windowsnt.lv/2011/06/01/preventing-malware-with-srp-english/
http://technet.microsoft.com/en-us/library/bb457006.aspx
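
The "domain rule" Loominal describes and the two SRP links above point at is a Software Restriction Policy path rule that disallows executables launching from the per-user profile directories. The following is an added example, not code from the thread, from Avast or from the linked guides, and it writes the local-machine SRP settings directly in the registry rather than through secpol.msc. Assumptions: the Safer\CodeIdentifiers key layout below is the one secpol.msc writes (verify by opening secpol.msc after running it), the blocked paths are the ones the linked guides name plus %Temp%, and the Chrome allow rule is a placeholder for whatever legitimate software runs from the profile in your environment. On a domain the same rules go into a GPO under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies instead of the local policy.

```powershell
# Added example: local Software Restriction Policy path rules that block .exe files
# launched from the user profile. Run elevated; test on one host before rolling out.
# Assumed registry layout: HKLM\...\Safer\CodeIdentifiers\<level>\Paths\{guid} per rule.

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 0x40000    # SRP security level "Unrestricted" (262144)

# Launch locations the linked guides name for the dropper, plus %Temp%.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe'
)

function Set-SrpBaseline {
    # Default stays Unrestricted; only the explicit path rules below are Disallowed.
    New-Item -Path $Base -Force | Out-Null
    Set-ItemProperty -Path $Base -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Base -Name TransparentEnabled -Value 1 -Type DWord   # enforce on all software files except DLLs
    Set-ItemProperty -Path $Base -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users, including administrators
    # Subset of the default "designated file types" list; *.exe path rules only need EXE.
    Set-ItemProperty -Path $Base -Name ExecutableTypes -Type MultiString `
        -Value @('EXE','COM','SCR','PIF','BAT','CMD','MSI','HTA','JS','VBS')
}

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    $key = Join-Path $Base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

function Get-SrpPathRules {
    # Lists the rules now in the registry so the change can be checked without secpol.msc.
    foreach ($lvl in @($Disallowed, $Unrestricted)) {
        $k = Join-Path $Base "$lvl\Paths"
        if (Test-Path $k) {
            Get-ChildItem $k | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                New-Object PSObject -Property @{ Level = $lvl; Path = $p.ItemData; Description = $p.Description }
            }
        }
    }
}

Set-SrpBaseline
foreach ($p in $BlockedPaths) {
    Add-SrpPathRule -Path $p -Level $Disallowed -Description 'Block exe in user profile'
}
# Placeholder allow rule: SRP applies the most specific matching path rule, so a deeper
# Unrestricted path wins over the Disallowed wildcard above. Replace or delete as needed.
Add-SrpPathRule -Path '%LocalAppData%\Google\Chrome\Application\chrome.exe' `
                -Level $Unrestricted -Description 'Allow Chrome (per-user install)'

gpupdate /force | Out-Null
Get-SrpPathRules | Format-Table Level, Path, Description -AutoSize
```

To check enforcement, copy any harmless .exe into %AppData% and double-click it: with the rules active Windows refuses to start it with a "blocked by group policy" message, and the refusal is logged in the Application event log under source SoftwareRestrictionPolicies (event 865). Expect to add allow rules for legitimate per-user installers (Chrome, GoToMeeting, Spotify and similar) before pushing this to a whole domain.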
Title: Re: CryptoLocker
Post by: joealbergo on September 23, 2013, 07:03:24 PM
Appreciate everyone's responses.
It turns out that on a network environment the CryptoLocker was only able to attack what was locally on the desktop.

I believe with the roaming profiles on the network, that everything else was untouched.

After checking the registry, I only saw about 8 files on the desktop (nothing important)

My users are instructed to keep all important work in their "My Documents" work directory.

My question now is how did it get past Avast?

Thanks again everyone for your responses.

Cheers !
Title: Re: CryptoLocker
Post by: wpn on September 25, 2013, 04:00:42 PM
@Loominal
System restore point is not a REAL option. It keeps the files encrypted; it only restores to a point where the files of the malware were not present on the system. GhostExplorer only works IF you have shadow copy functionality and have it turned on.
So: IF you do not have shadow copies turned on and you do a system restore, the files are lost; paying for the decryption after a system restore is not possible anymore.

The only good possible way to prevent dataloss is to have a BACKUP on a disk/tape which can regress for a couple of days till before the infection.
@joealbergo
Great to hear it's unimportant files that are lost. Just to be sure, though, I would check the whole data structure for encrypted files.

About Avast missing it:
If the malware is really new and not found yet in the wild and analysed by the virus labs (Avast, McAfee, and all others) then there are no signatures for the scanner to match, and hence it will pass the test as clean software.
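
wpn's two points above, that shadow copies are the only on-box recovery path and that the whole data set should be checked for encrypted files, can be scripted. The block below is an added example written for this thread; it is not code from the poster, from Avast or from GhostExplorer/Shadow Explorer. It relies on one observation from the thread and the linked write-ups, that the malware left file names and extensions intact, so an encrypted .pdf no longer starts with "%PDF". Assumptions: the signature table is a constructed subset of common office formats; the scan runs on the file server itself against a local NTFS path (not a UNC path); VSS snapshots that predate the infection still exist; the script runs elevated and uses only Get-WmiObject and cmd /c mklink so it also works on PowerShell 2.0.

```powershell
# Added example, not from the thread. Step 1: flag files whose leading bytes do not
# match their extension. Step 2: for each flagged file, walk the volume's shadow copies
# newest-first and copy out the first version whose header is intact, so a snapshot
# taken after the encryption started is skipped rather than "restored".

$Signatures = @{                         # constructed table: extension -> expected leading bytes
    '.pdf'  = @(0x25,0x50,0x44,0x46)     # %PDF
    '.docx' = @(0x50,0x4B,0x03,0x04)     # PK.. zip container (also xlsx, pptx, zip)
    '.xlsx' = @(0x50,0x4B,0x03,0x04)
    '.pptx' = @(0x50,0x4B,0x03,0x04)
    '.zip'  = @(0x50,0x4B,0x03,0x04)
    '.doc'  = @(0xD0,0xCF,0x11,0xE0)     # OLE compound file (also xls, ppt)
    '.xls'  = @(0xD0,0xCF,0x11,0xE0)
    '.ppt'  = @(0xD0,0xCF,0x11,0xE0)
    '.jpg'  = @(0xFF,0xD8,0xFF)
    '.png'  = @(0x89,0x50,0x4E,0x47)
}

function Test-HeaderMatches {
    # $true = header matches extension, $false = mismatch, $null = extension not in table
    param([string]$Path)
    $ext = [IO.Path]::GetExtension($Path).ToLower()
    if (-not $Signatures.ContainsKey($ext)) { return $null }
    $expected = $Signatures[$ext]
    $buf = New-Object byte[] $expected.Length
    $fs = [IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Close() }
    if ($n -lt $expected.Length) { return $false }       # truncated or empty: treat as damaged
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

function Find-SuspectFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (Test-HeaderMatches $_.FullName) -eq $false } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-ShadowCopies {
    # Each snapshot with its creation time, the drive it covers and the device path to read it from
    $volumes = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter }
    Get-WmiObject Win32_ShadowCopy | ForEach-Object {
        $sc  = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
        New-Object PSObject -Property @{
            Created = [Management.ManagementDateTimeConverter]::ToDateTime($sc.InstallDate)
            Drive   = $vol.DriveLetter                    # e.g. D:
            Device  = $sc.DeviceObject                    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created -Descending
}

function Restore-FromShadow {
    param([string]$Path, [string]$MountPoint = 'C:\vss_restore')
    $drive = [IO.Path]::GetPathRoot($Path).TrimEnd('\')   # D:
    $rel   = $Path.Substring($drive.Length + 1)           # path relative to the volume root
    foreach ($sc in (Get-ShadowCopies | Where-Object { $_.Drive -eq $drive })) {
        if (Test-Path $MountPoint) { cmd /c rmdir $MountPoint | Out-Null }
        cmd /c mklink /d $MountPoint "$($sc.Device)\" | Out-Null   # trailing backslash is required
        $candidate = Join-Path $MountPoint $rel
        if ((Test-Path $candidate) -and ((Test-HeaderMatches $candidate) -ne $false)) {
            Copy-Item $candidate "$Path.restored"         # keep the encrypted original as evidence
            cmd /c rmdir $MountPoint | Out-Null
            return "$Path.restored (from snapshot of $($sc.Created))"
        }
    }
    if (Test-Path $MountPoint) { cmd /c rmdir $MountPoint | Out-Null }
    return $null                                          # no intact copy in any snapshot
}

# Usage on the file server:
#   $suspects = Find-SuspectFiles -Root 'D:\Shares\Finance'
#   $suspects | Format-Table -AutoSize
#   $suspects | ForEach-Object { Restore-FromShadow $_.FullName }
```

The header check is a heuristic: it says nothing about .txt or .csv files, and it will not see an encrypted file whose extension is not in the table, so extend $Signatures for the formats your users actually keep on the share. Restore-FromShadow writes a sibling ".restored" file rather than overwriting, so the encrypted originals stay available for the decrypter if you end up paying, as several posters in this thread did.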
Title: Re: CryptoLocker
Post by: helmut1 on September 25, 2013, 04:14:38 PM
I need help contacting them. I need to pay the money, but I am not getting the ransom notice any more.

Please forward me their phone number, or tell me how to start the Cryptolocker.exe again.

My time has not run out; I should have about 40-ish hours left.


Title: Re: CryptoLocker
Post by: helmut1 on September 25, 2013, 09:05:15 PM
OK - I paid the $300 (2 bitcoins) and after about 30 minutes the programme started to decrypt the files :)

Then it got to a file that a user on the network replaced, and the Cryptolocker said this file may be damaged or used by another process:
Retry / Cancel

If I Cancel, will it end the whole programme????????
Title: Re: CryptoLocker
Post by: nannunannu on September 25, 2013, 09:08:45 PM
No idea, but I'd try copying one of the other files that is later in the list over the one that is "lost" at this point...  then hitting retry...  The other file should still be encrypted using the private key, and should decrypt just fine (even though it isn't the original file with that file name, in that path)...  I doubt they are doing a checksum or anything to verify that the original file is actually restored.
Title: Re: CryptoLocker
Post by: helmut1 on September 25, 2013, 10:25:30 PM
Thank you, very good idea :),
but I didn't try it. I went ahead and clicked Cancel, and the programme then continued down the list.

Title: Re: CryptoLocker
Post by: Loominal on September 26, 2013, 04:02:34 PM
Don't forget to do a backup of your personal files, then reformat the machine!!!!!!! Reinstall the OS on it.
Title: Re: CryptoLocker
Post by: REDACTED on October 01, 2013, 06:41:06 PM
Got the virus on the server yesterday. Was not sure but paid the $300. Waited 12 hours before decrypt started. Files are being decrypted now. Expect to be done in 4 to 6 hours. Have had several temp corrupted files but the cancel button got by them. Real scary because the backup was corrupted.
Title: Re: CryptoLocker
Post by: Arnold72 on October 01, 2013, 07:31:38 PM
I think programs like online armor and comodo internet security would stop this successfully.
This seems to show a weakness in the avast zero-day component.
Title: Re: CryptoLocker
Post by: .: Mac :. on October 09, 2013, 01:35:06 PM
> I think programs like online armor and comodo internet security would stop this successfully.
> This seems to show a weakness in the avast zero-day component.

I don't think so. In September we had this get by Avast and it encrypted an entire network folder (mapped drive). This customer had a gateway web filter that also scanned for malware and an email filter, and it bypassed all three.
Title: Re: CryptoLocker
Post by: Arnold72 on October 09, 2013, 05:08:08 PM
Thank you for the info.
However would a HIPS software stop this?

Has anyone tried it.
Title: Re: CryptoLocker
Post by: techlike99 on October 17, 2013, 06:18:05 PM
I'm dealing with this ransomware for a client. I know that Avast already referenced this infection as Win32:Ransom-AQH [Trj], however, the infection on his PC is fresh and somehow managed to bypass Avast guard. I've restored some of the files using Shadow Explorer. For now, it seems the only possible solution, so it saved the day! For those who have the same issue I recommend reading these posts:

http://deletemalware.blogspot.com/2013/10/remove-cryptolocker-virus-and-restore.html

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

And also a thread on reddit: http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/
Title: Re: CryptoLocker
Post by: .: Mac :. on October 18, 2013, 01:03:10 AM
> I'm dealing with this ransomware for a client. I know that Avast already referenced this infection as Win32:Ransom-AQH [Trj], however, the infection on his PC is fresh and somehow managed to bypass Avast guard. I've restored some of the files using Shadow Explorer. For now, it seems the only possible solution, so it saved the day! For those who have the same issue I recommend reading these posts:
>
> http://deletemalware.blogspot.com/2013/10/remove-cryptolocker-virus-and-restore.html
>
> http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/
>
> And also a thread on reddit: http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/

If you have the malware exe file (usually not hard to find on the system) you can add it to the virus chest and send it in so the lab can add it to the database. Or send it to virus (at) avast.com. Even though you were able to restore your files, it might save someone else some headache.
Title: Re: CryptoLocker
Post by: avast@@dvantage77.com on October 23, 2013, 12:11:49 AM
avast! stops most versions, but new zero-day variants are constantly being released. New updates on CryptoLocker, including the free "CryptoPrevent" utility:

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://www.foolishit.com/download/cryptoprevent/
Title: Re: CryptoLocker
Post by: canetree on October 23, 2013, 02:17:06 AM
Man, this is some nasty stuff. Glad I've been using Macs. Nothing like this out there on OSX as far as I know...
Title: Re: CryptoLocker
Post by: Amgeek on October 31, 2013, 03:25:09 PM
There we go, everyone run out and drop thousands on a Mac to avoid a $300 loss.

Brilliant, what a deal!!!!!

Glad to see you mentioning the Foolish IT free preventative; well worth watching.

http://www.foolishit.com/posts/cryptolocker-prevention/

For a few dollars more Malwarebytes pro may also offer some hope.


http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

Let's catch these bastards.
Title: Re: CryptoLocker
Post by: canetree on October 31, 2013, 05:03:02 PM
Now now, let's not be hasty. Macs start at $599 for a pretty decent machine, not thousands. As someone who's been building and using PCs since the first IBM PC came out in 1981 and currently has 13 different computers in my work cubicle, I'm going to go out on a limb here and say for the average user, Macs are a better machine. The lack of malware is one of many reasons why I recommend them unless you need some customized configuration for gaming or MS-based server services.
Title: Re: CryptoLocker
Post by: nannunannu on October 31, 2013, 05:15:28 PM
Or you could just use OpenDNS...
Title: Re: CryptoLocker
Post by: Amgeek on October 31, 2013, 05:26:27 PM
I do use OpenDNS, but how would that help (document?)?

Title: Re: CryptoLocker
Post by: nannunannu on October 31, 2013, 05:30:34 PM
They've been doing predictive analysis to redirect/block requests to malicious domains. They blogged about their efforts against CryptoLocker about a month ago:

http://labs.umbrella.com/2013/09/25/ripple-effect/

Not perfect, but another layer of protection...

Edit: I guess I should mention that they've had a low-trust thing for a long time against random-character domains (which are at least now a common method of hosting malicious code). So if one of these domains suddenly shows up on a heat map it gets noticed and blocked quickly. Again, not perfect, but another layer...
Title: Re: CryptoLocker
Post by: Amgeek on October 31, 2013, 05:32:03 PM
Thanks
Title: Re: CryptoLocker
Post by: Arnold72 on October 31, 2013, 06:52:58 PM
A nice clean image on an unconnected external HDD is always handy in these situations.
Title: Re: CryptoLocker
Post by: crocodilo69 on November 05, 2013, 06:45:17 AM
Hi All,

Does anyone on here use Avast EndPoint Protection Plus (version 8)?

Apparently there is a tool in Avast called 'Avast Rescue Disk'. This is apparently something you can do BEFORE infection to have a rescue disk in place.

Anyone know if Avast plan on pushing this out to all their products in a future update? Sooner rather than later.?

Would be a useful feature to have.

Good luck to all those having issues with this nasty infection.

FYI: There is also apparently a free tool called 'CryptoPrevent': http://www.foolishit.com/vb6-projects/cryptoprevent/
Title: Re: CryptoLocker
Post by: timnboys on December 15, 2013, 10:47:08 PM
So avast! will stop CryptoLocker, right? I mean, that is why avast included streaming cloud updates, right? To stop zero-day malware like CryptoLocker, right?
Please tell me avast! will stop zero-day malware like CryptoLocker and other malware, because I was considering buying avast! Endpoint Protection Plus to centrally manage PCs,
but I don't know if I want to buy it if you cannot stop zero-day malware that has never been in the wild. I mean, isn't that why avast started having a behavior shield and other features that now detect it without having to have a signature, right? Please tell me if you could offer me a discount on avast! Endpoint Protection Plus so that I could afford to put it on my PC. And please tell me if I can get a discount to buy avast Endpoint Protection Plus; could you please tell me whether this will block viruses like CryptoLocker and other zero-day threats? And also, when you buy Endpoint Protection Plus do you get a license file, like in the home editions?
Or do you get something else? Because I would prefer a license file if possible.
Title: Re: CryptoLocker
Post by: geoffwhite on May 08, 2014, 03:04:47 PM
I'm a journalist working on a malware story that takes in Cryptolocker - keen to speak to people who've been hit, if anyone would like to get in touch: geoff.white@itn.co.uk

Thanks.