Author Topic: CryptoLocker  (Read 17800 times)

Offline joealbergo

  • Jr. Member
  • **
  • Posts: 79
CryptoLocker
« on: September 16, 2013, 08:40:39 PM »
Somehow this "CryptoLocker" has sneaked past Avast and has infected one of my workstations.

Anyone have any ideas on how I can go about removing this?

I did a boot scan with "delete" as the option, however after the scan it still shows up.

Offline wpn

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1443
  • Gender: Male
  • If it ain't broke, fix it! ;)
    • Bevolkingsonderzoek Zuid-West
Re: CryptoLocker
« Reply #1 on: September 18, 2013, 11:16:24 AM »
So far I could only find this information:
http://community.spiceworks.com/topic/381787-crypto-locker-making-the-rounds-beware

Did you make a backup of the data that is encrypted right now? If not, there is very little chance of recovering from what I find right now.

Offline Loominal

  • Newbie
  • *
  • Posts: 16
Re: CryptoLocker
« Reply #2 on: September 19, 2013, 07:35:20 PM »
We too got hit with this crypto ransomware. It infects the PCs and encrypts the hardware with such a hard encryption that it can't be decrypted by anything right now. There's good and bad news..

The good news is, you can still get your files by 1 of 2 ways..
1.) Making sure you have system restore points, you can use a piece of software called GhostExplorer which will essentially take a ghost image from a system restore and restore your files to then. *You will need to back up the crucial files/docs/emails.* THEN I would suggest reformatting the PC and starting from scratch.
2.) OR you can pay them the $300.00 (which is what we did, cause we did not have restore points active) and then they will give you a private key to insert within the time requested and they will decrypt the files and release your PC back. Once it's done decrypting your files back, it will uninstall invisibly and remove itself from the PC.. Again back up your files (esp the email in appdata) and reformat your PC.

Currently there is nothing on the market that is blocking this ransomware. It's nasty and has even gotten senators and state representatives. They have then put an investigation out to the FBI. I'm told (from what I read) that there is a chance if you're infected and PAY.... the FBI could contact you and will need you to help the best that you can.

The BAD news is.. if you don't have $300.00 or system restore turned on.. OR you wait till after the timer... you're screwed.. you lost all your data and can never get it back. The software will delete the secure private key that it encrypted your files with off their server and there will be no way for you to get it back.

From what I've read these guys started with Version 1.0 which charged people $100.00 and have since grown exponentially and have created 2.0. This version charges $300 through a Green Money Card you buy at your local gas station. It's supposedly untraceable. They make approx 300k+ per month with this scam and it has grown into what we would call a "small business". They do apparently always comply when you call them and are really nice to talk to on the phone.. which is extremely odd since they are scamming you. They tell you on the phone that it's a service they provide to let you know how vulnerable you really are.. and they will legitimately give you back all your files. (Which they really do; oddly enough you can trust them with that.)

They say the best way to prevent this is to have your PCs on a domain, and there is a domain RULE that you can set up when the PC starts that will stop files that are unexpected to run. I'm not 100% sure how this is done as I'm no domain expert.. but it appears as of right now this is the only way to prevent this from happening.

MOST of these scams that people get infected with DO come into a PC via email labeled from USPS or some other supposedly reliable source, but instead it infects the user's PC and starts encrypting files. Also if your PC is on a network and connected to a network drive (on a server) it will grab that hard drive also and encrypt the whole server. Which is basically what happened to us.. which is why we paid to have it released. I hate doing it.. but it is.. what it is... and they got us... it sucks..

hope this info helps you or someone!

Offline nannunannu

  • Full Member
  • ***
  • Posts: 168
Re: CryptoLocker
« Reply #3 on: September 20, 2013, 09:21:23 PM »
...

They say the best way to prevent this is to have your PCs on a domain, and there is a domain RULE that you can set up when the PC starts that will stop files that are unexpected to run. I'm not 100% sure how this is done as I'm no domain expert.. but it appears as of right now this is the only way to prevent this from happening.

...

hope this info helps you or someone!

Thanks for the detailed info. Re: the SRP policy settings, in case someone finds this searching for info, these are a couple of good articles to get someone started:

http://blog.windowsnt.lv/2011/06/01/preventing-malware-with-srp-english/
http://technet.microsoft.com/en-us/library/bb457006.aspx
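Loominal's "domain rule" and the SRP links above both point at path-based Software Restriction Policies. As an added example, not code from this thread or from the linked articles, the PowerShell below writes such a policy locally through the registry on a single machine; in a domain the same settings would be deployed through Group Policy rather than scripted per host. The blocked locations are an assumption based on where 2013-era droppers such as CryptoLocker launched from, and the event IDs at the end are the ones SRP itself writes to the Application log when it blocks a launch.

```powershell
# Added example (not from the forum thread or the linked articles): a local
# Software Restriction Policy written directly to the Safer registry keys.
# Assumptions: the path rules below cover the per-user profile folders that
# CryptoLocker-era droppers ran from; pilot them on a test machine first.
# Run from an elevated PowerShell prompt.

$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # SRP security level "Unrestricted" (0x40000)

# Policy root. The default level stays Unrestricted so that only the explicit
# path rules below block anything, which is the least disruptive way to start.
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1 -Type DWord  # 1 = all software files except DLLs
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0 -Type DWord  # 0 = all users, including local admins
Set-ItemProperty -Path $safer -Name ExecutableTypes `
    -Value @('EXE','COM','SCR','PIF','BAT','CMD','VBS','JS','WSF','MSI') -Type MultiString

# Path rules to disallow (SRP path rules accept * and ? wildcards, and the
# environment variables are expanded per user at evaluation time).
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe'
)

foreach ($pattern in $blockedPaths) {
    # Each rule lives under <level>\Paths\{GUID} with these four values.
    $ruleKey = Join-Path $safer "$Disallowed\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value "Block executables launched from $pattern" -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTime()) -Type QWord
}

# Review the rules that are now in place.
Get-ChildItem -Path (Join-Path $safer "$Disallowed\Paths") |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }

# Detection: SRP records every blocked launch in the Application log
# (865 = blocked by default level, 866 = blocked by a path rule).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    Id           = 865, 866
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Log off and back on (or reboot) before testing, then try to run a harmless executable copied into %AppData% and confirm the 866 event appears. Expect legitimate software that installs into the profile folders to be caught as well, which is why the Unrestricted-by-default plus explicit deny-rule shape above is the usual starting point, with signed-publisher or hash rules added for the applications that must keep working.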

Offline joealbergo

  • Jr. Member
  • **
  • Posts: 79
Re: CryptoLocker
« Reply #4 on: September 23, 2013, 05:03:24 PM »
Appreciate everyone's responses.
It turns out that in a network environment the CryptoLocker was only able to attack what was locally on the desktop.

I believe with the roaming profiles on the network, that everything else was untouched.

After checking the registry, I only saw about 8 files on the desktop (nothing important).

My users are instructed to keep all important work in their "My Documents" work directory.

My question now is how did it get past Avast?

Thanks again everyone for your responses.

Cheers!

Offline wpn

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1443
  • Gender: Male
  • If it ain't broke, fix it! ;)
    • Bevolkingsonderzoek Zuid-West
Re: CryptoLocker
« Reply #5 on: September 25, 2013, 02:00:42 PM »
@Loominal
A system restore point is not a REAL option. It keeps the files encrypted; it only restores to a point where the files of the malware were not present on the system. GhostExplorer only works IF you have shadow copy functionality and have it turned on.
SO: IF you do not have shadow copy turned on and you do a system restore, the files are lost; paying for the decryption after a system restore is not possible anymore.

The only good possible way to prevent data loss is to have a BACKUP on a disk/tape which can go back a couple of days to before the infection.



@joealbergo
Great to hear it's unimportant files that are lost; just to be sure though, I would check the whole data structure for encrypted files.

About Avast missing it:
If the malware is really new and not yet found in the wild and analysed by the virus labs (avast, McAfee, and all others) then there are no signatures for the scanner to match, and hence it will pass the test as clean software.
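wpn's point that GhostExplorer-style recovery only works if shadow copies were actually enabled is worth checking before any restore attempt. The PowerShell below is an added example, not from this thread, that lists the Volume Shadow Copies on a volume and exposes the newest one read-only so files can be copied out of it; the volume letter and link path are illustrative assumptions, and it needs an elevated prompt.

```powershell
# Added example (not from the forum thread): confirm that Volume Shadow Copies
# exist before relying on "previous versions" recovery after ransomware.
# Assumptions: run elevated on the affected machine; C: and C:\ShadowSnapshot
# are illustrative defaults.

function Get-ShadowCopySummary {
    param([string]$VolumeLetter = 'C')

    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the
    # \\?\Volume{GUID}\ form, so they can be matched directly.
    $volume = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq "${VolumeLetter}:" }
    if (-not $volume) { throw "Volume ${VolumeLetter}: not found" }

    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending)

    [pscustomobject]@{
        Volume       = "${VolumeLetter}:"
        ShadowCount  = $shadows.Count
        NewestShadow = if ($shadows.Count) { $shadows[0].InstallDate } else { $null }
        DeviceObject = if ($shadows.Count) { $shadows[0].DeviceObject } else { $null }
    }
}

$summary = Get-ShadowCopySummary -VolumeLetter 'C'
$summary

if ($summary.ShadowCount -eq 0) {
    Write-Warning 'No shadow copies on this volume: restore from an offline backup instead.'
} else {
    # Expose the newest snapshot through a directory symlink so that files can
    # be copied out with Explorer or Copy-Item. The trailing backslash on the
    # device object path is required by mklink.
    $link = 'C:\ShadowSnapshot'
    cmd /c mklink /d $link "$($summary.DeviceObject)\"
    # Copy what you need from $link\Users\<name>\..., then remove the link:
    #   cmd /c rmdir $link
}
```

A non-zero ShadowCount only means a snapshot exists, not that it predates the encryption, so compare NewestShadow with the time the first encrypted files appeared. Later ransomware families delete shadow copies as part of their run, which is why wpn's offline disk or tape backup remains the reliable option.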




Offline helmut1

  • Newbie
  • *
  • Posts: 3
Re: CryptoLocker
« Reply #6 on: September 25, 2013, 02:14:38 PM »
I need help contacting them, I need to pay the money, but I am not getting the ransom notice any more,

please forward me their phone number, or tell me how to start the Cryptolocker.exe again

my time has not run out, I should have about 40ish hours left



Offline helmut1

  • Newbie
  • *
  • Posts: 3
Re: CryptoLocker
« Reply #7 on: September 25, 2013, 07:05:15 PM »
OK - I paid the $300 (2 bitcoins) and after about 30 minutes the programme started to unencrypt the files :)

then it got to a file that a user on the next work replaced, the Cryptolocker said this file may be damaged or used by another process,
Retry Cancel

if I Cancel will it end the whole programme????????

Offline nannunannu

  • Full Member
  • ***
  • Posts: 168
Re: CryptoLocker
« Reply #8 on: September 25, 2013, 07:08:45 PM »
No idea, but I'd try copying one of the other files that is later in the list over the one that is "lost" at this point...  then hitting retry...  The other file should still be encrypted using the private key, and should decrypt just fine (even though it isn't the original file with that file name, in that path)...  I doubt they are doing a checksum or anything to verify that the original file is actually restored.

Offline helmut1

  • Newbie
  • *
  • Posts: 3
Re: CryptoLocker
« Reply #9 on: September 25, 2013, 08:25:30 PM »
thank you, very good idea :),
but I didn't try it, I went ahead and clicked Cancel, and the programme then continued down the list,


Offline Loominal

  • Newbie
  • *
  • Posts: 16
Re: CryptoLocker
« Reply #10 on: September 26, 2013, 02:02:34 PM »
don't forget to do a backup of your personal files.. then reformat the machine!!!!!!! reinstall the OS on it.

Offline wrg

  • Newbie
  • *
  • Posts: 1
Re: CryptoLocker
« Reply #11 on: October 01, 2013, 04:41:06 PM »
Got the virus on the server yesterday.  Was not sure but paid the $300.  Waited 12 hours before decrypt started.   Files are being decrypted now.  Expect to be done in 4 to 6 hours.  Have had several temp corrupted files but cancel button got by them.  Real scary because backup was corrupted. 

Offline Arnold72

  • Poster
  • *
  • Posts: 501
  • Gender: Male
  • RIP.Jay "padre" Miner.(May 31, 1932 – June 20, 19
Re: CryptoLocker
« Reply #12 on: October 01, 2013, 05:31:38 PM »
I think programs like online armor and comodo internet security would stop this successfully.
This seems to show a weakness in the avast zero-day component.
Avast Free V9.0.2006.||Comodo Firewall 6.3||Sandboxie.||SUA.||Firefox Web Browser.

Offline .: Mac :.

  • avast! Überevangelist
  • Ultra Poster
  • *****
  • Posts: 4599
  • Gender: Male
    • Championship Networks
Re: CryptoLocker
« Reply #13 on: October 09, 2013, 11:35:06 AM »
I think programs like online armor and comodo internet security would stop this successfully.
This seems to show a weakness in the avast zero-day component.

I don't think so. In September we had this get by avast and it encrypted an entire network folder (mapped drive). This customer had a gateway web filter that also scanned for malware and an email filter, and it bypassed all three.
"People who are really serious about software should make their own hardware." - Alan Kay

Offline Arnold72

  • Poster
  • *
  • Posts: 501
  • Gender: Male
  • RIP.Jay "padre" Miner.(May 31, 1932 – June 20, 19
Re: CryptoLocker
« Reply #14 on: October 09, 2013, 03:08:08 PM »
Thank you for the info.
However would a HIPS software stop this?

Has anyone tried it?
Avast Free V9.0.2006.||Comodo Firewall 6.3||Sandboxie.||SUA.||Firefox Web Browser.
