CryptoLocker

My clients' computers have been infected with CryptoLocker. I'm trying to assist them. Any suggestions for removal?

Thanks!
pabrann (President) asked:
oneononecomp commented:
Use System Restore to go back prior to infection. If unable, use Malwarebytes, SUPERAntiSpyware and ComboFix.

www.malwarebytes.org
www.superantispyware.com
www.bleepingcomputer.com/combofix
0
pabrann (President, author) commented:
This virus has spread through my client's network and all workstations and servers are infected. It has encrypted all PDF, MDB, Word, and other documents on all systems. Will these removal tools you suggest restore their files?

Thanks!
0
oneononecomp commented:
My own experience is yes. You may have to start in Safe Mode with Networking to download these programs. Do not run them in Safe Mode. Disable your AV and AS software before running these scans.
0
pabrann (President, author) commented:
My client has evidently been able to remove the virus, but files on their shared network drives are still encrypted. They have run Malwarebytes and ComboFix, but not SUPERAntiSpyware. They are going to try it now. They are going to copy one of the infected files from a network drive to a disconnected workstation, run the scans and hope it works.

Thanks again!
0
oneononecomp commented:
Now that the virus has been cleaned, your client should be able to use System Restore to get back to a state before infection. This is the quickest solution.
0
pabrann (President, author) commented:
They are working with their IT firm to do a restore. Evidently, though, their IT firm is having difficulties and not returning calls. They received a message on their workstation telling them to pay a certain fee by the end of this week. If they pay the fee, a key to fix their files will be sent to them; otherwise the encryption is permanent. This is unbelievable!
0
smckeown777 commented:
I had this on a client network just last week...the only way to get those documents back is a restore from backup...it's one of the deadliest viruses I've seen in a long time...we restored the server's shares back to a previous backup and got everything working again...

Without that you are in trouble. The virus advertises that if you pay them they will decrypt the files...but I've no clue if this is legit or not. For all we know you could be sending money into a black hole and never see anything.
0
eddie-f commented:
I rarely post to questions but I thought I could share a little of what I know about your problem.

Everyone claiming how easy it is to remove the virus is not doing you any favors. This is not a difficult virus to remove. It is the encryption of the files that needs to concern people.

I wish I had better news, but if your files are already encrypted (they are) then you can restore from backup, pay the ransom within the time remaining in the countdown timer, or, if you have Volume Shadow Copy enabled on certain OSes, you can recover previous versions from that.

I have been reading a lot of info for the past week on the CryptoLocker or CriLock virus. Here is the best place for a complete discussion of the virus and the options if you are infected:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

Here is what I have found, although I am by no means an expert on it:

1. Seems to be mostly from email attachments, often from FedEx, UPS, Dun & Bradstreet, etc. The email claims to be about a customer complaint or similar. There are instances where it has also come from hijacked web sites or bad web links in pages.

2. The virus is not very hard to get rid of BUT BEWARE...

3. The files really are encrypted and cannot be decrypted without the public key (attached to the file) and the private key (stored on the "Secret Server", i.e. the bad guys' server).

4. People that have paid the ransom have reported that the files do indeed get decrypted (although it can take 5+ hours for the program to begin the automated decryption) and then the virus even uninstalls itself (how nice of them). They require payment by Green Dot MoneyPak (or something like that) or bitcoins. The MoneyPak is like a pre-paid credit card that you cannot get a refund on. The virus even helps you find a local MoneyPak location (CVS, K-Mart, Walgreens, etc.)

5. If you remove the virus from the computer, you will not be able to pay the ransom. People have tried to "re-infect" themselves after removal in order to pay the ransom but this creates a double-encrypted file and cannot be decrypted even after payment.

6. If the timer runs out (it starts at 72 hours) the virus either just lies dormant or uninstalls itself. At that point decrypting the files is impossible because the key stored on the bad guys' server is destroyed.

7. Apparently the virus changes itself so frequently that it has been able to get past even the most up-to-date AV programs. The only real protection is diligent backups.

8. The virus encrypts MANY common file extensions including .doc, .xls, .jpeg, .pdf, plus many more.

9. The virus will even encrypt files on mapped network drives. Files on a server can get encrypted even if the virus is not on the server. If a workstation has a mapped drive and write permissions, all of the files (with matching extensions) will be encrypted. THIS IS VERY SCARY!

Again, I am no expert on any of this and things are changing. What doesn't seem to change is that without a backup, decrypting the files seems to be impossible without paying the ransom. In my humble opinion, this is a game changing virus.

Good luck!
Eddie F.
0
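Eddie's points 8 and 9 describe the state a defender is left in: documents on a mapped share that keep their extensions but whose contents have been replaced by ciphertext. The script below is an added example, not code from this thread or from any tool named in it; it triages a share by flagging files whose header no longer matches their extension and whose first few KB are near-random (Shannon entropy close to 8 bits per byte). The magic-byte table is a constructed subset, the 7.5-bit threshold is an assumed cut-off, and the sample "share" is built in a temp directory.

```python
import math
import os
import random
import tempfile

# Leading "magic" bytes expected for a few of the extensions the thread lists.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpeg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document, shared with .xls
    ".xls": b"\xd0\xcf\x11\xe0",
    ".mdb": b"\x00\x01\x00\x00Standard Jet DB",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; plain documents sit well below 7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: str, sample_size: int = 4096, threshold: float = 7.5) -> bool:
    """True when the header no longer matches the extension AND the head is near-random."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False                          # no signature to compare against
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(MAGIC[ext]):
        return False                          # still a valid-looking document
    return shannon_entropy(head) > threshold

def scan_share(root: str) -> list:
    """Walk a directory tree (e.g. a mapped share) and return suspect paths, sorted."""
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root)
                  for f in fs if looks_encrypted(os.path.join(d, f)))

def demo() -> list:
    """Write a constructed sample share to a temp dir and return suspect basenames."""
    rng = random.Random(1)                    # deterministic stand-in for ciphertext
    samples = {
        "report.pdf": b"%PDF-1.4\n" + b"% constructed pdf body line\n" * 150,
        "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 4000,
        "invoice.pdf": bytes(rng.getrandbits(8) for _ in range(4096)),
    }
    with tempfile.TemporaryDirectory() as share:
        for name, body in samples.items():
            with open(os.path.join(share, name), "wb") as fh:
                fh.write(body)
        return [os.path.basename(p) for p in scan_share(share)]
```

A hit list from `scan_share` tells you which files to pull from backup or from Previous Versions; it does not identify the malware, so a legitimately encrypted or compressed file with a stripped header would also be flagged and needs a manual look.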
oneononecomp commented:
What is the ransom amount?
0
pabrann (President, author) commented:
I will call this morning to find out the ransom amount and more details on how it was received.
0
pabrann (President, author) commented:
I called my client and they informed me that they did not actually receive a ransom amount. They also mentioned that they had two active viruses. The first virus made it appear that all files were undetectable on the hard drives. They fixed that virus and then the cryptolocker established itself. They don't know if the two viruses are connected.
0
eddie-f commented:
When Version 1 of the virus came out about a month ago it was $100. Now in version 2 it is $300.
0
pabrann (President, author) commented:
Excellent responses, thank you so much!
0