Cryptolocker Ransomware: virus affected, how to retrieve files

Hi

Recently one of our computers was affected by the Cryptolocker ransomware virus. All the files on the system are encrypted. Could anyone help me with how to decrypt these files?

regards
NIYAS
zoscoit, Network Administrator, asked:

Alan Hardisty, Co-Owner, commented:
You have two options here:

1. Restore the files from backup.
2. Pay the $300 ransom

If you don't have a backup, you have no choice but to pay unfortunately. This will decrypt your files according to the stories on the web.

Alan
0

David Atkin, Technical Director, commented:
Personally I wouldn't pick the option to pay the ransom.  In most cases you will pay the money and get nothing in return.

Restoring from the backup as suggested by Alan would be the best thing to do - If you have a backup that is.
0
zoscoit, Network Administrator (Author), commented:
i don't have a backup; that's the problem
0
David Atkin, Technical Director, commented:
Then unfortunately the only option you have is to attempt to pay the ransom charge.
0
Alan Hardisty, Co-Owner, commented:
Reading everything I have done on the web suggests that your files will be decrypted.

Once they are - make sure you back them up and keep them backed up regularly.  Don't use something like DropBox as a backup - we had a customer whose entire DropBox data got encrypted and they did get the data back, but it took them about 48 hours for DropBox to restore the data back to before the virus kicked in.
0
☠ MASQ ☠ commented:
alanhardisty is correct. The way this nasty works is to generate a unique encryption key once Cryptolocker is installed (it "calls home" to one of a series of servers and stores the key in a database with a unique identifier for later decryption).  If you have a backup of ANY of the data files, the Panda decryption tool, which compares files with a brute force search, can get the key, but if you have no backup then currently you either lose the data or pay.  It's where most of the antimalware resources are being directed at the moment.  From a malware product perspective this is actually very clever, as the amount of ransom is, for a lot of people, a price they are prepared to pay.  If the files couldn't be recovered the culprits would very quickly lose credibility and income.

Best solution at the moment is catch it early and disconnect the system from the outside world.  Not that this is much help to you.
0
Alan Hardisty, Co-Owner, commented:
The problem with the virus is that it only pops up the ransom warning once your files have been encrypted, so you get little warning.

The virus usually arrives in an email claiming to be Companies House or a similar government authority and you then open the email attachment and then you are screwed.

Looking through our anti-spam logs, the file is a .zip attachment and seems to be sent from the email address fraud@aexp.com, so we are now actively blocking this email address and .zip files from coming anywhere near our servers or our customers, and this has stopped our customers from being infected.
0
Alan Hardisty, Co-Owner, commented:
Emails are now coming through from welcome@aexp.com - so blocking *@aexp.com will help.
0
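The two posts above describe a gateway rule: block mail from the sender domain the campaign was seen using and block .zip attachments outright. The following is an added example, not code from the thread or from any product mentioned in it, that applies those two rules to raw RFC 822 messages and reports why a message was blocked. It goes one step beyond the posts by listing the member names of a blocked zip so the log shows what the archive carried. The rule set, the sample messages and the `example.invalid` addresses are constructed for the example; the aexp.com domain is the one named in the posts.

```python
import email
import email.utils
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed rule set mirroring the posts: the sender domain the campaign
# was seen using, and the attachment type it carried.
BLOCKED_SENDER_DOMAINS = {"aexp.com"}
BLOCKED_ATTACHMENT_EXTENSIONS = {".zip"}


def sender_domain(msg) -> str:
    """Return the lower-cased domain of the From: address, or '' if absent."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def zip_members(part) -> list:
    """List member names of a zip attachment, or [] if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def classify_message(raw: bytes) -> dict:
    """Apply the gateway rules to one raw message.

    Returns the sender address, the list of rule hits and a block verdict.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    domain = sender_domain(msg)
    if domain in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain} is on the block list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_ATTACHMENT_EXTENSIONS:
            members = zip_members(part) if ext == ".zip" else []
            reasons.append(f"attachment {name!r} is a blocked type; contents: {members}")
    return {
        "from": email.utils.parseaddr(msg.get("From", ""))[1],
        "reasons": reasons,
        "block": bool(reasons),
    }


def build_sample(from_addr: str, attach_zip: bool) -> bytes:
    """Build a constructed test message, optionally with a zip attachment.

    The zip member is a harmless placeholder text file with a misleading name,
    the kind of lure a gateway log should make visible.
    """
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your statement"
    msg.set_content("Please see the attached document.")
    if attach_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("statement.pdf.exe", b"constructed placeholder, not malware")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, has_zip in [("welcome@aexp.com", True),
                            ("colleague@example.invalid", True),
                            ("colleague@example.invalid", False)]:
        print(classify_message(build_sample(sender, has_zip)))
```

The From: header is chosen by the sender, so the domain rule only stops the one campaign the posts saw and will miss the next one; the attachment-type rule is the durable part, and logging the archive's member names (for instance a double-extension name like `statement.pdf.exe`) gives the help desk something concrete to look for when a user reports a blocked message.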
Rich Rumble, Security Samurai, commented:
Have a look at Microsoft's removal tool, it is supposed to help decrypt them
http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
Never pay the ransom. If they do decrypt the files then they are the nicest bad guys I've seen; otherwise just think about it, there is no incentive for them to decrypt the files. They are often mangled and not the correct size any longer, so the files are corrupt 50% of the time. But the attackers often make mistakes that the good guys can use to reverse the effects. Often you can even use an "undelete" utility to find some copies of files intact, but it's a long shot. You may have to wait until the proper authorities in this matter can take over the bad guys' servers and find the keys. I'd expect that to happen in a few weeks or less.
-rich
0
Alan Hardisty, Co-Owner, commented:
@richcrumble - there is no mention of how to unencrypt the files and having dealt with and read plenty on the web about this virus, the ONLY way to unencrypt the files (at the moment) is to pay the ransom demand.  Whilst this goes against every principle I have, if you don't have a backup, it is the ONLY way.

The virus is easy enough to get rid of. It usually spawns two active processes, and if you kill one, the second one spawns another, but the following DOS command will kill both processes. Then, however, you don't get the opportunity to pay the ransom, so my advice is to not kill anything until you either get your files back via backup or have paid.

taskkill /f /im nameofexefilerunning.exe

If you get the pop-up, disconnecting the LAN cable / turning off the Wi-Fi link will stop any further activity until you are ready to either kill it permanently or pay the ransom.
0
Sudeep Sharma, Technical Designer, commented:
Hello NIYAS,

alanhardisty and MASQUERAID are right. Currently there is no way you could decrypt the files, as there is no decryption tool available yet to do this. However, if you have Windows 7 you could still try retrieving the files from Shadow Copy (if you have that enabled). Please check the link below, which will help you in getting your files from Shadow Copy, what to do when you are infected, and how to stop further infection by Cryptolocker.

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Thanks,
Sudeep Sharma
0
ambri5h commented:
We had this recently at our workplace ironically... these are the steps we undertook.

1. Isolate the infected machine(s) from the network.
2. Check Servers/Network shares to see if it has not gotten into your network.
3. Download MalwareBytes and your company's virus definitions onto a USB drive.

Boot up machine and login with local administrator account - preferably in safe mode with networking. Update the definition on MalwareBytes and then disconnect the network cable.
Run scans on all drives using the above tools... make sure you do a full scan. Post results here if necessary...

For files that are affected, depending on when the virus hit your network, you can as others have said - utilise ShadowCopy or other backup tools to restore your corrupted data if you have any.
0
Scott Silva, Network Administrator, commented:
This is a nasty one, and if you do choose to pay the ransom, make sure you use all the precautions you can. Buy a debit-type gift card with only the ransom amount on it, just in case they have a way to get into your accounts... Prevention is the only way to stop this one so far... They use 256-bit AES encryption, and each file is key encrypted... It would take years to brute force attack those...
0
byundt, Mechanical Engineer, commented:
The Panda decryption tool that MASQUERAID mentioned can be obtained here: http://www.pandasecurity.com/uk/homeusers/support/card?id=1675
"How to restore renamed .exe, .doc and .pdf files with Panda Ransomware Decrypt tool"

It will likely ask for an unencrypted file and its encrypted version. By comparing the two files, it can derive the necessary Private key. You might be able to find an unencrypted file as an attachment in your email.
0
Scott Silva, Network Administrator, commented:
I don't think that tool will work on Cryptolocker infected files, but I guess it won't hurt to try... But you usually can't find the private key even with the public key. One key encrypts, and the other decrypts.
0
LeeTutor, retired, commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
Alan Hardisty, Co-Owner, commented:
Sorry - but the only way to get the files back is to restore or pay.

Question has been answered in my first comment.

Objecting to the intended closure.

Alan
0
Scott Silva, Network Administrator, commented:
His answer was the best... So far there is no recovery method available besides a good backup.
0