Solved

CryptoLocker infection

Posted on 2013-11-07 | 16 comments | 749 views | Last Modified: 2013-12-02
One of my users opened an email attachment (voicemail), but it was an application, and they got infected with CryptoLocker. It has affected several shares and all of the files on the computer.

They are demanding $300.

I do have backups I can restore from. My question is: how do I know the virus is only on this machine and hasn't infected the server where the file shares are? 2 of the 5 shares seem to be infected.

Is it worth paying the $300?

BTW, still not sure how the infection got past the spam filter, Fortinet firewall, and Panda Cloud Antivirus.
0
Question by:datatechdc
16 Comments
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points
ID: 39630948
If you have backups, use them. Whatever you do, DO NOT use a credit card to pay for decrypting (if you go that route). Your network shares have a good chance of being infected - if you can open files you are okay. Make sure the infected machines are not on the network.

Check out these links for preventive measures (I know it is a bit of closing the barn doors after the cow is gone, but...)

http://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/

This one purports to be a fix, although I have no first-hand experience with it and have some doubts as to its veracity (as do many of the commenters at the bottom of the article):

http://malwarefixes.com/remove-cryptolocker-virus/
0
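A way to mechanize the "if you can open files you are okay" check from the answer above, as an added example that is not part of this thread: the script compares each file's first bytes with the header its extension promises, then uses byte entropy to separate ciphertext-like content from a merely renamed file. The MAGIC table, the 7.5-bit threshold and the sample share it builds are assumptions of the example; it makes no claim about which names or extensions CryptoLocker itself leaves behind. Run it against shares mounted read-only from a machine known to be clean.

```python
import math
import os
import random
import tempfile
from pathlib import Path

# Leading bytes ("magic numbers") that files of these types normally start with.
# Assumption: this table is illustrative; extend it for the types on your shares.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: Path, entropy_threshold: float = 7.5) -> str:
    """Compare a file's first bytes with what its extension promises.

    Returns one of:
      'ok'              header matches the extension (the file should open)
      'high-entropy'    header does not match and the content looks like ciphertext
      'header-mismatch' header does not match but is not random-looking
                        (a renamed or truncated file; still worth a look)
      'unknown-type'    extension not in MAGIC, so nothing to compare against
    """
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return "unknown-type"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(head.startswith(magic) for magic in expected):
        return "ok"
    if shannon_entropy(head) >= entropy_threshold:
        return "high-entropy"
    return "header-mismatch"


def scan_share(root) -> dict:
    """Walk a share and classify every file; keys are paths relative to root."""
    root = Path(root)
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            results[str(path.relative_to(root))] = classify_file(path)
    return results


def flagged(results: dict) -> list:
    """Names that failed the header check, sorted for reporting."""
    return sorted(n for n, v in results.items() if v in ("high-entropy", "header-mismatch"))


def build_sample_share() -> str:
    """Constructed test data standing in for a share; not files from a real incident."""
    root = tempfile.mkdtemp(prefix="share_")
    rng = random.Random(1)  # deterministic stand-in for encrypted content
    samples = {
        "report.pdf": b"%PDF-1.4\n% constructed sample document\n",
        "minutes.docx": b"PK\x03\x04" + b"\x00" * 64,
        "budget.xlsx": bytes(rng.getrandbits(8) for _ in range(4096)),
        "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,  # a PNG that was renamed
        "notes.txt": b"plain text, no header to check\n",
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


if __name__ == "__main__":
    results = scan_share(build_sample_share())
    for name, verdict in sorted(results.items()):
        print(f"{verdict:16} {name}")
    print("flagged:", flagged(results))
```

The header check runs before the entropy check on purpose: a genuine .docx or .zip is compressed and would score as high-entropy on its own, but it still starts with the bytes its extension promises. Files reported as "unknown-type" are simply ones the table says nothing about, so add the types your shares actually hold before trusting a clean result.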
 

Author Comment

by:datatechdc
ID: 39630991
I have located the infected files. It only got to 2 out of the 5 shares, and I located the email that it came from. The email disguised itself as a voicemail in a zip file. When you open it, the file type is an exe and not an audio file.

How can I check to see if other machines on the network got infected?
0
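The lure described in the comment above (a zip that claims to hold a voicemail but contains an .exe) can be caught at the mail gateway by looking inside the archive rather than trusting the attachment's name. The following is an added example, not code from this thread or from any of the products mentioned; the extension lists, the member limit and the sample archive it constructs are assumptions of the example.

```python
import io
import zipfile

# Extensions Windows will execute on double-click (assumption: illustrative list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a "voicemail" lure would borrow to look harmless.
AUDIO_EXTENSIONS = {".mp3", ".wav", ".wma", ".m4a"}
MAX_MEMBERS = 1000  # refuse to walk absurdly large archives


def _extensions(member_name: str) -> list:
    """['.mp3', '.exe'] for 'VoiceMail.mp3.exe'; [] when the name has no dot."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_zip_attachment(data: bytes) -> dict:
    """Map each suspicious archive member to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise ValueError("archive has too many members to inspect")
        for info in infos:
            if info.is_dir():
                continue
            reasons = []
            exts = _extensions(info.filename)
            final = exts[-1] if exts else ""
            # Read only the first two bytes: enough to spot a PE image ('MZ')
            # without inflating a possibly huge member.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE header (MZ)")
            if final in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {final}")
            if len(exts) >= 2 and exts[-2] in AUDIO_EXTENSIONS and final in EXEC_EXTENSIONS:
                reasons.append("audio-looking name with a trailing executable extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed archive for the demo; the 'executable' is an inert two-byte stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Only the leading 'MZ' matters to the check; the rest is filler.
        zf.writestr("VoiceMail.mp3.exe", b"MZ" + b"\x90" * 62 + b"constructed stub")
        # A harmless RIFF/WAVE header, as a genuine audio attachment would carry.
        zf.writestr("greeting.wav", b"RIFF\x24\x00\x00\x00WAVEfmt ")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip_attachment(build_sample_attachment()).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
```

Windows Explorer hides known extensions by default, so a member named VoiceMail.mp3.exe is displayed as VoiceMail.mp3; that is why the check keys on the MZ header and the full extension chain rather than on what the user would see. Reading only two bytes per member also keeps the inspector safe against archives whose members inflate to enormous sizes.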
 

Author Comment

by:datatechdc
ID: 39630993
BTW, they want payment in the form of Bitcoin. The question is, if I wanted to pay the $300 and get the key just in case, how would I decrypt all of the data they infected? Is there a utility or software, or do you have to do it one at a time?
0
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points
ID: 39631034
They supposedly give you the key, and then you can unencrypt all files on a drive at once by using a standard decryptor and inputting the key they provide (see the supposed solution link - they are using a Sophos decryptor that will request a decryption key).
0
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points
ID: 39631041
Oh, and if you have backups you won't need the decryption key - but just in case, make another backup before the restore.
0
 

Author Comment

by:datatechdc
ID: 39631062
I'm checking my backups now. Absolutely ridiculous how they can do this.

What are the chances, if you pay the money, they will actually provide the key?
0
 
LVL 26

Accepted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 500 total points
ID: 39631087
From the people I've spoken to, the key has been provided. Just don't give them any info that will allow them to steal $$ or your identity. It is ridiculous, so if you can use backups, all the better.
0
 

Author Comment

by:datatechdc
ID: 39631100
Have you used Bitcoin? Seems to be a safe way to send money without compromising identity.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 39631124
Never used it. I do use PayPal and feel that is fairly safe.
0
 

Author Comment

by:datatechdc
ID: 39631134
They only accept Bitcoin or MoneyPak.
0
 

Author Comment

by:datatechdc
ID: 39631447
The Panda utility doesn't work at all. Even though I have a good version of the same files, it still doesn't work.

Looks like I'm fully depending on my backup.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 39631495
Sorry to hear. Good luck.
0
 

Author Comment

by:datatechdc
ID: 39637957
I obtained the key. What utility can I use to decrypt the files?
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 39638873
There are a number of tools. Although I have no personal experience with it, Kaspersky recommends their own klwk utility (http://support.kaspersky.com/viruses/utility and http://support.kaspersky.com/55).
0
 

Author Comment

by:datatechdc
ID: 39639851
I don't see how these utilities will allow me to use the encryption key I paid for to decrypt the files?
0