  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1164

Help Cryptolocker virus

Hello fellow experts,

Yesterday my organization was hit with the CryptoLocker virus despite our attempts to keep the network free of such nuisances; needless to say, it managed to do damage to a majority of our shared network files.  We were successful in removing it from the infected computer. Is there any way to repair the damaged files?

So far I have tried Shadow Copy and that didn't work.

Any assistance or advice would be greatly appreciated.
Darrell
0
Asked by: Darrell James
1 Solution

DidUReboot commented:
You could try using System Restore Explorer and copy those files out of a system restore prior to the infection.
http://www.majorgeeks.com/files/details/system_restore_explorer.html
0
 
pony10us commented:
According to Malwarebytes unless you have a good backup that is not attached (thumb drive, network mapped drive, etc. are considered attached) you have very little chance of recovery.

Even if you use something like Dropbox and remain connected all the time you may have lost your data.

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
0
 
Darrell James, Director of Information Technology (Author) commented:
Yeah, I think I am screwed. Anyone got the link to just pay it? We removed the virus so the pop-up window is gone.
0
 
Axis52401, Security Analyst, commented:
All my clients have had to restore affected files from backups.
0
 
Giovanni Heward commented:
The malware authors have launched a decryption service.  This service is available by connecting directly to a Command & Control server's IP address or FQDN, or through Tor via the f2d2v7soksbskekh.onion/ address.

[Screenshot: f2d2v7soksbskekh.onion/ CryptoLocker decryption service]
Here's a technical description of why brute-force recovery is unrealistic without the private key needed for decryption: http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Q_28275170.html#a39606853

Here are some preventative recommendations that would mitigate future variants designed to bypass the recommended GPO, AppLocker, and SRP policies.

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28233648.html#a39474622
http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/
0
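The AppLocker and SRP policies the answer above refers to are, at their core, path rules that refuse to run executables from the per-user profile folders where CryptoLocker-era droppers landed. The script below is an added example, not code from this thread or from the linked posts, showing how such a policy is built, dry-run against a throwaway file, and only then merged into the local policy. It assumes a Windows SKU that ships the AppLocker module, an elevated PowerShell session, and the Application Identity service running for enforcement; the rule names, the probe file name and the output path are my own choices.

```powershell
# Added example, not code from the thread or the linked posts. It builds an
# AppLocker "Exe" policy that denies executables launched from per-user
# AppData paths while keeping the three default allow rules, tests a probe
# file against it, and leaves the actual apply step commented out.
# Assumptions: Windows SKU with the AppLocker module, an elevated session,
# and the Application Identity service (AppIDSvc) running for enforcement.

# Per-user profile locations to deny (AppLocker path variables, not env vars).
$denyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Roaming\*',     # %AppData%
    '%OSDRIVE%\Users\*\AppData\Local\*',       # %LocalAppData%, includes Temp
    '%OSDRIVE%\Users\*\AppData\LocalLow\*'
)

# Once a rule collection contains any rule, AppLocker blocks everything that
# no allow rule matches, so the default allow rules must ship alongside the
# deny rules. Deny rules take precedence over allow rules.
$allowRules = @(
    @{ Name = 'Allow Program Files';  Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' },
    @{ Name = 'Allow Windows';        Sid = 'S-1-1-0';      Path = '%WINDIR%\*' },
    @{ Name = 'Allow Administrators'; Sid = 'S-1-5-32-544'; Path = '*' }
)

function New-PathRuleXml([string]$Name, [string]$Sid, [string]$Path, [string]$Action) {
    # Every rule needs a unique GUID; generate one per run.
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$ruleXml = @($allowRules | ForEach-Object { New-PathRuleXml $_.Name $_.Sid $_.Path 'Allow' }) +
           @($denyPaths  | ForEach-Object { New-PathRuleXml "Deny EXE from $_" 'S-1-1-0' $_ 'Deny' })

# Start in AuditOnly: event 8003 in the AppLocker\EXE and DLL log records what
# would have been blocked. Change to "Enabled" after reviewing those events.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($ruleXml -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'   # hypothetical output path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run. Test-AppLockerPolicy evaluates real files, so copy a signed Windows
# binary into the user's Temp folder as a harmless probe and check the decision.
$probe = Join-Path $env:LOCALAPPDATA 'Temp\applocker-probe.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:SystemRoot\System32\notepad.exe" -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $probe -Force

# Apply to the local machine only after the dry run shows "Denied" for the
# probe and "Allowed" for the System32 copy. -Merge keeps existing rules.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two caveats before rolling this out by GPO: denying all of `%LocalAppData%` also blocks legitimate per-user installers that unpack there, so audit events need reviewing and exceptions adding for those; and, as the answer above notes, later variants were built to launch from locations these rules do not cover, so the policy is one layer next to offline backups, not a substitute for them.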
 
Darrell James, Director of Information Technology (Author) commented:
Thanks buddy, tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.
0
 
Giovanni Heward commented:
"tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now."

Did you use the Tor software?  You can't see it or connect to it without Tor.
0
 
Darrell James, Director of Information Technology (Author) commented:
Oops, didn't realize I had to download the Tor browser; trying now.
0
 
Darrell James, Director of Information Technology (Author) commented:
Thanks for the information; this is very helpful.
0
 
Giovanni Heward commented:
Long story short, long-term preventative solutions for this (and the majority of malware in general) would be the following approach:

1. FireEye
2. Invincea
3. EMET
4. OpenDNS

The core of the FireEye platform is the patented Multi-Vector Virtual Execution (MVX) engine, which provides dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted advanced persistent threat (APT) attacks by detonating suspicious files, Web objects, and email attachments within instrumented virtual machine environments.

A poor man's approach would be to create a virtual DMZ at the endpoint.  This could be done via VirtualBox by creating an isolated and dedicated VM for interacting with the Internet and Internet-based downloads.  When the VM is infected or compromised, simply revert the VM image back to a clean state.

And of course.  Backup! Backup! Backup! :o)
0
Question has a verified solution.