Solved

Help Cryptolocker virus

Posted on 2013-11-14
10
1,070 Views
Last Modified: 2013-11-15
Hello fellow experts,

Yesterday my organization was hit with the cryptolocker virus despite our attempts to keep the network free of such nuisance; needless to say, it managed to do damage to a majority of our shared network files. We were successful in removing it from the infected computer. Is there any way to repair the damaged files?

So far I have tried Shadow Copy and that didn't work.

Any assistance or advice would be greatly appreciated.
Darrell
0
Question by:darrellajames
10 Comments
 
LVL 1

Expert Comment

by:DidUReboot
ID: 39649797
You could try using System Restore Explorer and copy those files out of a system restore prior to the infection.
http://www.majorgeeks.com/files/details/system_restore_explorer.html
0
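The restore-point route suggested above can also be done with built-in Windows tools. The following is an added example, not code posted by anyone in this thread: it picks the newest Volume Shadow Copy snapshot older than a chosen cutoff and copies one file out of it. The share path, the volume letter and the cutoff are constructed placeholders; the script assumes it runs in an elevated PowerShell session (mklink needs it) and that a snapshot from before the incident still exists. If none does, it reports that and stops, which is the same outcome the asker saw with Shadow Copy.

```powershell
# Added example, not code from the thread: restore one file from a Volume Shadow
# Copy snapshot taken before a given cutoff, using only built-in Windows tools.
# Assumptions: elevated session (mklink needs it); the volume, share path and
# cutoff below are constructed placeholders, not values from the thread.
param(
    [string]   $Volume       = 'D:',                         # volume hosting the share
    [string]   $RelativePath = 'Shares\Finance\budget.xlsx', # constructed example path
    [datetime] $Cutoff       = (Get-Date).AddDays(-2),       # a moment before the infection
    [string]   $Destination  = 'C:\Recovered'
)

# Map the drive letter to its volume GUID path; Win32_ShadowCopy names volumes that way.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found" }

# Newest snapshot that still predates the cutoff; InstallDate is the snapshot time.
$snap = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Cutoff } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $snap) { throw "No shadow copy of $Volume older than $Cutoff" }
Write-Host "Using snapshot $($snap.ID) taken $($snap.InstallDate)"

# PowerShell providers cannot open \\?\GLOBALROOT paths directly, so expose the
# snapshot through a temporary directory symlink (the trailing backslash matters).
$link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
try {
    $source = Join-Path $link $RelativePath
    if (-not (Test-Path -LiteralPath $source)) { throw "$RelativePath is not present in the snapshot" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # Keep the snapshot timestamp in the name so copies from several snapshots can coexist.
    $stamp  = $snap.InstallDate.ToString('yyyyMMdd-HHmmss')
    $target = Join-Path $Destination ("$stamp-" + (Split-Path $RelativePath -Leaf))
    Copy-Item -LiteralPath $source -Destination $target

    # Record a hash so the recovered copy can be compared against backups or other snapshots.
    Write-Host "Recovered $target SHA256=$((Get-FileHash -LiteralPath $target).Hash)"
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd /c rmdir "$link" | Out-Null
}
```

Run it as, for instance, `.\Restore-FromShadow.ps1 -Volume 'D:' -RelativePath 'Shares\Finance\budget.xlsx' -Cutoff '2013-11-13'`, then open the recovered file and check it before overwriting anything on the share; a snapshot taken after the files were already encrypted will yield an equally unusable copy, which is why the cutoff is chosen earlier than the first sign of trouble.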
 
LVL 26

Expert Comment

by:pony10us
ID: 39649832
According to Malwarebytes unless you have a good backup that is not attached (thumb drive, network mapped drive, etc. are considered attached) you have very little chance of recovery.

Even if you use something like Dropbox and remain connected all the time you may have lost your data.

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
0
 

Author Comment

by:darrellajames
ID: 39650069
Yeah I think I am screwed, anyone got the link to just pay it? We removed the virus so the pop up window is gone.
0
 
LVL 2

Expert Comment

by:Axis52401
ID: 39650108
All my clients have had to restore affected files from backups.
0
 
LVL 14

Accepted Solution

by:Giovanni Heward (earned 500 total points)
ID: 39651228
The malware authors have launched a decryption service.  This service is available by connecting directly to a Command & Control server's IP address, FQDN, or through Tor via the f2d2v7soksbskekh.onion/ address.

f2d2v7soksbskekh.onion/ cryptolocker decryption service
Here's a technical description of why brute-force recovery is unrealistic without the private key needed for decryption: http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Q_28275170.html#a39606853

Here are some preventative recommendations which would mitigate against future variants designed to bypass recommended GPO, AppLocker, and SRP policies.

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28233648.html#a39474622
http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/
0
 

Author Comment

by:darrellajames
ID: 39651240
Thanks buddy, tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39651246
tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.

Did you use the Tor software?  You can't see nor connect without it.
0
 

Author Comment

by:darrellajames
ID: 39651251
Oops, didn't realize I had to download the Tor browser; trying now.
0
 

Author Closing Comment

by:darrellajames
ID: 39651257
Thanks for the information, this is very helpful.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39651270
Long story short, long term preventative solutions for this (and the majority of malware in general) would be the following approach:

1. FireEye
2. Invincea
3. EMET
4. OpenDNS

The core of the FireEye platform is the patented Multi-Vector Virtual Execution (MVX) engine, which provides dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted advanced persistent threat (APT) attacks by detonating suspicious files, Web objects, and email attachments within instrumented virtual machine environments.

A poor man's approach would be to create a virtual DMZ at the endpoint. This could be done via VirtualBox by creating an isolated and dedicated VM for interacting with the Internet and Internet-based downloads. When the VM is infected or compromised, simply revert the VM image back to a clean state.

And of course.  Backup! Backup! Backup! :o)
0