• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1155
  • Last Modified:

Help Cryptolocker virus

Hello fellow experts,

Yesterday my organization was hit with the CryptoLocker virus despite our attempts to keep the network free of such nuisances. Needless to say, it managed to do damage to a majority of our shared network files. We were successful in removing it from the infected computer; is there any way to repair the damaged files?

So far I have tried Shadow Copy and that didn't work.

Any assistance or advice would be greatly appreciated.
Darrell
0
Darrell James
 
DidUReboot commented:
You could try using System Restore Explorer and copy those files out of a system restore prior to the infection.
http://www.majorgeeks.com/files/details/system_restore_explorer.html
0
 
pony10us commented:
According to Malwarebytes, unless you have a good backup that is not attached (thumb drive, network-mapped drive, etc. are considered attached), you have very little chance of recovery.

Even if you use something like Dropbox and remain connected all the time, you may have lost your data.

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
0
 
Darrell James (Director of Information Technology, Author) commented:
Yeah, I think I am screwed. Anyone got the link to just pay it? We removed the virus, so the pop-up window is gone.
0
 
Axis52401 (Security Analyst) commented:
All my clients have had to restore affected files from backups.
0
 
Giovanni Heward commented:
The malware authors have launched a decryption service. This service is available by connecting directly to a Command & Control server's IP address or FQDN, or through Tor via the f2d2v7soksbskekh.onion/ address.

f2d2v7soksbskekh.onion/ cryptolocker decryption service
Here's a technical description of why brute-force recovery is unrealistic without the private key needed for decryption: http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Q_28275170.html#a39606853

Here are some preventative recommendations that would mitigate future variants designed to bypass recommended GPO, AppLocker, and SRP policies.

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28233648.html#a39474622
http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/
0
 
Darrell James (Director of Information Technology, Author) commented:
Thanks buddy, tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page; I think that site might be down now.
0
 
Giovanni Heward commented:
tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.

Did you use the Tor software? You can't see or connect to it without it.
0
 
Darrell James (Director of Information Technology, Author) commented:
Oops, didn't realize I had to download the Tor browser. Trying now.
0
 
Darrell James (Director of Information Technology, Author) commented:
Thanks for the information; this is very helpful.
0
 
Giovanni Heward commented:
Long story short, long-term preventative solutions for this (and the majority of malware in general) would be the following approach:

1. FireEye
2. Invincea
3. EMET
4. OpenDNS

The core of the FireEye platform is the patented Multi-Vector Virtual Execution (MVX) engine, which provides dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted advanced persistent threat (APT) attacks by detonating suspicious files, Web objects, and email attachments within instrumented virtual machine environments.

Poor man's approach would be to create a virtual DMZ at the endpoint. This could be done via VirtualBox by creating an isolated and dedicated VM for interacting with the Internet and Internet-based downloads. When the VM is infected or compromised, simply revert the VM image back to a clean state.

And of course: Backup! Backup! Backup! :o)
0
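Several answers above come down to the same thing: the only reliable recovery is restoring affected files from a backup that was not attached to the network when the infection ran. The practical follow-up question is which files on a share actually need restoring. The script below is an added example, not code from any poster or from Malwarebytes; it records a SHA-256 manifest of a clean share (to be stored off the share, alongside the detached backup) and later diffs the live tree against it, so the modified and missing entries become the restore list. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk a directory tree and record the SHA-256 digest of every regular
    file, keyed by its POSIX-style path relative to root. Run this against a
    known-clean share (or the detached backup) and keep the result off the share."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def write_manifest(manifest, dest):
    """Persist the manifest as JSON somewhere the share cannot reach."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def compare_manifest(manifest, root):
    """Diff a stored manifest against the live tree. Returns three sorted lists:
    'modified' (same path, different content), 'missing' (recorded file gone,
    e.g. renamed with a new extension) and 'new' (paths not in the manifest).
    After a mass-encryption incident, modified + missing is the restore list."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    new = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "new": new}


def demo():
    """Constructed scenario (not a real sample): three documents on a 'share'
    are fingerprinted, then one is overwritten in place and another is renamed,
    which is the kind of damage pattern a ransomware run leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "finance").mkdir()
        (share / "finance" / "budget.xlsx").write_bytes(b"original budget")
        (share / "finance" / "notes.docx").write_bytes(b"original notes")
        (share / "readme.txt").write_bytes(b"hello")

        manifest_path = Path(tmp + "_manifest.json")
        write_manifest(build_manifest(share), manifest_path)

        # Simulate damage: content replaced in place, and a file renamed.
        (share / "finance" / "budget.xlsx").write_bytes(b"garbage bytes")
        (share / "finance" / "notes.docx").rename(share / "finance" / "notes.docx.locked")

        result = compare_manifest(load_manifest(manifest_path), share)
        manifest_path.unlink()
        return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the manifest is hash-based rather than timestamp-based, it still catches files whose content was replaced but whose modification time was preserved, and the `new` list surfaces the renamed or extension-appended copies so they can be removed once the originals are restored.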
