Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Help Cryptolocker virus

Posted on 2013-11-14
10
Medium Priority
?
1,126 Views
Last Modified: 2013-11-15
Hello fellow experts,

Yesterday my organization was hit with the cryptolocker virus despite our attempts to keep the network free of such nuisance, needless to say, it manage to do damage to a majority of our shared network files.  We were successful in remove it from the infect computer, is there anyway to repair the damaged files?  

So far I have tried Shadow Copy and that didn't work.

Any assistance or advice would be greatly appreciated.
Darrell
0
Comment
Question by:darrellajames
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 1

Expert Comment

by:DidUReboot
ID: 39649797
You could try using System Restore Explorer and copy those files out of a system restore prior to the infection.
http://www.majorgeeks.com/files/details/system_restore_explorer.html
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39649832
According to Malwarebytes unless you have a good backup that is not attached (thumb drive, network mapped drive, etc. are considered attached) you have very little chance of recovery.

Even if you use something like Dropbox and remain connected all the time you may have lost your data.

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
0
 

Author Comment

by:darrellajames
ID: 39650069
Yeah I think I am screwed, anyone got the link to just pay it? We removed the virus so the pop up window is gone.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 2

Expert Comment

by:Axis52401
ID: 39650108
All my clients have had to restore effected files from backups
0
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 2000 total points
ID: 39651228
The malware authors have launched a decryption service.  This service is available by connecting directly to a Command & Control server's IP address, FQDN, or through Tor via the f2d2v7soksbskekh.onion/ address.

f2d2v7soksbskekh.onion/ cryptolocker decryption service
Here's a technical description of why brute force recovery recovery is unrealistic without the private key needed for decryption: http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Q_28275170.html#a39606853

Here's some preventative recommendations which would mitigate against future variants designed to bypass recommended GPO, AppLocker, and SRP policies.

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28233648.html#a39474622
http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/
0
 

Author Comment

by:darrellajames
ID: 39651240
Thanks buddy, tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39651246
tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.

Did you use the Tor software?  You can't see nor connect without it.
0
 

Author Comment

by:darrellajames
ID: 39651251
Opps, didn't realize I had to download the Tor browser, trying now.
0
 

Author Closing Comment

by:darrellajames
ID: 39651257
Thanks for the information, this is very helpful.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39651270
Long story short, long term preventative solutions for this (and the majority of malware in general) would be the following approach:

1. FireEye
2. Invincea
3. EMET
4. OpenDNS

The core of the FireEye platform is the patented Multi-Vector Virtual Execution (MVX) engine, which provides dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted advanced persistent threat (APT) attacks by detonating suspicious files, Web objects, and email attachments within instrumented virtual machine environments.

Poor man's approach would be to create a virtual DMZ at the endpoint.  This could be done via VirtualBox by creating an isolated and dedicated VM for interacting with the Internet and Internet based downloads.  When the VM is infected or compromised, simply revert the VM image back to a clean state.

And of course.  Backup! Backup! Backup! :o)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question