Solved

Help Cryptolocker virus

Posted on 2013-11-14
1,083 Views
Last Modified: 2013-11-15
Hello fellow experts,

Yesterday my organization was hit with the Cryptolocker virus despite our attempts to keep the network free of such nuisances. Needless to say, it managed to do damage to a majority of our shared network files. We were successful in removing it from the infected computer; is there any way to repair the damaged files?

So far I have tried Shadow Copy and that didn't work.

Any assistance or advice would be greatly appreciated.
Darrell
Question by:darrellajames
10 Comments
 
LVL 1

Expert Comment

by:DidUReboot
ID: 39649797
You could try using System Restore Explorer and copy those files out of a system restore prior to the infection.
http://www.majorgeeks.com/files/details/system_restore_explorer.html
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39649832
According to Malwarebytes unless you have a good backup that is not attached (thumb drive, network mapped drive, etc. are considered attached) you have very little chance of recovery.

Even if you use something like Dropbox and remain connected all the time you may have lost your data.

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
0
 

Author Comment

by:darrellajames
ID: 39650069
Yeah I think I am screwed, anyone got the link to just pay it? We removed the virus so the pop up window is gone.
0
 
LVL 2

Expert Comment

by:Axis52401
ID: 39650108
All my clients have had to restore affected files from backups.
0
 
LVL 14

Accepted Solution

by:Giovanni Heward (earned 500 total points)
ID: 39651228
The malware authors have launched a decryption service.  This service is available by connecting directly to a Command & Control server's IP address, FQDN, or through Tor via the f2d2v7soksbskekh.onion/ address.

f2d2v7soksbskekh.onion/ cryptolocker decryption service
Here's a technical description of why brute-force recovery is unrealistic without the private key needed for decryption: http://www.experts-exchange.com/Software/Office_Productivity/Office_Suites/MS_Office/Q_28275170.html#a39606853

Here are some preventive recommendations that would mitigate future variants designed to bypass the recommended GPO, AppLocker, and SRP policies.

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28233648.html#a39474622
http://blog.opendns.com/2013/11/06/umbrella-msps-protects-networks-cryptolocker/
0
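Added example, not code from the thread or from the accepted answer's author: an AppLocker executable rule set of the kind the GPO/AppLocker/SRP guidance above refers to, built as XML, dry-run against test files, and then applied. It assumes (the thread does not say so) that the malware is launched from the logged-on user's AppData tree, that the client runs an AppLocker-capable Windows edition with the Application Identity service available, and that the LDAP path in the comment is a placeholder for your own GPO. The rule IDs and the dropper.exe test file are constructed for the example.

```powershell
# Added example (not from the thread). Deny execution from any user's AppData
# tree, allow the normal install locations, test the policy before enforcing it.
#
# Assumptions, not stated in the thread:
#  - the malware runs from %AppData% (user Temp lives under AppData\Local\Temp,
#    so the same deny rule covers it);
#  - AppLocker-capable Windows edition, Application Identity service present;
#  - rule GUIDs below are arbitrary; the LDAP path at the end is a placeholder.

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Allow rules: once any rule exists in a collection, everything not
         explicitly allowed is blocked, so the OS and installed software need these. -->
    <FilePathRule Id="0d3e2a6e-8d6d-4a3f-9b40-6a1f1d2e9a01" Name="Allow Program Files"
                  Description="Installed software" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- %WINDIR% contains user-writable subfolders (e.g. Windows\Temp); in production
         add a FilePathCondition exception for those rather than allowing the whole tree. -->
    <FilePathRule Id="0d3e2a6e-8d6d-4a3f-9b40-6a1f1d2e9a02" Name="Allow Windows"
                  Description="Operating system binaries" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- Deny rule: AppLocker evaluates Deny before Allow, so this wins even if
         an Allow rule also matches. Applies to Everyone, administrators included. -->
    <FilePathRule Id="0d3e2a6e-8d6d-4a3f-9b40-6a1f1d2e9a04" Name="Deny AppData"
                  Description="Block executables under any user profile's AppData" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'block-appdata-exe.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run without enforcing anything: stage a copy of a known-good binary where a
# dropper would land (constructed test file) and evaluate it next to the original.
$testDir = Join-Path $env:APPDATA 'applocker-test'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
$staged  = Join-Path $testDir 'dropper.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $staged -Force

# PolicyDecision tells you whether each file would run for the given principal;
# MatchingRule names the rule that decided it.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $staged, "$env:WINDIR\System32\notepad.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

Remove-Item -Path $testDir -Recurse -Force

# Enforce locally. AppLocker only acts while the Application Identity service runs;
# set its startup type via GPO so it survives a reboot.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Domain-wide: write the same XML into a GPO instead (placeholder DN, replace with yours).
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://DC01.corp.example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'
```

Roll this out with EnforcementMode="AuditOnly" first and review the AppLocker EXE and DLL event log for what would have been blocked; line-of-business tools that update themselves from AppData will show up there and need their own Allow rules (publisher rules are preferable to path rules for those) before you switch to Enabled.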
 

Author Comment

by:darrellajames
ID: 39651240
Thanks buddy, tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39651246
tried the f2d2v7soksbskekh.onion/ URL and it just results in a search page, I think that site might be down now.

Did you use the Tor software?  You can't see nor connect without it.
0
 

Author Comment

by:darrellajames
ID: 39651251
Oops, didn't realize I had to download the Tor browser; trying now.
0
 

Author Closing Comment

by:darrellajames
ID: 39651257
Thanks for the information, this is very helpful.
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39651270
Long story short, long-term preventive solutions for this (and the majority of malware in general) would be the following approach:

1. FireEye
2. Invincea
3. EMET
4. OpenDNS

The core of the FireEye platform is the patented Multi-Vector Virtual Execution (MVX) engine, which provides dynamic, real-time analysis of advanced malware. The MVX engine captures and confirms zero-day and targeted advanced persistent threat (APT) attacks by detonating suspicious files, Web objects, and email attachments within instrumented virtual machine environments.

Poor man's approach would be to create a virtual DMZ at the endpoint.  This could be done via VirtualBox by creating an isolated and dedicated VM for interacting with the Internet and Internet based downloads.  When the VM is infected or compromised, simply revert the VM image back to a clean state.

And of course.  Backup! Backup! Backup! :o)
0