Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cryptolocker recovery and management

Posted on 2013-11-15
3
729 Views
Last Modified: 2013-11-17
Although we are not 100 percent certain, it appears that my small company has been hit with the Cryptolocker virus or something that behaves exactly like it. What we really need is a decryption tool, but from previous threads on the topic it appears that only the creators of the virus can decode it, which leaves me with two questions: 1. Short of paying the ransom, which for reasons below is no longer possible, how can I be sure that the virus is not longer operable, and 2. Can you recommend the kind of service that would be best to  transfer Gigabytes of magnetic tape storage to a hard drive?  If you know of a specific vendor, all the better.  In relation to the first question, I attach an OTL.text file of my laptop hard drive. Here is the chronology:

1. Somewhere around 3pm last Friday, something entered our company network and began encrypting Microsoft Office files. We know this from the date-modified stamps on the files. (I can attach one of the files if that would help.)
3. While I was working I noticed that I was getting corrupted file errors on some of the office docs I was working on, but I copied the contents into new files and was good to go, so I thought it just a fluke. It had, however encrypted all the Word, Excel, and possibly Access files on my hard drive.
4. Somewhere around 6:30 pm on the same day, I detached my laptop from the network and left the office for a week.
5.  I received no ransom notice.
6.  When our IT guy came in last Monday, he saw that the network office files had been encrypted, and that the encryption stopped just about the time I unplugged from the network.
5. On Monday, I deed a deep scan with Emsisoft, which found only this: adware.generic.416455; Also did deep scan with Malware Bytes and quarantined two PUPs which Malware labeled "optional"
6.  Have also completed scan with Emsisoft on all other computers connected to the network, which revealed nothing.
7.  I also restored my computer to an earlier setting.

My questions then:

1. New files put on the network and on my hard drive are perfectly readable now. How can we assume that the virus is no longer active?
2.  What is the best way to transfer large volumes of data from a magnetic tape back-up to a digital hard drive. Using the tools we have now, it takes a while to locate files and make the transfer so we would be looking maybe to a service that can convert the entire tape or large segment of it at once.

Thanks
OTL1.Txt
0
Comment
Question by:jlouija
  • 2
3 Comments
 
LVL 62

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 500 total points
ID: 39652961
The active part of the infection is pretty easy to deal with and there are several conventional ways to disinfect.  Like most current malware Cryptolocker has a stealth component that runs in the background which interferes with any detection process but once that is disabled it is simple for any AV or anitmalware software to remove the payload.

My preference is offline scanning with Kapersky's emergency rescue CD so neither part of the infection are running in the active partition. You can build it as a bootable CD or USB.

Simply identified and removed - but that's only part of the story.
As you've already noted the encryption uses a key which is uniquely linked to the infected computer via a database on the hostage taker's servers without the key it is not currently possible to decrypt affected files so backup is essential.  There is some work on comparing encrypted files with good backup copies to derive the key as there is a single key per infection but this is not complete so do not rely on being able to archive the files until a fix is available.

All other fixes are based around prevention.  Third tier have made publicly available some advice sheets and simple tools to add to GPOs to block the commonest exploits and to lock down installation rights.

http://www.thirdtier.net/downloads/CryptolockerPreventionKit.zip

The main routes of infection however remain human factors - better informed users make safer systems.

The main source of revenue for this current group of criminals remains the home user who will open an email attachment they do not recognize and have their lives stored as data files on a PC that is never backed up.
0
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 500 total points
ID: 39652966
Your OldTimer log shows the machine has SearchConduit installed as an addin for both IE and FF.  The PokerStars shortcut and Chrome extensions entries suggest that downloaded files can be installed with admin access to the system.  Although there doesn't seem to be anything significantly malicious in your log it does show a machine which is vulnerable to the kind of exploits Cryptolocker is using and evidence of a few PUP (potentially unwanted programs).
0
 

Author Closing Comment

by:jlouija
ID: 39654500
Thanks guys. Both responses were very helpful
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Microsoft Office Picture Manager is not included in Office 2013. This comes as a shock to users upgrading from earlier versions of Office, such as 2007 and 2010, where Picture Manager was included as a standard application. This article explains how…
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question