Solved

Crypto Locker help

Posted on 2013-11-18
Last Modified: 2013-11-20
Client just called, he got Crypto Locker...
I have his laptop....

He says from the time he opened the email to the time he turned the laptop off was about 15 minutes....

I'm thinking maybe the virus didn't have time to encrypt a lot of files...

Question...Can I mount his HD to a Linux machine...copy his My Documents off to the Linux box....will this keep the virus from encrypting any more files...???

Then I reformat and rebuild his Win 7...only way I can be sure virus is gone...
Now I move his My Docs back...the files that got encrypted won't work...but the files that are NOT encrypted will work....(I hope)...

I'm assuming with the virus gone...any infected files will not spread the infection to any other files...

Opinions greatly appreciated...
Steve

the other option is to pay the ransom...he has no backups...
Question by:stevem5000
13 Comments
 
LVL 3

Expert Comment

by:uniqueinfotech
ID: 39657854
First, I would make an image of the drive to make sure that if anything gets changed, he can at least make a full restore to pay the ransom.

Next, I would mount the HDD in another OS, and try to read and copy off as many files as possible. Do not worry: as long as you are booting into a different OS, the virus will not be running.
It is hard to say how many files got encrypted in 15 minutes; that would depend on the speed of the CPU, RAM etc. of the computer. However, there is a good chance that many of the files will be encrypted.

If you are able to recover any unencrypted files, make sure to scan them to ensure that CryptoLocker is not among them or your client will get reinfected.

Finally, I would definitely completely reinstall Windows (make sure you delete and re-create the partitions in Windows Setup).
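The image-first, mount-read-only, copy-off procedure described above, as an added worked example (this is not code from the thread, nor from any tool named in it). It assumes a Linux analysis box with the laptop drive attached as a block device (the path /dev/sdb and the /evidence and /mnt paths are placeholders), that mounting is done as root, and that the Windows partition's byte offset is taken from `fdisk -l` on the image (start sector times sector size). The copy helper assumes the Windows 7 profile layout Users\<name>.

```python
"""Image a suspect drive, verify the image, then pull the user's profile off a
read-only mount. Added example, not from the thread; paths are placeholders."""
import hashlib
import os
import shutil
import subprocess

CHUNK = 1024 * 1024  # 1 MiB read size


def image_device(src, dest, chunk=CHUNK):
    """Copy src (block device or plain file) to dest byte for byte.
    A chunk that cannot be read is zero-filled and its offset recorded, so one
    bad sector does not abort the whole image. Returns (sha256 of the bytes
    written, list of zero-filled offsets)."""
    digest = hashlib.sha256()
    bad = []
    with open(src, "rb", buffering=0) as fin, open(dest, "wb") as fout:
        size = fin.seek(0, os.SEEK_END)  # valid for files and Linux block devices
        fin.seek(0)
        offset = 0
        while offset < size:
            want = min(chunk, size - offset)
            try:
                buf = fin.read(want)
            except OSError:
                bad.append(offset)
                buf = b"\0" * want
                fin.seek(offset + want)
            if not buf:
                break
            fout.write(buf)
            digest.update(buf)
            offset += len(buf)
    return digest.hexdigest(), bad


def sha256_file(path, chunk=CHUNK):
    """Hash a file on disk; re-hashing the written image confirms it matches."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def mount_readonly_cmd(image, mountpoint, offset=0):
    """Build the mount command: read-only loop mount with noexec, so nothing on
    the infected volume runs by accident. offset is the partition start in
    bytes (start sector * sector size, from `fdisk -l image`)."""
    return ["mount", "-o", f"ro,loop,noexec,offset={offset}", image, mountpoint]


def mount_readonly(image, mountpoint, offset=0):
    """Run the read-only mount (needs root)."""
    os.makedirs(mountpoint, exist_ok=True)
    subprocess.run(mount_readonly_cmd(image, mountpoint, offset), check=True)


def copy_profile(mountpoint, user, dest):
    """Copy Users\\<user> (Windows 7 layout) off the mount, keeping timestamps.
    Returns the number of files copied."""
    src = os.path.join(mountpoint, "Users", user)
    shutil.copytree(src, dest, dirs_exist_ok=True)
    return sum(len(files) for _, _, files in os.walk(dest))


if __name__ == "__main__":
    # Placeholder device, paths and user name; offset comes from fdisk -l.
    written, bad = image_device("/dev/sdb", "/evidence/laptop.img")
    assert written == sha256_file("/evidence/laptop.img")
    print("image verified; unreadable chunks at offsets:", bad)
    mount_readonly("/evidence/laptop.img", "/mnt/laptop", offset=0)
    print("files copied:", copy_profile("/mnt/laptop", "client", "/evidence/client-profile"))
```

The returned list of zero-filled offsets is what separates "the image is complete" from "the drive was already failing"; keep it with the image, and keep the image itself untouched so the original is still available if the client later needs the files that did not decrypt.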
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39658045
You could boot the laptop to a Linux disc and see what is what that way without having to remove the drive from the laptop. Clonezilla, or Ghost can be used to make the image of the HDD before starting.
 
LVL 50

Accepted Solution

by:
jcimarron earned 500 total points
ID: 39658057
stevem5000--
Here is a detailed article from Bleeping Computer.
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Read the section on "What should you do when you discover your computer is infected with CryptoLocker".

This suggests a way to stop further infection. If System Restore points are available you then could try to restore everything using a point before the infection took place.


Here is some helpful info from Malwarebytes:
http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
You should scan with Malwarebytes after trying the procedure recommended by Bleeping Computer. Perhaps with the Pro version in light of the information. Perhaps do this before trying System Restore.
I do not know if you can still download and install Malwarebytes on a PC already infected. If not, download to a thumb drive on another PC and transfer to the infected PC. You may also have to change the file extension to .com in order to install.
 
LVL 2

Author Comment

by:stevem5000
ID: 39658242
Thanks guys...I'll be reading your links and suggestions...trying things out over the next couple of days...
 
LVL 3

Expert Comment

by:uniqueinfotech
ID: 39658265
Important:
You want to do this ASAP, as the price goes up 10 times if you pass the 3-day limit.
 
LVL 2

Author Comment

by:stevem5000
ID: 39658355
Good point...!!!
 
LVL 2

Author Closing Comment

by:stevem5000
ID: 39661222
Thanks everyone...good ideas...Client decided to pay the ransom...
Have to do MoneyPak but they are available at Walmart...

Hope this works...
 
LVL 50

Expert Comment

by:jcimarron
ID: 39661225
stevem5000--You are welcome.  Glad to have helped a little.
 
LVL 2

Author Comment

by:stevem5000
ID: 39661245
jcimarron...
Yes...the link to Bleeping Computer is magnificent...!!!!

A ton of info there...
 
LVL 2

Author Comment

by:stevem5000
ID: 39663899
Update...
This has been a trip and a half...

Got the MoneyPak card at Walmart...scraped off the silver stuff to get the number...
Carefully entered the number on the Crypto screen...followed the prompts...

Let it run all night...had error message that cannot find the MoneyPak number...
Re-entered number...
Ran a few hours and same issue...

Now...after almost 2 days Vipre finds some infections...jumble of letters and numbers so I'm assuming that pertains to Crypto...

But now one of the Crypto screens does NOT show up...

I uninstall Vipre...make sure Inet connection is good...
Then I had to follow Crypto instructions to download Crypto again...
Got that done, but Win 7 does NOT like that file...2-3 warning screens to go thru...

Got Crypto installed again...and in about 1 minute it starts decrypting the files...

Earlier I did open a number of files, Doc Xls and PDF and all were encrypted...

So now...when Crypto gets done decrypting...should I follow Bleeping Computer's instructions to get rid of Crypto....or should I reformat and reinstall...???
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 39663935
I'd reformat and reinstall for sure.
 
LVL 2

Author Comment

by:stevem5000
ID: 39663985
Update #2....
Took about 10 minutes to decrypt...
But it missed a few...It gives you the option to place files that did not get decrypted on the desktop and run decryption again...
But that didn't work...

We spot checked maybe 2 dozen files and found 5 that did not decrypt...so if that ratio holds...we got a LOT of still encrypted files...
 
LVL 3

Expert Comment

by:uniqueinfotech
ID: 39664474
Definitely format and reinstall. Keep an image of the HDD in case they need those files that did not decrypt.
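Instead of spot-checking two dozen files by hand to estimate how many are still encrypted (the situation in the last update), a small triage pass over the copied-off profile can classify every document. This is an added example, not code from the thread: it checks each file's leading bytes against the well-known signatures for the formats the thread mentions (PDF, DOC/XLS, DOCX/XLSX) and falls back on byte entropy for files with no known signature. The signature table, the 4096-byte header size and the 7.0-bit entropy threshold are choices made for this example.

```python
"""Triage copied-off documents: which are intact, which still look encrypted.
Added example, not from the thread. Constructed signature table and thresholds."""
import math
import os
import sys
from collections import Counter

HEAD_BYTES = 4096         # header read per file
ENTROPY_SUSPECT = 7.0     # bits/byte; text and office files sit well below this

# Leading-byte signatures for the formats discussed in the thread (constructed table).
OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Office 97-2003 compound file
ZIP = b"PK\x03\x04"                          # OOXML (docx/xlsx) is a ZIP container
MAGIC = {
    ".pdf": [b"%PDF"],
    ".doc": [OLE2],
    ".xls": [OLE2],
    ".docx": [ZIP],
    ".xlsx": [ZIP],
    ".jpg": [b"\xFF\xD8\xFF"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> str:
    """'intact' if the header matches the extension's signature, 'suspect' if it
    does not (or the file has no known signature but looks random), else 'unknown'."""
    ext = os.path.splitext(name)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return "suspect" if shannon_entropy(head) > ENTROPY_SUSPECT else "unknown"
    return "intact" if any(head.startswith(s) for s in sigs) else "suspect"


def triage_dir(root: str) -> dict:
    """Walk root, classify every file by its header, return sorted buckets of
    paths relative to root."""
    buckets = {"intact": [], "suspect": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # unreadable file: leave it for manual review
            buckets[classify(fn, head)].append(os.path.relpath(path, root))
    for names in buckets.values():
        names.sort()
    return buckets


if __name__ == "__main__":
    result = triage_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for bucket, names in result.items():
        print(f"{bucket}: {len(names)}")
        for n in names:
            print("   ", n)
```

Run it against the profile copied off the read-only mount; the "suspect" list is the set of files to keep the drive image for, and a file whose signature is intact but whose contents are corrupt would still need opening, so the check is a floor on the damage, not a proof of recovery.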
