Solved

CryptoLocker or other adware still encrypting files

Posted on 2013-11-26
516 Views
Last Modified: 2013-12-13
I know there is no way of decrypting the files, but as we speak a process or something is still running and causing damage to our file server.

By checking the processes and applications that are running, there is nothing that appears 'abnormal', which is very concerning.

Does anyone know of anything, apart from Malwarebytes, Kaspersky etc., that can isolate this?

We can restore, but I fear that it will continue to go through those same files.

Any help or pointers would be much appreciated.
Question by:josefmikhail1984
14 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 39677281
Use procmon on your server and filter file accesses. You will see what process does change (=encrypt) the files. Then terminate the process and if possible, shutdown the server to clean it either manually or using updatable AV boot media.
Before you do this, you should not restore.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39677341
It is likely this is Cryptolocker.  As McKnife has already posted, terminating the process and disinfection is relatively simple (although I still prefer offline scanning of the affected machine(s) with something like Kaspersky's Rescue Disk).  The important issue here is to identify affected machines and remove them from the network until disinfected.  Cryptolocker will attempt to encrypt all files visible to the host - that includes all network shares that the machine has write access to, and if relevant any cloud access.

It works by encrypting and decrypting the files "on the fly" so, while the process continues to encrypt files until it has affected everything it has indexed, it will decrypt any encrypted data transparently so that as a user you will not see any change.  However, if the files are copied to a clean machine they will appear encrypted.  Once all the indexed files are encrypted the process will then display the ransom screen.  On a network with multiple shares this could take many hours.

Cryptolocker is a trojan so it cannot "infect" machines it connects to, but a vulnerable network may have multiple hosts from payloads launched from email attachments.

Currently decryption (AES2048 random key) of files without getting the key from the hostage takers is not possible.

Because of the hidden encryption, backing up your files now will not be as useful as identifying and isolating the infected hosts, terminating the processes and disinfecting so that further damage is prevented.
 

Author Comment

by:josefmikhail1984
ID: 39677351
Thanks for the response.

Checked the file server, couldn't find anything. One thing I haven't checked is who made the last modification; is this possible?

If so then I would be able to know who modified it and turn that machine off.
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39677363
I haven't checked, but Cryptolocker certainly doesn't change file attributes or timestamps, so the last modified date (certainly as seen in Windows Explorer) is probably no help.  You may be better off packet sniffing the server - the trojan will continue to process folders from the infected host in alphabetical order through the whole folder tree, encrypting all data files with extensions it recognizes.  It should be possible to identify the clients making multiple connections and target them.

NB: Remember the process is running on the affected client(s), NOT on the server.
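Server-side way to do what the previous comment describes (find the client that is working through the share), as an added example that is not from any of the posters: it polls the SMB open-file table for a while and reports which client/user has touched how many distinct files under the share. It assumes Windows Server 2012 or later (the SmbShare module with Get-SmbOpenFile and Get-SmbSession), an elevated prompt, and a placeholder share path and threshold that you adjust.

```powershell
# Added example, not from any of the posters. Assumes Windows Server 2012+ (SmbShare
# module) and an elevated prompt; $SharePath and $Threshold are assumed placeholders.
function Get-ShareTouchReport {
    param(
        [string]$SharePath = 'D:\Shares\Data',   # assumed local path of the affected share
        [int]$Seconds      = 60,                 # how long to sample
        [int]$Threshold    = 25                  # distinct files that is unusual for one user
    )
    $seen = @{}   # "client / user" -> set of file paths seen open
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        # Each handle the server currently holds open on behalf of an SMB client.
        Get-SmbOpenFile | Where-Object { $_.Path -like "$SharePath*" } | ForEach-Object {
            $key = "$($_.ClientComputerName) / $($_.ClientUserName)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = New-Object 'System.Collections.Generic.HashSet[string]'
            }
            [void]$seen[$key].Add($_.Path)
        }
        Start-Sleep -Milliseconds 500   # handles are short-lived, so sample often
    }
    $rows = foreach ($key in $seen.Keys) {
        $paths = @($seen[$key] | Sort-Object)
        [pscustomobject]@{
            Client     = $key
            Files      = $paths.Count
            Suspicious = ($paths.Count -ge $Threshold)
            Sample     = ($paths | Select-Object -First 3) -join '; '
        }
    }
    $rows | Sort-Object Files -Descending
}

$report = Get-ShareTouchReport
$report | Format-Table -AutoSize -Wrap

# Once a client stands out, show its session; the host itself still has to be taken
# off the network and cleaned, but the server can drop the session meanwhile.
$report | Where-Object Suspicious | ForEach-Object {
    $client = ($_.Client -split ' / ')[0]
    Get-SmbSession -ClientComputerName $client -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SessionId
    # Close-SmbSession -ClientComputerName $client -Force   # uncomment to disconnect it
}
```

On Server 2008 R2 and earlier the same information comes from `openfiles /query /v` (no SmbShare module there), which you would parse instead of Get-SmbOpenFile.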
 
LVL 53

Expert Comment

by:McKnife
ID: 39677365
If you run procmon at the server and you enable advanced logging, you would see what IP/what machine is accessing which files. If there's one that accesses one file after the other, it should be clear that that machine is infected.
You could also do the following: Deploy an applocker policy that denies starting executables from a certain path. I read, applocker usually starts from within %appdata%, so %appdata% would be the path to deny starts from. The same could be done with software restriction policies.

In order to become effective, all machines need to be restarted.
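The AppLocker policy suggested in the comment above, as an added example that is not from any of the posters: an EXE rule set that denies launching executables from every user's AppData tree while keeping the usual allow rules, tested in a dry run and then applied locally. It assumes the AppLocker cmdlets are present (Windows 7 Enterprise/Ultimate, Windows 8 and later, Server 2008 R2 and later; other editions only have Software Restriction Policies), that the Application Identity service can run, and that Test-AppLockerPolicy accepts a zero-byte probe file; the rule names and file paths are placeholders.

```powershell
# Added example, not from any of the posters. Starts in AuditOnly so the event log
# shows what would be blocked before you enforce. Rule GUIDs are generated here.
$deny = [guid]::NewGuid(); $pf = [guid]::NewGuid(); $win = [guid]::NewGuid(); $adm = [guid]::NewGuid()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$deny" Name="Deny EXE from AppData" Description="Dropper path named in this thread" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$pf" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$win" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$adm" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'
$policyXml | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run: a probe under %AppData% should come back Denied, notepad under %WINDIR%
# Allowed. (Assumes Test-AppLockerPolicy is happy with an empty probe file.)
$probe = Join-Path $env:APPDATA 'probe-deny-test.exe'
New-Item -Path $probe -ItemType File -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $probe, "$env:WINDIR\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# Apply locally; -Merge keeps rules that are already there. For a domain, point
# Set-AppLockerPolicy -Ldap at the GPO instead and let clients refresh with gpupdate.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
Start-Service AppIDSvc -ErrorAction SilentlyContinue   # AppLocker does nothing without it

# Review "Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL"
# (event 8003 = would have been blocked); when nothing legitimate shows up, change
# EnforcementMode="AuditOnly" to "Enabled" above and re-apply.
```

Without the allow rules a collection that contains only the deny rule would block every executable, which is why the Windows, Program Files and Administrators rules are included.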
 
LVL 2

Expert Comment

by:JayCarter82
ID: 39677378
I believe that when Cryptolocker infects files, it shows the owner of the file as the person logged in on the infected machine. This should give you a clue.

Have you checked the registry on any of the machines for a cryptolocker key under:

HKEY_CURRENT_USER\Software\CryptoLocker\Files and also the one that actually runs the malware:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker" - this one will sometimes have a random filename.exe instead.

The exe file is saved as a random named filename to the root of the %AppData% or %LocalAppData% path.

Also look for:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
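A check for the registry locations listed in the comment above, as an added example that is not from any of the posters: it reports the CryptoLocker key (and how many entries its Files subkey holds), plus any Run/RunOnce value that is named like the malware or whose command is an .exe sitting directly in the AppData or LocalAppData root. It assumes it is run on the suspect machine as the user who was logged on (HKCU is per-user; otherwise load that user's hive first); the "Suspicious" verdict is this script's own heuristic.

```powershell
# Added example, not from any of the posters. Run as the logged-on user on the
# suspect PC; "Suspicious" is this script's heuristic, not proof either way.
function Test-CryptoLockerIndicators {
    $findings = @()
    $base = 'HKCU:\Software\CryptoLocker'
    if (Test-Path $base) {
        # The Files subkey holds one value per file the malware recorded as encrypted.
        $files = Get-ItemProperty "$base\Files" -ErrorAction SilentlyContinue
        $n = if ($files) { @($files.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Count } else { 0 }
        $findings += [pscustomobject]@{ Location = $base; What = "key present, $n file entries"; Suspicious = $true }
    }
    $roots = @($env:APPDATA, $env:LOCALAPPDATA) | ForEach-Object { $_.TrimEnd('\') }
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [string]$p.Value
            # Pull the executable out of a quoted or unquoted command line.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $dir = if ($exe) { (Split-Path $exe -Parent).TrimEnd('\') } else { '' }
            $inAppDataRoot = [bool]$dir -and ($roots -contains $dir)   # random-name.exe in the root
            $namedLikeIt   = $p.Name -like '*CryptoLocker*'
            $findings += [pscustomobject]@{
                Location = "$key\$($p.Name)"; What = $cmd; Suspicious = ($namedLikeIt -or $inAppDataRoot)
            }
        }
    }
    return $findings
}

Test-CryptoLockerIndicators | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```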
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 39677389
Some useful third party tools and GPO tips in the Third Tier link here
http://www.experts-exchange.com/Security/Encryption/Q_28295419.html

But right now identifying the infected machine(s) is your priority.

Assuming Cryptolocker is the culprit you also need to consider damage limitation.

Do you have reliable backups of the fileserver contents?  They must be prior to the earliest possible infection date/time.  If not and you have critical data on there you should consider taking the server offline to prevent further loss.

Author Comment

by:josefmikhail1984
ID: 39677469
All of the PCs that have access to this share have had their network connections disabled.

But the files are still encrypting, how can this be?
 
LVL 53

Expert Comment

by:McKnife
ID: 39677531
Please: are you able to run procmon (a downloadable executable freeware by Microsoft)? What does it say?
 

Author Comment

by:josefmikhail1984
ID: 39677592
I have run Procmon and it has given me a whole load of information, some of which I can see in the share, some 'Create File' records.

In Network Monitor, strangely enough, it shows one of our IPs, which I can ping but not remote to, as having some sort of connection to the files that are being encrypted.
 
LVL 2

Expert Comment

by:JayCarter82
ID: 39677703
Wireless clients. Or somebody has been playing about on the server console.....
 
LVL 53

Expert Comment

by:McKnife
ID: 39677827
You need to move. I somehow get the feeling that until you find the culprit(s) anything will already be encrypted and inaccessible.

Decide: do a full shutdown and virus scan (on server and clients in question) or not. Decide now. If the decision is no, you would need to do something with the info you already found. I told you that procmon will reveal where the files are modified from if advanced output is chosen - you did not even comment on this option (menu Filter - Advanced Output), so I am kind of lost about how to help you any further.

Also you did not comment on the applocker/software restriction policy option. That option would eventually stop that thing from even starting although no AV software found it - no reaction from you either - why?

We are trying to help - please cooperate for your own good.
I will be offline soon for a few hours...
 

Author Comment

by:josefmikhail1984
ID: 39678080
I appreciate the help, but bear with me as I do have other things that need to be done as well, so please don't think I don't appreciate advice and help on this.

I have a lot of these that are listed in the CSV file I took out from Process monitor which all have the path to the directory where the encryption is currently running in.

System      4      IRP_MJ_CREATE
System      4      IRP_MJ_QUERY_INFORMATION
System      4      IRP_MJ_DIRECTORY_CONTROL
System      4      IRP_MJ_CLEANUP
System      4      IRP_MJ_CLOSE

However just now I requested those users who were in that share to shut down all of their machines, waited about 5 minutes to check if any connections were still live, users booted up their computers again and so far since 15:26 no additional files as far as we are aware have been changed.
 
LVL 50

Accepted Solution

by: jcimarron (earned 500 total points)
ID: 39678139
josefmikhail1984--
Shutting down the PC's was a good idea.
As far as getting rid of CryptoLocker, here is a detailed article from Bleeping Computer.
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Read the section on "What should you do when you discover your computer is infected with CryptoLocker"

This suggests a way to stop further infection.  If System Restore points are available you then could try to restore everything using a point before the infection took place.


Here is some helpful info from MalwareBytes:
http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
You should scan with MalwareBytes after trying the procedure recommended by Bleeping Computer.  Perhaps with the Pro version in light of the information.  Perhaps do this before trying System Restore.

I do not know if you can still download and install MalwareBytes on a PC already infected.  If not, download to a thumb drive on another PC and transfer to the infected PC.  You may also have to change the file extension to .com in order to install.