Solved

CryptoLocker or other adware still encrypted files

Posted on 2013-11-26
Last Modified: 2013-12-13
I know there is no way of decrypting the files but as we speak a process or something is still running and causing damage to our file server.

By checking the processes and applications that are running there is nothing that appears to be 'abnormal', it's very concerning.

Does anyone know of anything, apart from Malwarebytes, Kaspersky etc., that can isolate this?

We can restore but I fear that it will continue to go through those same files.

Any help or pointers would be much appreciated.
Question by:josefmikhail1984
14 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 39677281
Use procmon on your server and filter file accesses. You will see what process does change (=encrypt) the files. Then terminate the process and if possible, shutdown the server to clean it either manually or using updatable AV boot media.
Before you do this, you should not restore.
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39677341
It is likely this is Cryptolocker.  As McKnife has already posted, terminating the process and disinfection is relatively simple (although I still prefer offline scanning of the affected machine(s) with something like Kaspersky's Rescue Disk).  The important issue here is to identify affected machines and remove them from the network until disinfected.  Cryptolocker will attempt to encrypt all files visible to the host - that includes all network shares that the machine has write access to, and if relevant any cloud access.

It works by encrypting and decrypting the files "on the fly" so, while the process continues to encrypt files until it has affected everything it has indexed, it will decrypt any encrypted data transparently so that as a user you will not see any change.  However if the files are copied to a clean machine they will appear encrypted.  Once all the indexed files are encrypted the process will then display the ransom screen.  On a network with multiple shares this could take many hours.

Cryptolocker is a trojan so it cannot "infect" machines it connects to, but a vulnerable network may have multiple hosts with payloads launched from email attachments.

Currently decryption (AES2048 random key) of files without getting the key from the hostage takers is not possible.

Because of the hidden encryption, backing up your files now will not be as useful as identifying and isolating the infected hosts, terminating the processes and disinfecting so that further damage is prevented.
 

Author Comment

by:josefmikhail1984
ID: 39677351
Thanks for the response.

Checked the file server, couldn't find anything. One thing I haven't checked is to see who the last modification was made by; is this possible?

If so then I would be able to know who modified it and turn that machine off.
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39677363
I haven't checked but Cryptolocker certainly doesn't change file attributes or timestamps so the last modified date (certainly as seen in Windows Explorer) is probably no help.  You may be better packet sniffing the server - the trojan will continue to process folders from the infected host in alphabetical order through the whole folder tree, encrypting all data files with extensions it recognizes.  It should be possible to identify the clients making multiple connections and target them.

NB Remember the process is running on the affected client(s) NOT on the server
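A server-side way to do what MASQ suggests, added here as an example and not part of anything posted in the thread: rather than sniffing packets, ask the SMB server itself which client is touching files on the shares. It assumes the file server is Windows Server 2012 or later (the SmbShare cmdlets do not exist on 2008 R2; there `openfiles /query /fo csv` or `net session` give a cruder view of the same data) and is run as an administrator on the server. The number of samples, the interval and the threshold are constructed values.

```powershell
# Added example, not from the thread. Run on the file server as an administrator.
# Assumes the SmbShare module (Windows Server 2012 / PowerShell 3.0 or later).
# The trojan holds each file open only briefly, so one snapshot of open handles can
# miss it entirely; sample repeatedly and accumulate the distinct paths seen per client.

$samples      = 10    # number of snapshots to take
$intervalSecs = 3     # seconds between snapshots
$threshold    = 25    # constructed cut-off: an interactive user rarely touches this many files in 30 s

$seen = @{}           # "client|user" -> set of server-local paths that session has opened
for ($i = 0; $i -lt $samples; $i++) {
    foreach ($f in Get-SmbOpenFile) {
        $key = '{0}|{1}' -f $f.ClientComputerName, $f.ClientUserName
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$seen[$key].Add($f.Path)
    }
    Start-Sleep -Seconds $intervalSecs
}

# Rank sessions by how many different files they opened during the sampling window.
$ranked = $seen.GetEnumerator() | Sort-Object { $_.Value.Count } -Descending
foreach ($entry in $ranked) {
    $client, $user = $entry.Key -split '\|'
    '{0,-18} {1,-28} {2,5} distinct files' -f $client, $user, $entry.Value.Count
    if ($entry.Value.Count -ge $threshold) {
        # The trojan walks the tree in order, so the paths it has touched sort neatly;
        # print a few to confirm the sweep pattern before acting on it.
        $entry.Value | Sort-Object | Select-Object -First 8 | ForEach-Object { "    $_" }
        # Cut the suspect off at the server without waiting to find the machine physically:
        # Close-SmbSession -ClientComputerName $client -Force
    }
}
```

Close-SmbSession only drops the current session; the client reconnects as soon as it retries, so follow it with disabling the switch port or the user account. The paths reported are server-local (D:\Shares\...), not the UNC paths the client sees.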
 
LVL 56

Expert Comment

by:McKnife
ID: 39677365
If you run procmon at the server and you enable advanced logging, you would see what IP/what machine is accessing which files. If there's one that accesses one file after the other, it should be clear that that machine is infected.
You could also do the following: Deploy an AppLocker policy that denies starting executables from a certain path. I read that CryptoLocker usually starts from within %appdata%, so %appdata% would be the path to deny starts from. The same could be done with software restriction policies.

In order to become effective, all machines need to be restarted.
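One way to build, test and deploy the deny-from-AppData policy McKnife describes, added here as an example and not code from the thread. It assumes clients running Windows 7 Enterprise/Ultimate or Server 2008 R2 or later with the Application Identity service (AppIDSvc) started, and that the policy is applied either locally or to an existing GPO whose LDAP path you substitute. The rule GUIDs, rule names and the probe file name are made up for this example.

```powershell
# Added example, not from the thread. Builds the AppLocker policy McKnife describes:
# deny executables launched from under any user's AppData, allow the normal locations.
# Assumes Windows 7 Enterprise/Ultimate or Server 2008 R2+ with the Application
# Identity service (AppIDSvc) running on the clients. Rule GUIDs are arbitrary;
# generate fresh ones with [guid]::NewGuid() if you reuse this.

Import-Module AppLocker

# %OSDRIVE%\Users\*\AppData\* covers both %APPDATA% (Roaming) and %LOCALAPPDATA% (Local).
# AppLocker blocks everything not explicitly allowed once a collection is enforced,
# so the allow rules for Windows, Program Files and administrators are not optional.
# Deny rules win over allow rules, so the first rule takes effect regardless of order.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="5f7b0a1e-2b6a-4c3c-9a2e-0d7f1c2a3b41" Name="Deny executables under AppData"
                  Description="Blocks the drop location CryptoLocker and similar droppers use"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a0c9d2e4-6f81-4b5a-8c3d-1e2f3a4b5c62" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="b1d0e3f5-7a92-4c6b-9d4e-2f3a4b5c6d73" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="c2e1f4a6-8ba3-4d7c-ae5f-3a4b5c6d7e84" Name="Allow administrators everywhere"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyFile = Join-Path $env:TEMP 'deny-appdata-exe.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry-run the policy against a file shaped like the dropper (a copy of notepad.exe
# placed in %APPDATA%) and against the real notepad.exe, before deploying anything.
$probe = Join-Path $env:APPDATA 'applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe

# Apply: locally on this machine, or merged into a GPO (substitute your DC and GPO GUID).
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge `
#     -Ldap 'LDAP://dc1.example.local/CN={GPO-GUID-HERE},CN=Policies,CN=System,DC=example,DC=local'

# The policy is only enforced where the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

The probe should come back Denied (matching the AppData rule) and the real notepad.exe Allowed. Windows 7 Professional does not enforce AppLocker rules; there, use Software Restriction Policies instead (secpol.msc, a Disallowed path rule on %AppData%\*.exe and %AppData%\*\*.exe). If you have legitimate software that updates itself from AppData, run the collection with EnforcementMode="AuditOnly" for a day first and read the AppLocker event log before switching to Enabled.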
 
LVL 2

Expert Comment

by:JayCarter82
ID: 39677378
I believe that when Cryptolocker infects files, it shows the owner of the file as the person logged in on the infected machine. This should give you a clue.

Have you checked the registry on any of the machines for a cryptolocker key under:

HKEY_CURRENT_USER\Software\CryptoLocker\Files and also the one that actually runs the malware:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker" - this one will sometimes have a random filename.exe instead.

The exe file is saved as a random named filename to the root of the %AppData% or %LocalAppData% path.

Also look for:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
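A script that checks the registry locations JayCarter lists on one machine, added here as an example and not posted in the thread. It sweeps every user hive currently loaded under HKEY_USERS rather than only the user running it, so it also catches a second account that logged in on the same box. The regular expression used to spot a random-named executable launched from AppData is an assumption, and the note on how the Files key stores paths comes from public write-ups rather than from the thread.

```powershell
# Added example, not from the thread. Run as an administrator on each client
# (directly, or via Invoke-Command / psexec). Checks the registry locations JayCarter
# lists for every user hive currently loaded under HKEY_USERS.
# Written for PowerShell 2.0 so it runs on an unpatched Windows 7 machine.

$report = @()
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }   # real user SIDs, not _Classes or service SIDs

foreach ($hive in $userHives) {
    $base = 'Registry::' + $hive.Name

    # 1. The bookkeeping key: one value per file it has already encrypted.
    $filesKey = "$base\Software\CryptoLocker\Files"
    if (Test-Path $filesKey) {
        $names = (Get-Item $filesKey).GetValueNames()
        $report += New-Object PSObject -Property @{
            Sid     = $hive.PSChildName
            Where   = 'Software\CryptoLocker\Files'
            Finding = "$($names.Count) encrypted files recorded"
        }
        # Public write-ups report the value names are the paths with '\' stored as '?';
        # dump them so whoever restores from backup has a list of what to pull.
        $names | ForEach-Object { $_ -replace '\?', '\' } |
            Out-File -FilePath "$env:TEMP\cryptolocker-files-$($hive.PSChildName).txt"
    }

    # 2. The persistence entries: a value named *CryptoLocker, or any value that launches
    #    an executable sitting directly in AppData\Roaming or AppData\Local.
    foreach ($sub in 'Run', 'RunOnce') {
        $runKey = "$base\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $runKey)) { continue }
        $item = Get-Item $runKey
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $suspect = ($name -match 'CryptoLocker') -or
                       ($cmd -match '\\AppData\\(Roaming|Local)\\[^\\"]+\.exe')   # assumed pattern
            if ($suspect) {
                $report += New-Object PSObject -Property @{
                    Sid     = $hive.PSChildName
                    Where   = "CurrentVersion\$sub\$name"
                    Finding = $cmd
                }
            }
        }
    }
}

if ($report) { $report | Format-Table Sid, Where, Finding -AutoSize }
else         { "No CryptoLocker indicators in loaded user hives on $env:COMPUTERNAME" }
```

Only hives of users who are logged on (or whose profile is otherwise loaded) appear under HKEY_USERS; for an account that has logged off, load its NTUSER.DAT with `reg load` first, or check it from the offline boot media MASQ mentioned. A hit in the Run key names the dropper's path, which is the file to submit to your AV vendor.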
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 39677389
Some useful third party tools and GPO tips in the Third Tier link here
http://www.experts-exchange.com/Security/Encryption/Q_28295419.html

But right now identifying the infected machine(s) is your priority.

Assuming Cryptolocker is the culprit you also need to consider damage limitation.

Do you have reliable backups of the fileserver contents?  They must be prior to the earliest possible infection date/time.  If not and you have critical data on there you should consider taking the server offline to prevent further loss.
 

Author Comment

by:josefmikhail1984
ID: 39677469
All of the PC's that have access to this share have had their network connections disabled.

But the files are still encrypting, how can this be?
 
LVL 56

Expert Comment

by:McKnife
ID: 39677531
Please: are you able to run procmon (a downloadable executable freeware by Microsoft)? What does it say?
 

Author Comment

by:josefmikhail1984
ID: 39677592
I have run Procmon and it has given me a whole load of information, some of which I can see in the share, some 'Create File' records.

In Network Monitor, strangely enough, it shows one of our IPs, which I can ping but not remote to, as having some sort of connection to the files that are being encrypted.
 
LVL 2

Expert Comment

by:JayCarter82
ID: 39677703
Wireless clients. Or somebody has been playing about on the server console.....
 
LVL 56

Expert Comment

by:McKnife
ID: 39677827
You need to move. I somehow get the feeling that until you find the culprit(s) anything will already be encrypted and inaccessible.

Decide: do a full shutdown and virus scan (on server and clients in question) or not. Decide now. If the decision is no, you would need to do something with the info you already found. I told you that procmon will reveal where the files are modified from if advanced output is chosen - you did not even comment on this option (menu Filter - Advanced Output), so I am kind of lost about how to help you any further.

Also you did not comment on the applocker/software restriction policy option. That option would eventually stop that thing from even starting although no AV software found it - no reaction from you either - why?

We are trying to help - please cooperate for your own good.
I will be offline soon for a few hours...
 

Author Comment

by:josefmikhail1984
ID: 39678080
I appreciate the help but bear with me as I do have other things that need to be done as well, so please don't think I don't appreciate advice and help on this.

I have a lot of these that are listed in the CSV file I took out from Process monitor which all have the path to the directory where the encryption is currently running in.

System      4      IRP_MJ_CREATE
System      4      IRP_MJ_QUERY_INFORMATION
System      4      IRP_MJ_DIRECTORY_CONTROL
System      4      IRP_MJ_CLEANUP
System      4      IRP_MJ_CLOSE

However just now I requested those users who were in that share to shut down all of their machines, waited about 5 minutes to check if any connections were still live, users booted up their computers again and so far since 15:26 no additional files as far as we are aware have been changed.
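The rows quoted above are all attributed to PID 4, System, which is the kernel: on a file server the SMB server driver performs the file I/O for remote clients from inside it, so a Procmon trace taken on the server names System rather than the client's process, which is consistent with the activity stopping once the PCs were shut down. What the export can still tell you is how fast the sweep is going and in what order, which is what the following script extracts. It is an added example and not something from the thread; the CSV rows it creates are constructed to look like a Procmon export with the default columns, and the share path is an assumption. Point `$csvPath` at a real export instead.

```powershell
# Added example, not from the thread. Reads a CSV exported from Process Monitor
# (File > Save, CSV, default columns) and summarises writable opens against the
# share minute by minute: how many files are being touched, in what order, and by
# which process. The rows below are constructed to resemble the author's export.

$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:26:05.0010000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\Alpha\budget.xlsx","SUCCESS","Desired Access: Generic Read/Write"
"3:26:05.0020000 PM","System","4","IRP_MJ_QUERY_INFORMATION","D:\Shares\Finance\Alpha\budget.xlsx","SUCCESS","Type: QueryBasicInformationFile"
"3:26:05.2000000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\Alpha\contract.docx","SUCCESS","Desired Access: Generic Read/Write"
"3:26:05.4000000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\Alpha\forecast.xlsx","SUCCESS","Desired Access: Generic Read/Write"
"3:26:30.0000000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\Beta\invoice.pdf","SUCCESS","Desired Access: Generic Read/Write"
"3:27:12.0000000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\Beta\notes.docx","SUCCESS","Desired Access: Generic Read/Write"
"3:27:40.0000000 PM","explorer.exe","2344","CreateFile","D:\Shares\Finance\Alpha\budget.xlsx","SUCCESS","Desired Access: Read Attributes"
'@
$csvPath = Join-Path $env:TEMP 'procmon-sample.csv'
Set-Content -Path $csvPath -Value $sample -Encoding UTF8

$sharePath = 'D:\Shares\Finance'     # assumed server-side path of the affected share

# Keep only file opens under the share that asked for write access; encryption needs
# to write the file back, so read-only opens (a user browsing in Explorer) drop out.
$creates = Import-Csv $csvPath | Where-Object {
    ('IRP_MJ_CREATE', 'CreateFile') -contains $_.Operation -and
    $_.Path.StartsWith($sharePath, 'OrdinalIgnoreCase') -and
    $_.Detail -match 'Write'
} | ForEach-Object {
    # Procmon writes 7 fractional digits; strip them so [datetime] parsing is simple.
    $t = [datetime]::Parse(($_.'Time of Day' -replace '\.\d+', ''), [cultureinfo]::InvariantCulture)
    New-Object PSObject -Property @{
        Minute  = $t.ToString('HH:mm')
        Path    = $_.Path
        Process = '{0}/{1}' -f $_.'Process Name', $_.PID
    }
}

# Per minute: volume, first and last path, and whether the order is alphabetical
# (the sweep pattern MASQ described, as opposed to a user opening files at random).
$creates | Group-Object Minute | Sort-Object Name | ForEach-Object {
    $paths  = @($_.Group | ForEach-Object { $_.Path })
    $sorted = @($paths | Sort-Object)
    $inOrder = ([string]::Join("`n", $paths) -eq [string]::Join("`n", $sorted))
    '{0}  {1,4} writable opens  first: {2}  last: {3}  alphabetical: {4}' -f `
        $_.Name, $paths.Count, $paths[0], $paths[-1], $inOrder
}

# Which process the server attributes the opens to. If this is all System/4 the work is
# arriving over SMB and the trace cannot name the client; use the SMB session data instead.
$creates | Group-Object Process | Select-Object Name, Count | Format-Table -AutoSize
```

With the constructed rows this reports four writable opens in 15:26 in alphabetical order, one in 15:27, and every one of them attributed to System/4; the explorer.exe row is filtered out because it only asked for attribute read access. On a real export, a minute with hundreds of writable opens in sorted order and nothing under any process but System is the server-side signature of an encrypting client.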
 
LVL 50

Accepted Solution

by:
jcimarron earned 1500 total points
ID: 39678139
josefmikhail1984--
Shutting down the PC's was a good idea.
As far as getting rid of CryptoLocker, here is a detailed article from Bleeping Computer.
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Read the section on "What should you do when you discover your computer is infected with CryptoLocker"

This suggests a way to stop further infection.  If System Restore points are available you then could try to restore everything using a point before the infection took place.


Here is some helpful info from Malwarebytes:
http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
You should scan with MalwareBytes after trying the procedure recommended by Bleeping Computer.  Perhaps with the Pro version in light of the information.  Perhaps do this before trying System Restore.

I do not know if you can still download and install MalwareBytes on a PC already infected.  If not, download to a thumb drive on another PC and transfer to the infected PC.  You may also have to change the file extension to .com in order to install.
