josefmikhail1984
CryptoLocker or other adware still encrypted files

I know there is no way of decrypting the files but as we speak a process or something is still running and causing damage to our file server.

By checking the processes and applications that are running there is nothing that appears to be 'abnormal', it's very concerning.

Does anyone know of anything, apart from Malwarebytes, Kaspersky etc., that can isolate this?

We can restore but I fear that it will continue to go through those same files.

Any help or pointers would be much appreciated.
McKnife
Use procmon on your server and filter file accesses. You will see what process does change (=encrypt) the files. Then terminate the process and if possible, shutdown the server to clean it either manually or using updatable AV boot media.
Before you do this, you should not restore.
☠ MASQ ☠
It is likely this is Cryptolocker. As McKnife has already posted, terminating the process and disinfection is relatively simple (although I still prefer offline scanning of the affected machine(s) with something like Kaspersky's Rescue Disk). The important issue here is to identify affected machines and remove them from the network until disinfected. Cryptolocker will attempt to encrypt all files visible to the host - that includes all network shares that the machine has write access to, and if relevant any cloud access.

It works by encrypting and decrypting the files "on the fly" so, while the process continues to encrypt files until it has affected everything it has indexed, it will decrypt any encrypted data transparently so that as a user you will not see any change. However, if the files are copied to a clean machine they will appear encrypted. Once all the indexed files are encrypted the process will then display the ransom screen. On a network with multiple shares this could take many hours.

Cryptolocker is a trojan so it cannot "infect" machines it connects to, but a vulnerable network may have multiple hosts from payloads launched from email attachments.

Currently decryption (AES2048 random key) of files without getting the key from the hostage takers is not possible.

Because of the hidden encryption, backing up your files now will not be as useful as identifying and isolating the infected hosts, terminating the processes and disinfecting so that further damage is prevented.
josefmikhail1984 (ASKER)
Thanks for the response.

Checked the file server, couldn't find anything. One thing I haven't checked is to see who the last modification was made by; is this possible?

If so then I would be able to know who modified it and turn that machine off.
I haven't checked but Cryptolocker certainly doesn't change file attributes or timestamps, so the last modified date (certainly as seen in Windows Explorer) is probably no help. You may be better packet sniffing the server - the trojan will continue to process folders from the infected host in alphabetical order through the whole folder tree, encrypting all data files with extensions it recognizes. It should be possible to identify the clients making multiple connections and target them.

NB Remember the process is running on the affected client(s) NOT on the server
If you run procmon at the server and you enable advanced logging, you would see what IP/what machine is accessing which files. If there's one that accesses one file after the other, it should be clear that that machine is infected.
You could also do the following: Deploy an AppLocker policy that denies starting executables from a certain path. I read that Cryptolocker usually starts from within %appdata%, so %appdata% would be the path to deny starts from. The same could be done with software restriction policies.

In order to become effective, all machines need to be restarted.
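The AppLocker approach suggested above, as an added example that is not code from the thread or from any poster: it stages an executable rule that denies launching .exe files from any user's AppData tree, dry-runs it against a sample binary, and merges it into the local policy in audit mode first. It assumes Windows 7 / Server 2008 R2 or later with the AppLocker module and PowerShell 3.0 or later; the rule GUIDs are generated on the spot and the LDAP path in the comment is a placeholder. AppLocker has no %APPDATA% path variable, so the rule uses %OSDRIVE%\Users\*\AppData\*, which covers both %AppData% (Roaming) and %LocalAppData%.

```powershell
# Added example, not code from the thread: stage an AppLocker rule that denies
# launching .exe files from any user's AppData tree, test it, then merge it into
# the local policy in audit mode. Assumes the AppLocker module (Win7/2008 R2+)
# and PowerShell 3.0+. Rule GUIDs are generated here, not taken from the thread.
Import-Module AppLocker

$denyAppData  = [guid]::NewGuid()
$allowProgram = [guid]::NewGuid()
$allowWindows = [guid]::NewGuid()
$allowAdmins  = [guid]::NewGuid()

# Caveat: an Exe rule collection that contains only a deny rule blocks every
# other executable too, so the standard default allow rules are included.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$denyAppData" Name="Deny EXE from user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowProgram" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowWindows" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$allowAdmins" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'deny-appdata-exe.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run: copy a known-good binary into %AppData% and ask AppLocker how the
# policy would treat it there versus in its normal location.
$sample = Join-Path $env:APPDATA 'applocker-probe.exe'
Copy-Item "$env:WINDIR\notepad.exe" $sample
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $sample, "$env:WINDIR\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $sample

# Enforcement needs the Application Identity service. sc.exe is used because
# Set-Service cannot change this service's start type on newer builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Merge into the local policy (audit only). For a domain GPO, deploy the same
# XML with: Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap 'LDAP://<DC>/<GPO DN>'
# (placeholder path), then gpupdate /force on the clients.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Review audit events (Id 8003 = would have been blocked) before changing
# EnforcementMode to "Enabled".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Message
```

Two caveats a practitioner should keep in mind: the default %WINDIR%\* allow rule also covers user-writable subfolders such as Windows\Temp, so a tighter allow list is better once the emergency is over; and the Software Restriction Policy alternative mentioned above is a Group Policy path rule (disallowed for %AppData%\*.exe), which is configured in the GPO editor rather than with these cmdlets.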
I believe that when Cryptolocker infects files, it shows the owner of the file as the person logged in on the infected machine. This should give you a clue.

Have you checked the registry on any of the machines for a cryptolocker key under:

HKEY_CURRENT_USER\Software\CryptoLocker\Files and also the one that actually runs the malware:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker" - this one will sometimes have a random filename.exe instead.

The exe file is saved as a random named filename to the root of the %AppData% or %LocalAppData% path.

Also look for:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
There are some useful third party tools and GPO tips in the Third Tier link here:
https://www.experts-exchange.com/questions/28295419/Cryptolocker-recovery-and-management.html

But right now identifying the infected machine(s) is your priority.

Assuming Cryptolocker is the culprit you also need to consider damage limitation.

Do you have reliable backups of the fileserver contents?  They must be prior to the earliest possible infection date/time.  If not and you have critical data on there you should consider taking the server offline to prevent further loss.
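A triage script for the indicators listed above, as an added example that is not code from the thread or from any poster: it checks the named HKEY_CURRENT_USER keys, lists random-named executables sitting in the root of %AppData% and %LocalAppData%, and groups the most recently written files on the share by owner (the hint given a few posts up). It assumes PowerShell 3.0 or later, is run in the context of the logged-on user so that HKCU is the right hive, and uses \\FILESERVER\Share as a placeholder share path.

```powershell
# Added example, not code from the thread: check one workstation for the
# registry keys and AppData executables named above, then list recent writers
# on the share by file owner. Run as the logged-on user for the HKCU checks.
# Assumes PowerShell 3.0+. \\FILESERVER\Share is a placeholder.
function Get-CryptoLockerRegistryHits {
    $hits = @()
    if (Test-Path 'HKCU:\Software\CryptoLocker\Files') {
        $hits += [pscustomobject]@{ Where = 'HKCU:\Software\CryptoLocker\Files'; Value = '(key present: list of encrypted files)' }
    }
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not values
            # Flag by name (CryptoLocker, *CryptoLocker) or by an .exe sitting in the
            # root of %AppData% / %LocalAppData%, where the thread says the exe lands.
            $value = [string]$p.Value
            $inAppDataRoot = $value -match ('^"?' + [regex]::Escape($env:APPDATA) + '\\[^\\]+\.exe') -or
                             $value -match ('^"?' + [regex]::Escape($env:LOCALAPPDATA) + '\\[^\\]+\.exe')
            if ($p.Name -like '*CryptoLocker*' -or $inAppDataRoot) {
                $hits += [pscustomobject]@{ Where = "$key\$($p.Name)"; Value = $value }
            }
        }
    }
    $hits
}

function Get-AppDataRootExecutables {
    # .exe files in the root (not subfolders) of either AppData path.
    Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, CreationTime
}

function Get-RecentWritersByOwner {
    param([string]$SharePath, [int]$Newest = 200)
    # Owner of the most recently written files, grouped. If the owner hint from
    # the thread holds, the account on the infected machine dominates this list.
    Get-ChildItem -Path $SharePath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First $Newest |
        ForEach-Object {
            [pscustomobject]@{
                Owner         = (Get-Acl -Path $_.FullName).Owner
                LastWriteTime = $_.LastWriteTime
                Path          = $_.FullName
            }
        } |
        Group-Object Owner |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Latest'; e = { ($_.Group | Measure-Object LastWriteTime -Maximum).Maximum } }
}

Get-CryptoLockerRegistryHits | Format-Table -AutoSize
Get-AppDataRootExecutables   | Format-Table -AutoSize
Get-RecentWritersByOwner -SharePath '\\FILESERVER\Share' | Format-Table -AutoSize
```

The owner check only helps where the file was recreated rather than rewritten in place; a file whose contents were overwritten through an existing handle keeps its original owner, so treat an empty result as inconclusive rather than as a clean bill.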
All of the PCs that have access to this share have had their network connections disabled.

But the files are still encrypting, how can this be?
Please: are you able to run procmon (a downloadable executable freeware by Microsoft)? What does it say?
I have run Procmon and it has given me a whole load of information; in some of it I can see 'Create File' records in the share.

In Network Monitor, strangely enough, it shows one of our IPs, which I can ping but not remote to, as having some sort of connection to the files that are being encrypted.
Wireless clients. Or somebody has been playing about on the server console.....
You need to move. I somehow get the feeling that until you find the culprit(s) anything will already be encrypted and inaccessible.

Decide: do a full shutdown and virus scan (on server and clients in question) or not. Decide now. If the decision is no, you would need to do something with the info you already found. I told you that procmon will reveal where the files are modified from if advanced output is chosen - you did not even comment on this option (menu filter - advanced output), so I am kind of lost about how to help you any further.

Also you did not comment on the applocker/software restriction policy option. That option would eventually stop that thing from even starting although no AV software found it - no reaction from you either - why?

We are trying to help - please cooperate for your own good.
I will be offline soon for a few hours...
I appreciate the help, but bear with me as I do have other things that need to be done as well, so please don't think I don't appreciate advice and help on this.

I have a lot of these that are listed in the CSV file I took out from Process monitor which all have the path to the directory where the encryption is currently running in.

System      4      IRP_MJ_CREATE
System      4      IRP_MJ_QUERY_INFORMATION
System      4      IRP_MJ_DIRECTORY_CONTROL
System      4      IRP_MJ_CLEANUP
System      4      IRP_MJ_CLOSE

However just now I requested those users who were in that share to shut down all of their machines, waited about 5 minutes to check if any connections were still live, users booted up their computers again and so far since 15:26 no additional files as far as we are aware have been changed.
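A way to make sense of a Procmon export like the one above, as an added example that is not code from the thread or from any poster: it reads a Procmon CSV, keeps the create/write operations under the share, reports which process the server attributes them to, lists the distinct files in the order they were first touched (the alphabetical sweep described earlier in the thread), and then maps that server-side view to clients by polling open SMB files per client computer. On a file server, writes that arrive over SMB are performed by the kernel-mode server driver, which is why they appear as PID 4 "System" rather than under a client process; that pattern points at the clients, not at a program on the server. The CSV inside the block is constructed sample data in Procmon's export layout, the share root D:\Shares\Finance is a placeholder, and the Get-SmbOpenFile part assumes Windows Server 2012 or later (it prints a warning and suggests openfiles otherwise). PowerShell 3.0 or later is assumed.

```powershell
# Added example, not code from the thread: analyse a Procmon CSV export for the
# write sweep on a share, then attribute it to SMB clients. The CSV here is
# constructed sample data; pass -CsvPath to read a real export. Paths are
# placeholders. Assumes PowerShell 3.0+; Get-SmbOpenFile needs Server 2012+.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:26:01.0100000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\a-budget.xlsx","SUCCESS","Desired Access: Generic Read/Write"
"3:26:01.0200000 PM","System","4","IRP_MJ_WRITE","D:\Shares\Finance\a-budget.xlsx","SUCCESS","Offset: 0, Length: 65,536"
"3:26:01.0300000 PM","System","4","IRP_MJ_CLEANUP","D:\Shares\Finance\a-budget.xlsx","SUCCESS",""
"3:26:01.5000000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\b-forecast.docx","SUCCESS","Desired Access: Generic Read/Write"
"3:26:01.5100000 PM","System","4","IRP_MJ_WRITE","D:\Shares\Finance\b-forecast.docx","SUCCESS","Offset: 0, Length: 32,768"
"3:26:02.0000000 PM","System","4","IRP_MJ_CREATE","D:\Shares\Finance\c-invoices.pdf","SUCCESS","Desired Access: Generic Read/Write"
"3:26:02.0100000 PM","System","4","IRP_MJ_WRITE","D:\Shares\Finance\c-invoices.pdf","SUCCESS","Offset: 0, Length: 131,072"
"3:26:02.2000000 PM","explorer.exe","1234","IRP_MJ_QUERY_INFORMATION","D:\Shares\Finance\c-invoices.pdf","SUCCESS",""
'@

function Get-ProcmonWriteSweep {
    param([string]$CsvPath, [string]$ShareRoot = 'D:\Shares\Finance')
    $rows = if ($CsvPath) { Import-Csv -Path $CsvPath } else { $sampleCsv | ConvertFrom-Csv }
    # Both Procmon spellings: normal output (CreateFile, WriteFile) and the
    # "advanced output" IRP names seen in the post above.
    $writeOps = 'IRP_MJ_CREATE', 'CreateFile', 'IRP_MJ_WRITE', 'WriteFile', 'IRP_MJ_SET_INFORMATION', 'SetRenameInformationFile'
    $writes = $rows | Where-Object {
        $writeOps -contains $_.Operation -and $_.Path -like "$ShareRoot\*" -and $_.Result -eq 'SUCCESS'
    }
    # Who is doing it, as the server sees it. SMB clients do not appear under
    # their own process: the server driver does the work as PID 4 "System".
    $byProcess = $writes | Group-Object 'Process Name', PID |
        Select-Object Count, Name, @{ n = 'DistinctFiles'; e = { ($_.Group.Path | Sort-Object -Unique).Count } }
    # Distinct files in the order first touched: an alphabetical walk at a
    # steady pace is the sweep described earlier in the thread.
    $sweep = $writes | Group-Object Path | ForEach-Object {
        [pscustomobject]@{ FirstSeen = $_.Group[0].'Time of Day'; Path = $_.Name }
    }
    [pscustomobject]@{ ByProcess = $byProcess; Sweep = $sweep }
}

function Get-SmbClientFileActivity {
    # Maps the server-side view to clients: poll open files on the share a few
    # times and count distinct paths per client computer and user.
    param([string]$ShareRelativePrefix = 'Finance', [int]$Polls = 6, [int]$IntervalSeconds = 10)
    if (-not (Get-Command Get-SmbOpenFile -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-SmbOpenFile not available (Server 2012 or later required); use "openfiles /query /v" instead.'
        return
    }
    $seen = @{}
    for ($i = 0; $i -lt $Polls; $i++) {
        Get-SmbOpenFile | Where-Object { $_.ShareRelativePath -like "$ShareRelativePrefix*" } | ForEach-Object {
            $client = "$($_.ClientComputerName) ($($_.ClientUserName))"
            if (-not $seen.ContainsKey($client)) { $seen[$client] = @{} }
            $seen[$client][$_.Path] = $true
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    $seen.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Client = $_.Key; DistinctFiles = $_.Value.Count }
    } | Sort-Object DistinctFiles -Descending
}

$result = Get-ProcmonWriteSweep
$result.ByProcess | Format-Table -AutoSize
$result.Sweep     | Format-Table -AutoSize
Get-SmbClientFileActivity | Format-Table -AutoSize
```

With the sample data the first table shows all successful writes attributed to "System, 4" and the sweep table lists a-budget.xlsx, b-forecast.docx and c-invoices.pdf in that order; on a live server the client with by far the largest DistinctFiles count over a minute of polling is the one to unplug. Polling open files catches only handles that are open at the instant of each poll, so a client that opens and closes each file quickly can slip between polls; a shorter interval, or Security-log object-access auditing on the share, closes that gap.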
ASKER CERTIFIED SOLUTION
jcimarron