Solved

CryptoLocker Recurring After Restore

Posted on 2014-01-22
480 Views
Last Modified: 2014-02-01
Hi folks!

I had an employee's computer get hit with the CryptoLocker malware. Fortunately, we have good backups of everything, so no data was lost. I restored her entire desktop using an image backup made before the infection. That should have cleared the local copy of her profile, her registry settings, her data, and all. I also restored, from backup, her roaming profile folder on our file server, as well as her home folder on the server. We also redirect the AppData folder to the server, so I restored that as well.

Lo and behold, the next time she logged in, CryptoLocker re-appeared and started encrypting things again. I've done a complete scan of her computer and our file server using MalwareBytes, and can't find anything outside of the locations I mentioned.

What am I missing? How could CryptoLocker still be tied to her login in some way, and how can I manage to get rid of it once and for all?

Thanks,
Ithizar
Question by:Ithizar
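The question asks how an infection can stay tied to one user's login after the workstation itself has been reimaged. The PowerShell script below is an added example, not code from the thread or from any product it mentions: it lists the autostart locations that are stored inside a user profile (the Run and RunOnce keys of the user's registry hive and the Startup folder under roaming AppData) and flags every entry whose command resolves into the profile or AppData, since those entries roam with the user and are carried back by a profile or AppData restore. The -HiveRoot, -ProfileRoot and -AppDataRoot parameters are assumptions. Run it in the affected user's session, or inspect the server-side profile offline by loading its NTUSER.DAT with `reg load HKU\TempHive <path>` and passing `Registry::HKEY_USERS\TempHive` as -HiveRoot.

```powershell
# Added example, not code from the thread. Enumerates per-user autostart
# entries that live inside the profile and therefore survive a reimage of the
# workstation, then flags those whose command points back into the profile
# or AppData. Assumed parameters: defaults cover the logged-in user; pass an
# offline hive root and server-side paths to check a restored profile copy.
param(
    [string]$HiveRoot    = 'HKCU:',              # e.g. 'Registry::HKEY_USERS\TempHive'
    [string]$ProfileRoot = $env:USERPROFILE,     # or the UNC path of the roaming profile
    [string]$AppDataRoot = $env:APPDATA          # the redirected AppData\Roaming folder
)

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = @()

# Registry Run/RunOnce values stored in the user hive (NTUSER.DAT).
foreach ($sub in $runKeys) {
    $key = $HiveRoot.TrimEnd('\') + '\' + $sub
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip the provider's own metadata
        $findings += New-Object PSObject -Property @{
            Source  = $key
            Name    = $p.Name
            Command = [string]$p.Value
        }
    }
}

# Startup folder of the roaming profile: anything here runs at every logon.
$startup = Join-Path $AppDataRoot 'Microsoft\Windows\Start Menu\Programs\Startup'
if (Test-Path $startup) {
    Get-ChildItem -Path $startup | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Source  = $startup
            Name    = $_.Name
            Command = $_.FullName
        }
    }
}

# An entry whose command lives under the profile or AppData roams with the
# user, so a profile restore brings it back even after a clean reimage.
$roots   = @($ProfileRoot, $AppDataRoot) | Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$pattern = '(?i)(' + (($roots + @('%APPDATA%', '%USERPROFILE%')) -join '|') + ')'

$findings |
    ForEach-Object {
        $_ | Add-Member -MemberType NoteProperty -Name RoamsWithProfile `
                        -Value ($_.Command -match $pattern) -PassThru
    } |
    Sort-Object RoamsWithProfile -Descending |
    Format-Table Source, Name, Command, RoamsWithProfile -AutoSize
```

Entries reported with RoamsWithProfile set to True are the ones to compare against a known-good profile, because restoring the local disk alone never touches them; a restore of the roaming profile or redirected AppData only helps if the backup predates the point at which those entries were written.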
3 Comments

Accepted Solution

by:
Thomas Zucker-Scharff earned 500 total points
ID: 39800695
Are you sure she didn't do something before this started happening again?

Does the computer have a static IP?  If so, you will need to use DBAN to completely wipe the computer and then restore again from the image (you are sure that the image is pre-infection?).  Make sure when you reinstall/reimage that you add some extra security - what OS?  What antimalware are you running on that machine?

Author Comment

by:Ithizar
ID: 39800741
I can't say with 100% confidence that she didn't do something that could have re-infected her computer, of course. However, she is a fairly computer savvy employee and we had discussed the ways she could have gotten infected in the first place. So it seems unlikely -- but, again, not impossible -- that she did something to re-infect her computer.

No, the computer doesn't have a static IP. It is assigned its address by our DHCP server.

The backup I restored was created using the Macrium Reflect software, which is what we use for all our backups. It was a complete image backup of the entire hard drive including all partitions and the MBR. Do you still feel it is necessary to use DBAN to wipe the hard drive in advance of doing that type of restore?

The OS is Windows 7 Enterprise x64. It is up-to-date with the latest service pack. We run Faronics Anti-Virus on it, and then I did manual scans with MalwareBytes.

Thanks!

Expert Comment

by:Thomas Zucker-Scharff
ID: 39801146
I confess that I am unfamiliar with Faronics.  Cryptolocker is a nasty piece of software.  It sounds like you've done everything possible, and since that sounds like a bare metal restore, DBAN is probably not necessary.  There are some malware variants that lodge in the BIOS (basic instructions that allow the software to redownload after a bare metal restore).  Cryptolocker, AFAIK, does not do this, but it is something to think about.

Does Faronics have powerful Heuristics?  It looks like it has a HIPS section (took a quick look at the website).  Is HIPS turned on/active for this computer?

BTW, do you like Faronics?  It looks good and I am considering other solutions.