Solved

CryptoLocker Recurring After Restore

Posted on 2014-01-22
Last Modified: 2014-02-01
Hi folks!

I had an employee's computer get hit with the CryptoLocker malware. Fortunately, we have good backups of everything, so no data was lost. I restored her entire desktop using an image backup made before the infection. That should have cleared the local copy of her profile, her registry settings, her data, and all. I also restored, from backup, her roaming profile folder on our file server, as well as her home folder on the server. We also redirect the AppData folder to the server, so I restored that as well.

Lo and behold, the next time she logged in, CryptoLocker re-appeared and started encrypting things again. I've done a complete scan of her computer and our file server using MalwareBytes, and can't find anything outside of the locations I mentioned.

What am I missing? How could CryptoLocker still be tied to her login in some way, and how can I manage to get rid of it once and for all?

Thanks,
Ithizar
Question by: Ithizar

3 Comments
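The question above asks how the malware could still be tied to the user's login after a full reimage. The places that travel with a roaming profile and redirected AppData rather than with the machine image are the user's own registry hive (NTUSER.DAT, which becomes HKCU at logon) and the Startup folder under roaming AppData, so a defender triaging this would inspect the server-side copies before the user logs on again. The following PowerShell script is an added example, not code from this thread; the share paths and the `CL_Check` mount name are placeholders, and it assumes it runs elevated while the user is logged off so the hive is not locked.

```powershell
# Added example: offline check of per-user autostart locations that travel with a
# roaming profile and redirected AppData. Paths and hive name are placeholders.
param(
    [string]$RoamingProfile    = '\\FILESERVER\Profiles\jdoe.V2',   # hypothetical
    [string]$RedirectedAppData = '\\FILESERVER\AppData\jdoe'        # hypothetical
)

$hiveKey = 'HKU\CL_Check'                          # temporary mount point name
$hive    = Join-Path $RoamingProfile 'NTUSER.DAT'  # the user's HKCU, server copy

# Mount the hive without logging the user on; fails if it is in use or missing.
reg.exe load $hiveKey $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hive" }

try {
    # Keys that become HKCU\...\Run etc. at logon, so they follow the profile.
    $runKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($sub in $runKeys) {
        $path = "Registry::HKEY_USERS\CL_Check\$sub"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $cmd  = $key.GetValue($name)
            # Autostarts launched from profile, AppData or Temp paths deserve review.
            $flag = 'ok'
            if ($cmd -match '(?i)appdata|\\temp\\|\\users\\') { $flag = 'REVIEW' }
            '{0,-6} HKCU\{1} : {2} = {3}' -f $flag, $sub, $name, $cmd
        }
        $key.Close()
    }
}
finally {
    [gc]::Collect()                  # drop lingering handles so unload succeeds
    reg.exe unload $hiveKey | Out-Null
}

# The Startup folder lives under roaming AppData, so it too comes from the server.
$startup = Join-Path $RedirectedAppData 'Microsoft\Windows\Start Menu\Programs\Startup'
if (Test-Path $startup) {
    Get-ChildItem $startup -Force | ForEach-Object { 'STARTUP {0}' -f $_.FullName }
}
```

Any entry flagged REVIEW, or any file in the Startup folder, should be compared against the pre-infection backup before the profile is handed back to the user.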
Accepted Solution

by: Thomas Zucker-Scharff (earned 500 total points)
ID: 39800695
Are you sure she didn't do something before this started happening again?

Does the computer have a static IP? If so, you will need to use DBAN to completely wipe the computer and then restore again from the image (you are sure that the image is pre-infection?). Make sure when you reinstall/reimage that you add some extra security - what OS? What antimalware are you running on that machine?
Author Comment

by: Ithizar
ID: 39800741
I can't say with 100% confidence that she didn't do something that could have re-infected her computer, of course. However, she is a fairly computer savvy employee and we had discussed the ways she could have gotten infected in the first place. So it seems unlikely -- but, again, not impossible -- that she did something to re-infect her computer.

No, the computer doesn't have a static IP. It is assigned its address by our DHCP server.

The backup I restored was created using the Macrium Reflect software, which is what we use for all our backups. It was a complete image backup of the entire hard drive including all partitions and the MBR. Do you still feel it is necessary to use DBAN to wipe the hard drive in advance of doing that type of restore?

The OS is Windows 7 Enterprise x64. It is up-to-date with the latest service pack. We run Faronics Anti-Virus on it, and then I did manual scans with MalwareBytes.

Thanks!
Expert Comment

by: Thomas Zucker-Scharff
ID: 39801146
I confess that I am unfamiliar with Faronics. Cryptolocker is a nasty piece of software. It sounds like you've done everything possible and since that sounds like a bare metal restore, DBAN is probably not necessary. There are some malware variants that lodge in the BIOS (basic instructions that allow the software to redownload after a bare metal restore). Cryptolocker, AFAIK, does not do this, but it is something to think about.

Does Faronics have powerful Heuristics? It looks like it has a HIPS section (took a quick look at the website). Is HIPS turned on/active for this computer?

BTW, do you like Faronics?  It looks good and I am considering other solutions.