Solved

copy the restore image and transplant to a new computer

Posted on 2014-02-20 | 331 Views | Last Modified: 2014-02-20
I am working on a client's computer which has been infected with Cryptolocker. Is there a way to pinpoint where and when this became infected?
I want to try moving the restore image to a new computer to see if the files can be opened that way. I tried restoring back to before the infection, but the files are still encrypted/corrupted. Can data recovery restore these files? Is moving the image feasible?
Question by:atf3doc
2 Comments
 
LVL 23

Assisted Solution

by:Thomas Grassi
Thomas Grassi earned 50 total points
ID: 39874041
Have you tried going back to the earliest system restore point? By default it only shows the most current; click "show more" to see all.
0
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 450 total points
ID: 39874092
If they got the red ransom page display then their files are already encrypted. There is no recovery other than paying the ransom. If you disabled and removed the process before the ransom message then only the files encrypted up to that point will have been lost.

Moving the files to another machine has no advantage.

It's fairly academic about the infection entry point but you can either use the date of the active component of the win32 ransom trojan or usually the date of the infected email attachment dropper as this is almost always a socially engineered email attachment activation that launches the trojan.

See also http://www.experts-exchange.com/Security/Encryption/Q_28295419.html and other Cryptolocker threads on this site.

Afraid a System Restore will have no effect either :(
0
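The accepted answer dates the infection from the trojan's active component or the attachment dropper rather than from a restore point. The script below is an added example, not code posted by anyone in this thread: it estimates when mass encryption began by finding the earliest window in which an unusually large number of files were modified, then lists the files written in the hour before that window as candidates for the dropper. `$Root`, `$WindowMinutes` and `$MinFilesPerWindow` are investigator-chosen placeholders, and the approach assumes the encryptor rewrote files in place so their `LastWriteTime` reflects the encryption pass.

```powershell
# Added example (not from the thread): approximate when mass encryption started
# by locating the earliest burst of file modifications under a folder, then
# list files written shortly before it as dropper candidates for manual review.
# Assumptions: run after the infection is contained; the values below are
# placeholders the investigator adjusts for the machine in question.
param(
    [string]$Root = 'C:\Users',
    [int]$WindowMinutes = 5,
    [int]$MinFilesPerWindow = 50
)

$files = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue

# Bucket every file's LastWriteTime into fixed-size windows of $WindowMinutes.
$buckets = $files | Group-Object {
    $t = $_.LastWriteTime
    $t.Date.AddMinutes([math]::Floor($t.TimeOfDay.TotalMinutes / $WindowMinutes) * $WindowMinutes)
}

# Keep only windows dense enough to look like a bulk rewrite, oldest first.
$bursts = $buckets |
    Where-Object { $_.Count -ge $MinFilesPerWindow } |
    Sort-Object { [datetime]$_.Name }

if (-not $bursts) {
    Write-Output "No $WindowMinutes-minute window with >= $MinFilesPerWindow modified files under $Root."
    return
}

$first = $bursts[0]
Write-Output ("Earliest mass-modification window starts {0} ({1} files)" -f $first.Name, $first.Count)

# Files written in the hour before the burst are candidate droppers (for
# example an attachment saved from mail); list them for review, newest last.
$start = [datetime]$first.Name
$files |
    Where-Object { $_.LastWriteTime -ge $start.AddHours(-1) -and $_.LastWriteTime -lt $start } |
    Sort-Object LastWriteTime |
    Select-Object LastWriteTime, FullName |
    Format-Table -AutoSize
```

Treat the output as a starting point for a timeline, not as proof: file timestamps can be altered, a user saving a large download or a backup job can produce a burst of its own, and the candidate list needs to be checked against mail client and browser history before naming an entry point.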