Solved

copy the restore image and transplant to a new computer

Posted on 2014-02-20
2
323 Views
Last Modified: 2014-02-20
I am working on a clients computer which has been infected with Cryptolocker. Is there a way to pinpoint where and when this became infected?
I want to try moving the restore image to a new computer to see if the files can be  opened that way. I tried restoring back to before the infection, but the files are still encrypted/corrupted. Can data recovery restore these files? Is moving the image feasible?
0
Comment
Question by:atf3doc
2 Comments
 
LVL 23

Assisted Solution

by:Thomas Grassi
Thomas Grassi earned 50 total points
Comment Utility
Have you tried going back to the earliest system restore point
By default it only shows the most current click show more to see all
0
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 450 total points
Comment Utility
If they got the red ransom page display then their files are already encrypted. There is no recovery other than paying the ransom.  If you disabled and removed the process before the ransom message then only the files encrypted up to that point will have been lost.

Moving the files to another machine has no advantage.

It's fairly academic about the infection entry point but you can either use the date of the active component of the win32 ransom trojan or usually the date of the infected email attachment dropper as this is almost always a socially engineered email attachment activation that launches the trojan.

See also http://www.experts-exchange.com/Security/Encryption/Q_28295419.html and other Cryptolocker threads on this site.

Afraid a System Restore will have no effect either :(
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Are you looking to recover an email message or a contact you just deleted mistakenly? Or you are searching for a contact that you erased from your MS Outlook ‘Contacts’ folder and now realized that it was important.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now