Solved

CryptoDefense Software

Posted on 2014-04-09
1,107 Views
Last Modified: 2014-04-10
I am very surprised not to be able to find anything on Experts Exchange referencing CryptoDefense Software.


It appears a folder on the user's Desktop, his networked H: drive and many folders under his other networked drive are severely infected with CryptoDefense Software. All folders and files have a time stamp of 4/2/2014 4:27pm. Every folder has a "decrypt" file. Can't open anything that has the decrypt files in its folder.

http://www.enigmasoftware.com/cryptodefense-removal/ 

- Updated and ran the new Malwarebytes, but it found nothing.
- Ran a full MSE scan. Found no issues.
- Attempted to run the Carbonite restore and it failed to open with script errors. Rebooted the PC. Carbonite still fails with script errors.
- Ran a rogue killer program. Found and removed several malicious entries. Required another reboot.
- I don't see the actual QuickBooks files infected, but many of its related folders have been infected.

I have not yet performed a system restore to an earlier time. I contacted one of my very experienced Windows engineers and he stated that would not help.
We could try logging on as the administrator and in safe mode, but the bottom line is that we need a restore.
From everything I read, we need to perform a restore from before 4/2/2014. Since Carbonite will not run from the PC, I need to get in touch with the person who has the Carbonite credentials to access it and restore.

Any help would be appreciated
Question by:agieryic
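Before anything is restored, the scope of what was touched has to be pinned down: which folders carry the ransom note, and which files were rewritten in the 4/2/2014 4:27pm window the question reports, across the Desktop and the mapped drives. The script below is an added example, not code from this thread or from any product named in it. It assumes the note's filename contains "decrypt" (the question gives no exact name), that encrypted files were overwritten in place so their modification times cluster around one moment, and it builds a small constructed directory tree to run against instead of a real share.

```python
"""Scope a ransomware hit on a file tree so the restore covers everything.

Added example for this thread, not the original poster's code. Assumptions:
  * the ransom note is any file whose name contains "decrypt" (the question
    says every folder got a "decrypt" file but gives no exact filename);
  * files were overwritten in place, so their mtimes cluster around one
    moment (the question reports 4/2/2014 4:27pm on everything affected);
  * the directory tree built by build_sample_tree() is constructed data.
"""
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta
from pathlib import Path

NOTE_MARKER = "decrypt"      # assumed substring of the ransom-note filename
ENTROPY_THRESHOLD = 7.5      # bits per byte; office/text files sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Heuristic: the first sample_size bytes have near-uniform entropy.
    Caveat: zip, docx, jpg and pdf streams are compressed and also score
    high, so use this as a cross-check on the mtime window, not as proof."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample_size)) >= ENTROPY_THRESHOLD


def triage(root: Path, hit_time: datetime,
           window: timedelta = timedelta(minutes=30)) -> dict:
    """Walk root and return the lists a restore plan needs:
         notes     - ransom-note files (typically one per affected folder)
         suspect   - files whose mtime falls inside hit_time +/- window
         confirmed - suspect files that also look encrypted"""
    lo, hi = hit_time - window, hit_time + window
    out = {"notes": [], "suspect": [], "confirmed": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if NOTE_MARKER in name.lower():
                out["notes"].append(p)
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime)
            if lo <= mtime <= hi:
                out["suspect"].append(p)
                if looks_encrypted(p):
                    out["confirmed"].append(p)
    return out


def build_sample_tree(base: Path, hit_time: datetime) -> None:
    """Constructed data: two folders hit, one untouched, one user edit."""
    hit_ts = hit_time.timestamp()
    old_ts = (hit_time - timedelta(days=7)).timestamp()
    for folder in ("Desktop", "H_Drive/Accounting"):
        d = base / folder
        d.mkdir(parents=True)
        for name in ("invoice.docx", "budget.xlsx"):
            f = d / name
            f.write_bytes(os.urandom(4096))       # stand-in for ciphertext
            os.utime(f, (hit_ts, hit_ts))
        note = d / "decrypt_instructions.txt"     # constructed note name
        note.write_text("constructed ransom note\n")
        os.utime(note, (hit_ts, hit_ts))
    archive = base / "H_Drive/Archive"            # not touched by the malware
    archive.mkdir(parents=True)
    f = archive / "readme.txt"
    f.write_text("quarterly summary\n" * 200)
    os.utime(f, (old_ts, old_ts))
    f = base / "Desktop" / "notes.txt"            # saved by the user, in window
    f.write_text("meeting notes\n" * 100)
    os.utime(f, (hit_ts + 60, hit_ts + 60))


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, return a summary."""
    hit = datetime(2014, 4, 2, 16, 27)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, hit)
        r = triage(root, hit)
        return {
            "notes": len(r["notes"]),
            "suspect": len(r["suspect"]),
            "confirmed": len(r["confirmed"]),
            "folders_to_restore": sorted(
                {p.parent.relative_to(root).as_posix() for p in r["confirmed"]}),
        }


if __name__ == "__main__":
    print(run_demo())
```

Against a real share, call `triage(Path("H:/"), datetime(2014, 4, 2, 16, 27))` and feed the folders in `confirmed` to the backup restore. The entropy check exists because the question reports no extension change, so a name-based search would miss the encrypted files; it is deliberately the second filter, after the time window, because compressed document formats also look random.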
15 Comments
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 39988548
Search the forum for cryptolocker or use wikipedia's cryptolocker article to get advice - it's nearly the same type of threat.

You should not go about and use a restore point. If you have backed up your files, use backups. If not, decide if you can afford to pay the ransom, as simple as that. The encryption cannot be broken; the data is lost unless you pay or have backups.
0
 
LVL 25

Accepted Solution

by:Tony Giangreco
Tony Giangreco earned 250 total points
ID: 39988574
If you are referring to CryptoLocker, it is not a virus or spyware. It's encryption a hacker places on all your documents, local and network.

There are multiple lines of defense:

1. Installing a good firewall like Cisco, SonicWall or Barracuda that includes content filtering to inspect packets as they are received and drop suspicious and known file types before they reach your network.

2. There are also some software firewalls that help, but we believe a stand-alone hardware firewall is best.

3. Installing a web-based anti-spam service that inspects email before it's received, like the content filtering above. We use GFI MailEssentials Online for this service.

4. Educate your users not to open email that looks irregular and comes from someone they do not expect. This is just a plain common-sense feature that some people don't use.

If you get hit with CryptoLocker, there are two solutions:

1. Restore from a backup
2. Pay the ransom and hope they unlock your files.

Hope this helps.
0
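Points 1 and 3 above, inspecting mail before delivery and dropping known-bad file types, come down to a small attachment policy that can be stated in code. The script below is an added example and not code from this thread or from any product named in it. The policy it applies is the editor's own: block executable extensions, flag a document extension hiding an executable one (invoice.pdf.exe), flag a PE header whatever the file is called, and run the same checks one level deep inside zip archives. The four sample messages are constructed inline and modelled on the "invoice attached" lure of that period.

```python
"""Screen inbound mail attachments the way a content filter would.

Added example, not code from the thread or from any product named in it.
The policy below is the editor's own; the sample messages are constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ZIP_MEMBER_LIMIT = 50   # refuse to walk huge archives member by member
SNIFF_BYTES = 4         # enough to see an "MZ" header on an archive member


def check_file(name: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons one file (attachment or zip member) is suspicious.
    An empty list means the file passed every check."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in BLOCKED_EXT:
        reasons.append(f"{name}: executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOC_EXT:
            reasons.append(f"{name}: document name hiding an executable")
    if data[:2] == b"MZ":                     # PE header, whatever the name says
        reasons.append(f"{name}: PE header (MZ) regardless of name")
    # Archives are opened one level deep; nested archives are not expanded.
    if depth == 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            infos = z.infolist()
            if len(infos) > ZIP_MEMBER_LIMIT:
                reasons.append(f"{name}: {len(infos)} members, not inspected")
            else:
                for info in infos:
                    with z.open(info) as member:
                        head = member.read(SNIFF_BYTES)   # bounded read: no zip bomb
                    reasons.extend(check_file(f"{name}/{info.filename}", head, depth + 1))
    return reasons


def screen_message(raw: bytes) -> tuple:
    """Parse one RFC 822 message and return ("drop" | "deliver", reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):             # text/* attachments decode to str
            data = data.encode("utf-8", "replace")
        reasons.extend(check_file(name, data))
    return ("drop" if reasons else "deliver", reasons)


def _message(filename: str, data: bytes, subtype: str = "octet-stream") -> bytes:
    """Build a constructed one-attachment message."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_messages() -> dict:
    """Constructed lures: one legitimate PDF and three disguised executables."""
    pdf = b"%PDF-1.4\n%constructed sample\n"
    pe = b"MZ" + b"\x90" * 62                 # constructed PE-looking stub
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("Invoice_2014.pdf.scr", pe)
    return {
        "real_pdf": _message("invoice.pdf", pdf, "pdf"),
        "double_ext": _message("invoice.pdf.exe", pe),
        "zipped_scr": _message("invoice.zip", zbuf.getvalue(), "zip"),
        "renamed_exe": _message("report.pdf", pe, "pdf"),
    }


def screen_all() -> dict:
    """Verdict per sample message, keyed by the sample's name."""
    return {k: screen_message(v)[0] for k, v in build_sample_messages().items()}


if __name__ == "__main__":
    for k, v in build_sample_messages().items():
        print(k, *screen_message(v))
```

The content sniff is what makes the rule more than a filename blocklist: a renamed executable still carries its MZ header, and a zip hides the name but not the member's first bytes. The bounded member read is there on purpose, since a filter that fully extracts every archive is an easy denial-of-service target.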
 
LVL 1

Author Comment

by:agieryic
ID: 39988575
I see articles about going into the registry in safe mode and removing CryptoLocker-related entries. Obviously I don't know if they actually work.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39988578
You need to understand what being infected means. If you remove it, you remove the only way to decrypt!
0
 
LVL 1

Author Comment

by:agieryic
ID: 39988594
If I have a good restore, is there more than just removing the infected folders and replacing them with a backup? If I have a good restore, should I perform a system restore to bring the registry back to before the infection?
0
 
LVL 24

Expert Comment

by:aadih
ID: 39988601
There is no defense -- except having a backup image.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39988772
Yes, if you have a backup, of course all sorts of cleaning are ok.
0
 

Expert Comment

by:Ociris4160
ID: 39989667
I have heard that Comodo antivirus is able to get rid of CryptoLocker and decrypt your files. May be worth a shot.

http://antivirus.comodo.com/
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39990163
You heard? Where, if I may ask? Comodo cannot decrypt anything. How should it, without the key?
0
 
LVL 24

Expert Comment

by:aadih
ID: 39990335
Okay. More than heard as far as protection goes: "CryptoLocker Ransomware Continues to Claim Victims, While Enterprises Remain Safe with Comodo Endpoint Security" at:

http://www.comodo.com/news/press_releases/2013/11/comodo-endpoint-security-protects-cryptoLocker-ransomware-virus.html
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39990410
Comodo says they can stop the CryptoLocker virus from entering your system. They don't mention the ability to remove the encryption.

They are the only company I've seen that "offers customers up to a $5,000 limited warranty against infection."
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39991273
Have we answered your question?
0
 
LVL 1

Author Comment

by:agieryic
ID: 39991524
Learned a lot about this CryptoLocker in the past 48 hours.
I got Microsoft involved as well. We were looking for a certificate that may have been left behind, with no luck. Basically there's nothing that can be done to decrypt the folders and files, as mentioned above.

Server 2008
- We have a restore to replace all the encrypted folders. However, since the server was compromised, it only makes sense to rebuild. I am currently rebuilding a 2nd server to take its place to limit downtime.

Windows 7 PC
- We have replaced the infected folders but plan to rebuild in the near future.

Going to take the advice to try to secure the new server and network better.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39991531
Glad we could all help!
0
 
LVL 1

Author Closing Comment

by:agieryic
ID: 39991554
Thanks for everyone's help.
0