Solved

Ransomware encrypted files - Windows 7 desktop

Posted on 2014-04-23
935 Views
Last Modified: 2014-04-29
The attached message appeared on my desktop today and I need some direction on how to remove the virus/malware.  I have read some other posts and it appears that it is not very easy to do.  I have shut down my PC and disconnected my external drive (which has some of my backup files on it).  Please advise what steps I should take to fix this issue - should I remove the virus/malware - and how should I do that - via software or by editing registry files?  If you could provide the steps I would certainly appreciate the help.  Also, what do I try after that if all of my files are encrypted?  Also, I use an accounting software package (Sage Accounting) - would these files be affected as well??  One post indicated they needed to know what variant of this virus/malware I had -- hopefully the photo attached will help.
Thank you,
IMG-1362.jpeg
Question by:mmj1
40 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 300 total points
Please have a read of my blog for help on tackling this nasty ransomware virus called cryptolocker:

http://alanhardisty.wordpress.com/2013/10/22/cryptolocker-ransom-virus-cleanup/

You basically have two choices - pay up and hope they unencrypt your files, or if you have a full backup and have Shadow Copies enabled on your computer, then you can go ahead and just splat the infection and recover your files.

Alan

LVL 6

Assisted Solution

by:Ricardo Martínez
Ricardo Martínez earned 68 total points
That is the CryptoLocker virus; your files are now encrypted, I hope you had a backup of them. Look at this, where they try to recover your files using System Restore, malware scanners and some other tools, because this variant of encrypting malware is the worst:

http://www.pcworld.com/article/2084002/how-to-rescue-your-pc-from-ransomware.html

LVL 24

Expert Comment

by:aadih
Without a backup image, you are out of luck.  Sorry.

LVL 51

Assisted Solution

by:Joe Winograd, EE MVE
Joe Winograd, EE MVE earned 66 total points
Hi mmj1,
We're in the middle of another question here at EE on the same exact subject:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_28407936.html

Also, if you search EE for "cryptolocker" you'll get a ton of hits. Regards, Joe

LVL 35

Assisted Solution

by:Bembi
Bembi earned 66 total points
There are several tools out there (from different vendors) to remove the CryptoLocker ransomware.
If you search for these keywords, you will find instructions. But do not download any rescue software except from well-known security companies, and only from their own web sites.

You can have a look here:
e.g. http://www.sophos.com/en-us.aspx; others from other vendors such as Avira, McAfee or Symantec.

As such trojans hook into the Windows start sequence and mostly block Task Manager, regedit and other tools needed to kill viruses, it is sometimes not easy to get rid of them once they are started. You can instead boot into a DOS / Linux shell (sometimes included by the antivirus vendors) and scan the computer from there.

Also possible, but to be handled with care, is to scan the disk from a different computer.

If safe boot is possible, then you can try this; if you have a chance to open something like Task Manager, then you can try to find the trojan executables (which usually have cryptic names and a very recent date) to deactivate the trojan. But you have to find all of them, otherwise they will reactivate themselves.

So the best method is a DOS / Linux based shell virus scanner, which you can start by booting from a disk, USB or CD and running a full disk scan from there.  Even if these tools don't necessarily find all connected files, they can deactivate the trojan, and then you can continue to remove all remaining fragments, e.g. with Malwarebytes etc.

LVL 26

Expert Comment

by:Thomas Zucker-Scharff
I have yet to see any tool recover from cryptolocker or its variants.  They generally charge 10 bitcoins for the decryption key (currently valued at 485.10 dollars/bitcoin by preev.com - 4851.00 total), so unless your data is worth close to $5000, reformat and continue.

LVL 76

Expert Comment

by:Alan Hardisty
There are no tools that can recover the encrypted files - but you can eliminate the virus and recover from backup / shadow copies if available.

If backups / shadow copies aren't available then it's either pay up or kiss the data goodbye.

Then once you have got past the situation, invest in a solid, reliable, offsite backup solution (not Dropbox or the likes).

LVL 26

Expert Comment

by:Thomas Zucker-Scharff
When you do invest in backup, make sure it has versioning (many do).  Versioning will allow you to go back many versions (depending on your subscription) so you can recover the latest version that is not encrypted.  We have successfully recovered a computer that was infected with cryptolocker because it was using crashplanPROe.  There are many others (spideroak, comodo, etc...).

A colleague of mine has this in his email signature:

Remember: Any data you don't have saved in at least 2 other places, is data you don't care about.

Author Comment

by:mmj1
I am considering paying the ransom - I have heard that doesn't work anymore?  Has anyone had success recently paying the ransom??  Thanks

LVL 76

Expert Comment

by:Alan Hardisty
There are stories of it working while there are stories of it not working - it's your money, it's your call, and if you don't have a backup, then it's one way, probably the only way, to get your files back.

If your files are that important and you have exhausted the options I have laid out in my blog (Shadow Copies), then it is probably your only choice if you need the files back.

Alan

LVL 35

Expert Comment

by:Bembi
Mmh, this is criminal fraud. Do you imagine that they are so kind as to give you some service for your money? Maybe their address or bank account number too?

I guess the "working" stories are only from the people, who want to have the money...
But, you never can know....

Author Comment

by:mmj1
Very good point Bembi....

LVL 6

Expert Comment

by:Ricardo Martínez
Is your information that important? Because I don't think they will give you the key to remove the encryption... I'm a bit paranoid, and if I were you, I would think it will not work, or it will remove the encryption and instantly encrypt the files again, any bad idea you can imagine... Anyway, is your information so important that you would throw away $500? It's better to just lose the information than to lose the information and $500...

LVL 26

Expert Comment

by:Thomas Zucker-Scharff
Closer to $5000. They generally have been good about providing the key (although I have no first hand experience). Check out preev.com for the bitcoin conversion (don't forget to multiply by 10).

Author Comment

by:mmj1
The message I received indicates you have to pay $500 - you have to buy a MoneyPak card from Walmart or another retailer, and the max you can purchase on that card is $500 -- so I assume it is $500....

LVL 24

Expert Comment

by:aadih
They generally have been good about providing the key (although I have no first hand experience).

In jest (please no offense -- implicitly or explicitly):

Yes.
Sure of what we know not, and
Unsure of
What we know.

;-)

LVL 26

Expert Comment

by:Thomas Zucker-Scharff
Jest heh? Well I have NEVER heard of cryptolocker asking you to do anything but pay by bitcoin.  I would guess in this case you will get nada if you pay.

LVL 35

Expert Comment

by:Bembi
You see, even the hackers don't like Bitcoins anymore...

OK, but I don't want to put this into a funny scope...

If somebody wants to have a supermarket card, ...

But...
such cards have numbers, right....?, and the cash registers can recognize them, right....?

OK, just to let you know, that

a.) I do not really see a chance to decrypt data which is already encrypted. But there is a chance that not everything is already encrypted.
So the first step would be to see what you can recover.
b.) For the remaining stuff, I would say the chance is 1:10 against you that you get the key.
c.) But the supermarket cards look interesting; at least if you can catch the originator, you may catch the key this way...,

LVL 76

Expert Comment

by:Alan Hardisty
mmj1 - Have you exhausted the options to recover your data at this point?

You haven't provided any feedback about this and the question is now veering off to the ethical aspect of being held to ransom and the chances of catching the perpetrators.

If you have exhausted the options to recover your data, then please advise and I'll bow out because there is nothing new to add to this question and nothing we can do to get your data back.

Alan

Author Comment

by:mmj1
I have tried everything to recover my data - but all documents - doc, xls, jpg etc. - are inaccessible.  I had an external drive with my backup but that was hit too.  My biggest concern was my Sage Peachtree backup and I am still not sure that was affected  - that file extension is PTB and from what I read that doesn't appear to be an affected extension, but I won't know until I do a clean install of Win7 and install the application and restore from my backup.
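The question of which files on the external drive are really damaged can be settled before a reinstall. CryptoLocker overwrote file contents but kept the names, so a file of a known type whose first bytes no longer match that type's signature has been replaced with ciphertext. The following PowerShell script is an added example, not code from the thread or from any tool named in it: it checks known signatures and, for extensions it does not know (such as .ptb, whose layout is not claimed here), reports only whether the leading bytes look random. `$Root` is an assumed path.

```powershell
# Added example, not from the thread: flag files under $Root whose header no longer
# matches their extension (overwritten with ciphertext), and fall back to a byte-entropy
# check on the first 4 KB for extensions not in the table. $Root is an assumed path.
$Signatures = @{
    '.jpg'  = 0xFF,0xD8,0xFF
    '.png'  = 0x89,0x50,0x4E,0x47
    '.pdf'  = 0x25,0x50,0x44,0x46                       # "%PDF"
    '.zip'  = 0x50,0x4B,0x03,0x04                       # "PK" local file header
    '.docx' = 0x50,0x4B,0x03,0x04                       # OOXML is a zip container
    '.doc'  = 0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1   # OLE2 compound document
    '.xls'  = 0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1
}
function Get-FileHeader([string]$Path, [int]$Count) {
    $fs = [System.IO.File]::OpenRead($Path)
    try { $buf = New-Object byte[] $Count; $n = $fs.Read($buf, 0, $Count) } finally { $fs.Close() }
    if ($n -eq 0) { return ,@() }
    return ,($buf[0..($n - 1)])
}
function Get-Entropy([byte[]]$Bytes) {
    # Shannon entropy in bits per byte: close to 8 for ciphertext (and for compressed data).
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}
function Test-EncryptedFiles([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $hdr = Get-FileHeader $_.FullName 4096
        $ext = $_.Extension.ToLower()
        if ($Signatures.ContainsKey($ext)) {
            $sig = $Signatures[$ext]
            $ok  = ($hdr.Length -ge $sig.Length)
            for ($i = 0; $ok -and $i -lt $sig.Length; $i++) { $ok = ($hdr[$i] -eq $sig[$i]) }
            $status = if ($ok) { 'OK' } else { 'HEADER MISMATCH - content replaced, likely encrypted' }
        } elseif ((Get-Entropy $hdr) -gt 7.9) {
            $status = 'HIGH ENTROPY - encrypted or compressed, compare with a known-good copy'
        } else {
            $status = 'plausibly intact'
        }
        New-Object PSObject -Property @{ File = $_.FullName; Status = $status }
    }
}
# Usage: show only the files that need attention.
Test-EncryptedFiles -Root 'D:\Backup' | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

A header that still matches is strong evidence the file is intact; a high-entropy verdict on an unknown type is only a hint, since archives and already-compressed formats score the same way.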

LVL 76

Expert Comment

by:Alan Hardisty
Have you looked for Shadow Copies on your computer?

Author Comment

by:mmj1
I did check a few individual files and I do not see any previous versions - I guess this is not turned on

LVL 76

Expert Comment

by:Alan Hardisty
Ah!  Have you tried using Shadow Explorer (as per the Bleeping Computer link in my blog)?

http://www.shadowexplorer.com/downloads.html

Alan
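What Shadow Explorer does by hand can also be checked directly, which makes it clear whether a snapshot predates the encryption or was taken afterwards. This PowerShell script is an added example, not code from the thread or from Shadow Explorer: it lists the shadow copies of C:, mounts the oldest one as a folder, and hashes one sample file in it against the live copy. `$Link` and `$Sample` are assumed values; it must be run from an elevated prompt.

```powershell
# Added example, not from the thread: enumerate the Volume Shadow Copies of C:,
# expose the oldest one as a folder, and hash one file in it against the live copy.
# Run from an elevated PowerShell prompt. $Link and $Sample are assumed values.
$Link   = 'C:\ShadowView'
$Sample = 'Users\Public\Documents\example.xls'   # relative to the volume root

function Get-ShadowCopies([string]$Drive = 'C:') {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID are both \\?\Volume{GUID}\ strings.
    $volumeId = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$Drive'").DeviceID
    Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volumeId } | ForEach-Object {
        New-Object PSObject -Property @{
            Taken  = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Device = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Taken
}

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' } finally { $fs.Close() }
}

$copies = @(Get-ShadowCopies)
if ($copies.Count -eq 0) {
    Write-Host 'No shadow copies of C: exist (System Protection off, or the snapshots were deleted).'
    return
}
$copies | Format-Table Taken, Device -AutoSize

# Expose the oldest snapshot as a directory symbolic link; the trailing backslash is required.
$oldest = $copies[0]
cmd /c mklink /d $Link "$($oldest.Device)\" | Out-Null

$live = Join-Path 'C:\' $Sample
$snap = Join-Path $Link $Sample
if (-not (Test-Path $snap)) {
    Write-Host "$Sample is not present in the $($oldest.Taken) snapshot."
} elseif ((Get-Sha256 $live) -eq (Get-Sha256 $snap)) {
    Write-Host "$Sample is byte-identical to the live file: the snapshot postdates the encryption."
} else {
    Write-Host "$Sample differs in the snapshot; open it from $snap before copying anything back."
}

# Remove only the link; rmdir on a directory link never touches the snapshot contents.
cmd /c rmdir $Link
```

An empty list, or a snapshot whose copy is identical to the damaged live file, means the shadow copies cannot help, which is the outcome reported later in this thread.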

Author Comment

by:mmj1
No I will give that a try and let you know - thank you

LVL 76

Expert Comment

by:Alan Hardisty
No problems - fingers crossed it works.

Author Comment

by:mmj1
I installed the shadow copy but the only previous date was on 4-23 and those files were also encrypted.  So looks like I am out of options.

LVL 76

Expert Comment

by:Alan Hardisty
That's a shame.  Sorry.

So if the data is important, then you seem to only have one choice :(

Do you use anything like Dropbox / iDrive or any on-line backup program by any chance?

LVL 26

Expert Comment

by:Thomas Zucker-Scharff
If you use dropbox, they will recover those files, but it generally takes a couple of days.

Author Comment

by:mmj1
I would assume it is best to do a clean install on my PC rather than try to remove the virus - is that correct?

LVL 76

Expert Comment

by:Alan Hardisty
Following the steps in my article for the customer I had with the problem was sufficient for them and no repercussions since.

Complete rebuild is the only guaranteed way to be 100% sure, but it is a bit long-winded.

Depends how cautious you like to be.  At the end of the day, the virus was probably sent to you in an email and you probably opened the attachment in it so even with a complete rebuild, if you open another infected attachment a week later, then the rebuild will all be for nothing.

If you implement some good Anti-Spam and tread very carefully when getting emails with attachments claiming to come from Amazon / USPS etc, then you should be pretty safe.

Alan

Author Comment

by:mmj1
I may try your steps first - but a couple of initial questions - so my Outlook 2010 - it opens OK and all of my emails are there - so do I just keep using my email or do I have to delete that Outlook PST?

LVL 76

Expert Comment

by:Alan Hardisty
If it opens fine - then keep it - just be extra wary of attachments.

The Bleepingcomputer link in my blog lists a lot of the email messages types that are known to be associated with the cryptolocker virus.

Essentially keep an eye open for emails with attachments such as invoices / missed post deliveries that you weren't expecting, Amazon invoices for items you didn't order, and if in any doubt, don't open the attachment.  What's the worst that can happen if you don't open it?

Alan

Author Comment

by:mmj1
Alan, I followed the steps in your blog and have a few questions:
1) I ran the Rkill (iexplore.exe) and that ran fine and created a notepad item with info in it
2) I tried to run the taskkill command and it replied with no processes to kill
3) I ran RogueKiller and there were 9 items found in the registry - I clicked delete and several items were deleted and others showed not found
4) I looked for the dll files you referenced but there were none listed in the "roaming" folder
5) I rebooted and the background still shows the crypto message

Not sure if you can advise why I was not able to perform some of the steps and what other steps should I follow to verify the virus is gone.

Thank you

LVL 76

Expert Comment

by:Alan Hardisty
The message you see is usually just a picture on the desktop that displays as the wallpaper.  Change the wallpaper and remove the image.

The taskkill step is only necessary if you have two processes running and the rkill (iexplore.exe) doesn't kill them both.

Roguekiller may have zapped the dll's.

Alan

Author Comment

by:mmj1
I did remove the crypto message on the wallpaper and now the background is just black - tried to set the wallpaper back to the default windows background but it didn't return to the blue background.  Will have to try picking another background.

Other than that all seems to be ok now.  Not sure if there is anything else I can check to make sure it is completely gone.

LVL 76

Expert Comment

by:Alan Hardisty
You can give it a scan with Malwarebytes or similar.  If that doesn't find anything else then I would expect it to have disappeared.  Then you just have to tread carefully when opening those emails in future.

Anything with a .zip attachment - give it a wide berth!!

Alan

Author Comment

by:mmj1
Actually, I did scan in safe mode with Malwarebytes and it did detect two items (one being the zip file that I believe was the culprit) - it was in the temp folder and it did delete it.
Thank you again for all of your help!

LVL 76

Expert Comment

by:Alan Hardisty
That's good - but you may want to run MalwareBytes in normal mode too.  Safe mode isn't the best mode to run it.

You're welcome.

Alan

Author Comment

by:mmj1
ok - will do.

Author Closing Comment

by:mmj1
Thanks to everyone for their input and time assisting me with my issue.  It is appreciated.