Solved

keyword search for cryptolocker-like encrypted files

Posted on 2015-01-05
2
462 Views
Last Modified: 2015-01-22
Recently we were hit by cryptolocker and were able to recover all our files from backups. Now I periodically search our network file shares for keyword: decrypt

I do this to make sure there are no more cryptolocker-encrypted files on the network, since when cryptolocker encrypts files, it creates a decryptinstructions.txt (or something like that) file in every folder it infects.

But now I want to broaden my search and look for some other possible programs of the same type (or the results of those programs).

What else can I search for besides the keyword "decrypt" to look for tell-tale signs that a folder has been hit by other-than-cryptolocker programs that do the same type of thing (encrypt files for ransom)?

Is there a website that lists variants and specifically lists what to look for in a file system?

And yes, I do have AV software... we had it when we originally got hit with cryptolocker.

Anyway, thanks for any help anyone can come up with on this subject.
0
Question by: gateguard
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40533048
This is one good source for Cryptolocker and its history of events in its CryptoLocker Timeline as well as Guide Updates. http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

It may highlight variant appearance, but I would rather use its search entry on the site to sieve out all such variants and families of the same ransomware genre. Below are some key variants from the search.
Also, specifically for scavenging possible infected machines etc., it is good to look in each surfaced sample at its stated "Associated <Ransomware> Files" section, which is normally well below in each article. There you can find those files or trails deposited during their infection.

I extracted some and left out the random folders and files created, since they are not going to be useful for the hunt. The keyword list may include the filename, or even wildcard it if your script supports that...
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.HTML
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.TXT
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.URL
%UserProfile%\Desktop\INSTALL_TOR.URL
http://www.bleepingcomputer.com/virus-removal/coinvault-ransomware-information
%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg
http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information
%UserProfile%\Desktop\HOW_DECRYPT.HTML
%UserProfile%\Desktop\HOW_DECRYPT.TXT
%UserProfile%\Desktop\HOW_DECRYPT.URL
0
 
LVL 63

Expert Comment

by:btan
ID: 40564313
Also I added in CTB Locker, another ransomware

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#files

%Temp%\<random>.exe
%MyDocuments%\AllFilesAreLocked <user_id>.bmp
%MyDocuments%\DecryptAllFiles <user_id>.txt
%MyDocuments%\<random>.html
%WinDir%\Tasks\<random>.job

And it can have a random file extension such as .ztswgmc or .rlspiam
0
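Put together as an added example, not code from either post or from the bleepingcomputer articles, the following Python sweep walks one or more share roots (a UNC path or a mapped drive works the same as a local folder) and flags the ransom-note filenames and renamed-file extensions listed in the two answers above. The pattern list, the label names, the `run_demo` helper and the constructed sample tree are my own; the CoinVault `filelist.txt` and `wallpaper.jpg` entries are deliberately left out because those names are far too common on a file server to be useful indicators, and the `%AppData%`/`%Temp%` items are machine-local artifacts rather than something you would expect on a share.

```python
import fnmatch
import os
import tempfile

# Ransom-note filenames quoted in the two answers above (CryptoWall, CoinVault,
# CryptoDefense, CTB Locker). Matched case-insensitively as glob patterns, since
# Windows shares are case-insensitive and CTB Locker appends a <user_id>.
RANSOM_NOTE_PATTERNS = [
    "DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.URL",
    "INSTALL_TOR.URL",
    "coinvault.exe", "CoinVaultFileList.txt",
    "HOW_DECRYPT.HTML", "HOW_DECRYPT.TXT", "HOW_DECRYPT.URL",
    "AllFilesAreLocked *.bmp", "DecryptAllFiles *.txt",
]

# Extensions CTB Locker gave to renamed files, per the second answer.
ENCRYPTED_EXTENSIONS = {".ztswgmc", ".rlspiam"}


def classify(filename):
    """Return an indicator label for a filename, or None if it looks clean."""
    lower = filename.lower()
    for pattern in RANSOM_NOTE_PATTERNS:
        if fnmatch.fnmatchcase(lower, pattern.lower()):
            return "ransom-note:" + pattern
    ext = os.path.splitext(lower)[1]
    if ext in ENCRYPTED_EXTENSIONS:
        return "encrypted-extension:" + ext
    return None


def scan(roots):
    """Walk every root and return (path, label) pairs for each indicator hit.

    Unreadable directories are skipped rather than aborting the whole sweep,
    which matters on large shares with uneven permissions.
    """
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:
                label = classify(name)
                if label:
                    hits.append((os.path.join(dirpath, name), label))
    return hits


def summarize(hits):
    """Group hits per directory, so an infected folder is reported once."""
    by_dir = {}
    for path, label in hits:
        by_dir.setdefault(os.path.dirname(path), set()).add(label)
    return by_dir


def build_sample_tree(base):
    """Constructed sample share (not real data): two clean and three hit folders."""
    layout = {
        "finance": ["budget.xlsx", "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML"],
        "hr": ["policies.docx", "DecryptAllFiles abc123.txt", "report.docx.ztswgmc"],
        "it": ["readme.txt", "how_decrypt.url"],  # lower-case: exercises case folding
        "archive": ["2014.zip", "filelist.txt"],   # generic name, must NOT be flagged
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "w") as fh:
                fh.write("sample\n")


def run_demo():
    """Create the sample tree in a temp dir, sweep it, return (hits, by_dir)."""
    base = tempfile.mkdtemp(prefix="sharescan_")
    build_sample_tree(base)
    hits = scan([base])
    return hits, summarize(hits)


if __name__ == "__main__":
    # Against real shares you would pass e.g. [r"\\fileserver\dept", "Z:\\"] to scan().
    found, per_dir = run_demo()
    for folder, labels in sorted(per_dir.items()):
        print(folder, "->", ", ".join(sorted(labels)))
    print("%d indicator files in %d folders" % (len(found), len(per_dir)))
```

Run it with a list of share roots instead of the demo tree and feed the per-folder summary into a ticket or alert; grouping by directory keeps a single folder with several notes from flooding the report. Treat the pattern list as a starting point to extend from the "Associated Files" sections the first answer points to, and expect some false positives from the more generic names, which is why the scan reports a label rather than deleting anything.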
