Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

keyword search for cryptolocker-like encrypted files

Posted on 2015-01-05
2
Medium Priority
?
474 Views
Last Modified: 2015-01-22
Recently we were hit by cryptolocker and were able to recover all our files from backups.  Now I periodically search our network file shares for keyword: decrypt

I do this to make sure there are no more cryptolocker-encrypted files on the network, since when cryptolocker encrypts files, it creates a decryptinstructions.txt (or something like that) file in every folder it infects.

But now I want to broaden my search and look for some other possible programs of the same type (or the results of those programs).

What else can I search for besides the keyword "decrypt" to look for tell-tale signs that a folder has been hit by other-than-cryptolocker programs that do the same type of thing (encrypt files for ransom).

Is there a website that lists variants and specifically lists what to look for in a file system.

And yes, I do have AV software... we had it when we originally got hit with cryptolocker.

Anyway, thanks for any help anyone can come up with on this subject.
0
Comment
Question by:gateguard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40533048
This is one good source fro Cryptolocker and its history of events in its CryptoLocker Timeline as well as Guide Updates. http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

It may highlight variant appearance but I rather use its search entry in the site to sieve out all such the variant and family of same ransomware genre. Below are the some key variants from the search.  
Also in specific for scavenging possible infection machine etc, it is good to see in each surfaced sample in its stated "Associated <Ransomware> Files" section, which is normally way below in each article. You can find those files or trails deposited during their infection.

I extracted some and left out some random folder and files created since it is not going to be useful for hunt. The keyword list may include the filename or even wildcard it if your script support that...
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.HTML
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.TXT
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.URL
%UserProfile%\Desktop\INSTALL_TOR.URL
http://www.bleepingcomputer.com/virus-removal/coinvault-ransomware-information
%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg
http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information
%UserProfile%\Desktop\HOW_DECRYPT.HTML
%UserProfile%\Desktop\HOW_DECRYPT.TXT
%UserProfile%\Desktop\HOW_DECRYPT.URL
0
 
LVL 65

Expert Comment

by:btan
ID: 40564313
Also I added in for  CTB Locker , another ransomware

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#files

%Temp%\<random>.exe
%MyDocuments%\AllFilesAreLocked <user_id>.bmp
%MyDocuments%\DecryptAllFiles <user_id>.txt
%MyDocuments%\<random>.html
%WinDir%\Tasks\<random>.job

And can have random file extension is .ztswgmc or .rlspiam
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question