Solved

keyword search for cryptolocker-like encrypted files

Posted on 2015-01-05
465 Views
Last Modified: 2015-01-22
Recently we were hit by cryptolocker and were able to recover all our files from backups.  Now I periodically search our network file shares for keyword: decrypt

I do this to make sure there are no more cryptolocker-encrypted files on the network, since when cryptolocker encrypts files, it creates a decryptinstructions.txt (or something like that) file in every folder it infects.

But now I want to broaden my search and look for some other possible programs of the same type (or the results of those programs).

What else can I search for besides the keyword "decrypt" to look for tell-tale signs that a folder has been hit by other-than-cryptolocker programs that do the same type of thing (encrypt files for ransom)?

Is there a website that lists variants and specifically lists what to look for in a file system?

And yes, I do have AV software... we had it when we originally got hit with cryptolocker.

Anyway, thanks for any help anyone can come up with on this subject.
Question by:gateguard
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40533048
This is one good source for Cryptolocker and its history of events in its CryptoLocker Timeline as well as Guide Updates. http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

It may highlight variant appearance, but I'd rather use the site's search entry to sieve out all such variants and families of the same ransomware genre. Below are some key variants from the search.
Also, specifically for scavenging possibly infected machines etc., it is good to look in each surfaced sample at its stated "Associated <Ransomware> Files" section, which is normally well below in each article. You can find those files or trails deposited during their infection.

I extracted some and left out some random folders and files created, since they are not going to be useful for the hunt. The keyword list may include the filename, or even wildcard it if your script supports that...
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.HTML
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.TXT
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.URL
%UserProfile%\Desktop\INSTALL_TOR.URL
http://www.bleepingcomputer.com/virus-removal/coinvault-ransomware-information
%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg
http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information
%UserProfile%\Desktop\HOW_DECRYPT.HTML
%UserProfile%\Desktop\HOW_DECRYPT.TXT
%UserProfile%\Desktop\HOW_DECRYPT.URL
 
LVL 64

Expert Comment

by:btan
ID: 40564313
Also I added in CTB Locker, another ransomware

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#files

%Temp%\<random>.exe
%MyDocuments%\AllFilesAreLocked <user_id>.bmp
%MyDocuments%\DecryptAllFiles <user_id>.txt
%MyDocuments%\<random>.html
%WinDir%\Tasks\<random>.job

And it can have a random file extension, e.g. .ztswgmc or .rlspiam
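As an added example (not btan's or the original poster's code), here is a small Python scanner that walks a share and flags folders containing the ransom-note filenames and CTB Locker extensions listed in the two answers above. The directory layout it builds is constructed sample data, and the catch-all `*decrypt*` pattern is the asker's original keyword.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Ransom-note names taken from btan's lists above; matched case-insensitively.
NOTE_PATTERNS = [
    "DECRYPT_INSTRUCTION.*", "INSTALL_TOR.URL",        # CryptoWall
    "HOW_DECRYPT.*",                                   # CryptoDefense
    "CoinVaultFileList.txt",                           # CoinVault
    "DecryptAllFiles*.txt", "AllFilesAreLocked*.bmp",  # CTB Locker
    "*decrypt*",                                       # the asker's original catch-all keyword
]
# Extensions CTB Locker appends to encrypted files, per the answer above.
ENCRYPTED_EXTENSIONS = {".ztswgmc", ".rlspiam"}

def classify(name):
    """Return 'encrypted', 'note' or None for one file name."""
    lower = name.lower()
    if Path(lower).suffix in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    if any(fnmatch.fnmatchcase(lower, p.lower()) for p in NOTE_PATTERNS):
        return "note"
    return None

def scan_share(root):
    """Walk root; return {folder: {'note': [...], 'encrypted': [...]}} for folders with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            kind = classify(fname)
            if kind:
                hits.setdefault(dirpath, {"note": [], "encrypted": []})[kind].append(fname)
    return hits

def build_sample_tree(base):
    """Constructed sample share (not real data): two hit folders and one clean one."""
    for rel in ("finance/DECRYPT_INSTRUCTION.TXT", "finance/budget.xlsx",
                "hr/DecryptAllFiles abc123.txt", "hr/payroll.docx.ztswgmc",
                "clean/readme.txt"):
        Path(base, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(base, rel).write_text("sample")
    return base

def run_demo():
    """Scan the constructed tree in a temp dir and key hits by folder relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        raw = scan_share(build_sample_tree(tmp))
        return {os.path.relpath(folder, tmp): found for folder, found in raw.items()}
```

Point `scan_share` at a mounted share root (e.g. a UNC path on Windows) to get a per-folder list of notes and renamed files; a folder with only "encrypted" hits and no note still deserves a look.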
