Solved

keyword search for cryptolocker-like encrypted files

Posted on 2015-01-05
2
435 Views
Last Modified: 2015-01-22
Recently we were hit by cryptolocker and were able to recover all our files from backups.  Now I periodically search our network file shares for keyword: decrypt

I do this to make sure there are no more cryptolocker-encrypted files on the network, since when cryptolocker encrypts files, it creates a decryptinstructions.txt (or something like that) file in every folder it infects.

But now I want to broaden my search and look for some other possible programs of the same type (or the results of those programs).

What else can I search for besides the keyword "decrypt" to look for tell-tale signs that a folder has been hit by other-than-cryptolocker programs that do the same type of thing (encrypt files for ransom).

Is there a website that lists variants and specifically lists what to look for in a file system.

And yes, I do have AV software... we had it when we originally got hit with cryptolocker.

Anyway, thanks for any help anyone can come up with on this subject.
0
Comment
Question by:gateguard
  • 2
2 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40533048
This is one good source fro Cryptolocker and its history of events in its CryptoLocker Timeline as well as Guide Updates. http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

It may highlight variant appearance but I rather use its search entry in the site to sieve out all such the variant and family of same ransomware genre. Below are the some key variants from the search.  
Also in specific for scavenging possible infection machine etc, it is good to see in each surfaced sample in its stated "Associated <Ransomware> Files" section, which is normally way below in each article. You can find those files or trails deposited during their infection.

I extracted some and left out some random folder and files created since it is not going to be useful for hunt. The keyword list may include the filename or even wildcard it if your script support that...
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.HTML
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.TXT
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.URL
%UserProfile%\Desktop\INSTALL_TOR.URL
http://www.bleepingcomputer.com/virus-removal/coinvault-ransomware-information
%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg
http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information
%UserProfile%\Desktop\HOW_DECRYPT.HTML
%UserProfile%\Desktop\HOW_DECRYPT.TXT
%UserProfile%\Desktop\HOW_DECRYPT.URL
0
 
LVL 62

Expert Comment

by:btan
ID: 40564313
Also I added in for  CTB Locker , another ransomware

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#files

%Temp%\<random>.exe
%MyDocuments%\AllFilesAreLocked <user_id>.bmp
%MyDocuments%\DecryptAllFiles <user_id>.txt
%MyDocuments%\<random>.html
%WinDir%\Tasks\<random>.job

And can have random file extension is .ztswgmc or .rlspiam
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now