?
Solved

keyword search for cryptolocker-like encrypted files

Posted on 2015-01-05
2
Medium Priority
?
488 Views
Last Modified: 2015-01-22
Recently we were hit by cryptolocker and were able to recover all our files from backups.  Now I periodically search our network file shares for keyword: decrypt

I do this to make sure there are no more cryptolocker-encrypted files on the network, since when cryptolocker encrypts files, it creates a decryptinstructions.txt (or something like that) file in every folder it infects.

But now I want to broaden my search and look for some other possible programs of the same type (or the results of those programs).

What else can I search for besides the keyword "decrypt" to look for tell-tale signs that a folder has been hit by other-than-cryptolocker programs that do the same type of thing (encrypt files for ransom).

Is there a website that lists variants and specifically lists what to look for in a file system.

And yes, I do have AV software... we had it when we originally got hit with cryptolocker.

Anyway, thanks for any help anyone can come up with on this subject.
0
Comment
Question by:gateguard
  • 2
2 Comments
 
LVL 66

Accepted Solution

by:
btan earned 2000 total points
ID: 40533048
This is one good source fro Cryptolocker and its history of events in its CryptoLocker Timeline as well as Guide Updates. http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

It may highlight variant appearance but I rather use its search entry in the site to sieve out all such the variant and family of same ransomware genre. Below are the some key variants from the search.  
Also in specific for scavenging possible infection machine etc, it is good to see in each surfaced sample in its stated "Associated <Ransomware> Files" section, which is normally way below in each article. You can find those files or trails deposited during their infection.

I extracted some and left out some random folder and files created since it is not going to be useful for hunt. The keyword list may include the filename or even wildcard it if your script support that...
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.HTML
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.TXT
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.URL
%UserProfile%\Desktop\INSTALL_TOR.URL
http://www.bleepingcomputer.com/virus-removal/coinvault-ransomware-information
%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg
http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information
%UserProfile%\Desktop\HOW_DECRYPT.HTML
%UserProfile%\Desktop\HOW_DECRYPT.TXT
%UserProfile%\Desktop\HOW_DECRYPT.URL
0
 
LVL 66

Expert Comment

by:btan
ID: 40564313
Also I added in for  CTB Locker , another ransomware

http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information#files

%Temp%\<random>.exe
%MyDocuments%\AllFilesAreLocked <user_id>.bmp
%MyDocuments%\DecryptAllFiles <user_id>.txt
%MyDocuments%\<random>.html
%WinDir%\Tasks\<random>.job

And can have random file extension is .ztswgmc or .rlspiam
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
There may be issues when you are trying to access Outlook or send & receive emails or due to Outlook crash which leads to corrupt or damaged PST file. To eliminate the corruption from your PST file, you need to repair the corrupt Outlook PST file. U…
Free Data Recovery software is an advanced solution from Kernel Tools to recover data and files such as documents, emails, database, media and pictures, etc. It supports recovery from physical & logical drive after a hard disk crash, accidental/inte…

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question