Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

CBT-Locker Ransomware

Posted on 2015-02-04
Last Modified: 2015-02-19
one of my clients received this extortion malware and want to know what the best possible solution is to retrieve the documents that it encrypted?

It appears the installed Antivirus (Trend Micro WFBS Advanced v9.0 SP1) deleted the locker program, however, I have not been able to locate a solution to decrypt the files on this PC.

TAGS: Ransomware, CBT-Locker, cryptolocker, cryptoransomware

Any suggestions or solutions?
Question by:ECSI06
  • 2
  • 2

Accepted Solution

Trenton Knew earned 350 total points
ID: 40588944
If the user has "Previous Versions" (ms shadow copy service) enabled, that is the easiest way...

right-click an affected folder,  click properties, then Previous Versions.

If you're lucky, you can restore an older version, otherwise, with no backup, you're in REALLY bad shape.

There are some tools on the internet for decrypting crypolocker files, (such as https://www.decryptcryptolocker.com/ for example) but they don't work with every algorithm of this threat.  so results are shaky at best

Author Comment

ID: 40589043
I actually have an offsite backup for all of the document files (Word, Excel, Photos, Etc.) on this pc from last week, however, will those files be infected too? Should I just remove this infected hard drive and install a new hard + O/S and attempt to the restore the data files?

If I attempt to restore this system from an ms shadow copy or use the cryptolocker and it fails... I'm not sure how much the ransom demand is yet vs. time left so is it worth considering the ransom (if its a small amount) as opposed to rebuilding the entire system? Or, will the ransom demands just perpetuate and increase based on blocks of data?


Assisted Solution

by:Trenton Knew
Trenton Knew earned 350 total points
ID: 40589807
your offsite backup should be safe so long as they haven't let this problem roll along for an entire week or longer.  even so, you should hopefully have an incremental backup to restore older versions there too.  

See if you can download one of the affected files from the backup to a different computer or flash drive and open it.  If this works, then step one becomes eliminate the virus FIRST.  Malwarebytes would be good for that.  If the backup is NO good On the other hand, removing the virus first might mean your files are gone forever, since the ½ of the encryption key pair is not stored on the remote attacker's server.  

If you decide to succumb to the threat and pay the money, it is imperative that the virus not get removed before your files are decrypted.  If you find yourself in the unfortunate position to have to choose this route, I HIGHLY recommend going to get some kind of prepaid "throw away" gift card.  so that the extortionist cannot use it again.

I hope you don't have to go that route though.
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 150 total points
ID: 40589861
As you have already heard, there is no reasonable way to decrypt the files other than restore from backup or pay the ransom (even then you don't know for sure if you will receive the decryption key).  Your best protection against this is versioning backup offsite (Crashplan, Spideroak, Comodo, etc - NOT dropbox because dropbox is not a backup and they will take more than a few days to process a request for file recovery - they do do versioning though).

Author Closing Comment

ID: 40619620
Thanks for the recommendations as I was able to retrieve some of the items (located within the Users/Documents Folder) from "Previous Versions" on the PC after removing the malware. The "Previous Versions" option did not work with any of the items listed within the Program Files folder(?) Because of the time involved and nature of this "ransom demand", I just decided to install a new hard drive in the pc and reinstall the operating system from scratch,  then, copy the items that I was able to retrieve from the "Previous Versions" options and the offsite data backup location to get 99.99% of the users data restored. In addition, I modified the end user rights from Administrator to a Domain User on this PC!

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Admin account lockout 10 52
xss alert in domino url 9 33
Exchange 2010 upgrade to 2013 certificate issue 2 27
SMTP connect() failed - WordPress 6 22
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question