CBT-Locker Ransomware

Posted on 2015-02-04
Last Modified: 2015-02-19
One of my clients received this extortion malware and wants to know what the best possible solution is to retrieve the documents that it encrypted.

It appears the installed Antivirus (Trend Micro WFBS Advanced v9.0 SP1) deleted the locker program, however, I have not been able to locate a solution to decrypt the files on this PC.

TAGS: Ransomware, CBT-Locker, cryptolocker, cryptoransomware

Any suggestions or solutions?
Question by:ECSI06

Accepted Solution

Trenton Knew earned 350 total points
ID: 40588944
If the user has "Previous Versions" (ms shadow copy service) enabled, that is the easiest way...

right-click an affected folder,  click properties, then Previous Versions.

If you're lucky, you can restore an older version, otherwise, with no backup, you're in REALLY bad shape.

There are some tools on the internet for decrypting cryptolocker files, (such as for example) but they don't work with every algorithm of this threat.  So results are shaky at best.
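The "Previous Versions" check described in the accepted solution can also be done from an elevated PowerShell prompt. The script below is an added example, not something posted in this thread: it lists the Volume Shadow Copies that "Previous Versions" reads from, so you can see whether any exist (and whether they predate the encryption) before spending time on that route, then exposes the newest one as a directory symbolic link so files can be copied out with ordinary tools. `$Volume` and `$LinkPath` are assumed values; change them to suit.

```powershell
# Added example (not from the thread): list Volume Shadow Copies for a volume and
# expose the newest one as a directory symbolic link for copying files out.
# Run from an elevated PowerShell prompt. $Volume and $LinkPath are assumptions.
param(
    [string]$Volume   = 'C:',
    [string]$LinkPath = 'C:\ShadowView'
)

# Map the drive letter to its volume device path; Win32_ShadowCopy.VolumeName uses that form.
$vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found." }

# Every existing shadow copy of this volume, oldest first.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate

if (-not $shadows) {
    Write-Warning "No shadow copies exist for $Volume. Previous Versions cannot help here; fall back to the offsite backup."
    return
}

# Show what exists before touching anything. Compare Created against the time the
# files stopped opening: only copies taken before that hold clean versions.
$shadows | ForEach-Object {
    [pscustomobject]@{
        Created = $_.InstallDate
        ID      = $_.ID
        Device  = $_.DeviceObject
    }
} | Format-Table -AutoSize

$latest = $shadows | Select-Object -Last 1

# PowerShell cannot browse \\?\GLOBALROOT device paths directly, so create a
# directory symbolic link with mklink. The trailing backslash on the path is required.
if (-not (Test-Path $LinkPath)) {
    cmd /c mklink /d $LinkPath "$($latest.DeviceObject)\" | Out-Null
}

# The shadow copy is now browsable like a normal folder; nothing on the live volume is changed.
Get-ChildItem -Path (Join-Path $LinkPath 'Users') -Directory | Select-Object Name

# Example restore of one user's Documents folder to a separate drive (uncomment to use):
# Copy-Item "$LinkPath\Users\<user>\Documents" -Destination 'D:\Recovered' -Recurse
# Remove the link when finished; this deletes only the link, not the shadow copy:
# cmd /c rmdir $LinkPath
```

Listing first is deliberate: if the list is empty there is nothing for "Previous Versions" to offer, and the time is better spent on the backup. Copy recovered files to a different drive rather than back over the originals so that nothing on the affected disk is overwritten while you are still working out what happened.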

Author Comment

ID: 40589043
I actually have an offsite backup for all of the document files (Word, Excel, Photos, Etc.) on this PC from last week, however, will those files be infected too? Should I just remove this infected hard drive and install a new hard drive + O/S and attempt to restore the data files?

If I attempt to restore this system from an ms shadow copy or use the cryptolocker and it fails... I'm not sure how much the ransom demand is yet vs. time left, so is it worth considering the ransom (if it's a small amount) as opposed to rebuilding the entire system? Or, will the ransom demands just perpetuate and increase based on blocks of data?


Assisted Solution

by:Trenton Knew
Trenton Knew earned 350 total points
ID: 40589807
Your offsite backup should be safe so long as they haven't let this problem roll along for an entire week or longer.  Even so, you should hopefully have an incremental backup to restore older versions there too.

See if you can download one of the affected files from the backup to a different computer or flash drive and open it.  If this works, then step one becomes eliminate the virus FIRST.  Malwarebytes would be good for that.  If the backup is NO good, on the other hand, removing the virus first might mean your files are gone forever, since half of the encryption key pair is not stored on the remote attacker's server.

If you decide to succumb to the threat and pay the money, it is imperative that the virus not get removed before your files are decrypted.  If you find yourself in the unfortunate position to have to choose this route, I HIGHLY recommend going to get some kind of prepaid "throw away" gift card, so that the extortionist cannot use it again.

I hope you don't have to go that route though.
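The advice above to open a file from the backup on a different machine before trusting that backup can be done for a whole backup set at once. The script below is an added example, not code from this thread: it walks a mounted copy of the backup and checks that each document still begins with the header its extension implies (ZIP for .docx/.xlsx, OLE2 for .doc/.xls, `%PDF`, JPEG, PNG). Encrypted files lose those headers, so a run of `mismatch` results with recent modification times tells you the backup was taken after the encryption and you need an older version. `$BackupRoot` is an assumed path; files with an extension not in the table (including any the malware may have renamed) are reported as `unknown` and deserve a manual look.

```powershell
# Added example (not from the thread): check that backed-up files still carry the
# header their extension implies. A mismatch means the stored copy is not the
# original document, e.g. it was backed up after being encrypted.
# $BackupRoot is an assumption; point it at a mounted copy of the backup.
param(
    [string]$BackupRoot = 'D:\OffsiteBackup\Users'
)

# Expected leading bytes per extension (well-known file signatures).
$signatures = @{
    '.docx' = 0x50,0x4B,0x03,0x04   # ZIP container (Office Open XML)
    '.xlsx' = 0x50,0x4B,0x03,0x04
    '.pptx' = 0x50,0x4B,0x03,0x04
    '.zip'  = 0x50,0x4B,0x03,0x04
    '.doc'  = 0xD0,0xCF,0x11,0xE0   # OLE2 compound document (legacy Office)
    '.xls'  = 0xD0,0xCF,0x11,0xE0
    '.pdf'  = 0x25,0x50,0x44,0x46   # "%PDF"
    '.jpg'  = 0xFF,0xD8,0xFF
    '.jpeg' = 0xFF,0xD8,0xFF
    '.png'  = 0x89,0x50,0x4E,0x47
}

function Test-FileSignature {
    param([System.IO.FileInfo]$File)
    $expected = $signatures[$File.Extension.ToLower()]
    if (-not $expected) { return 'unknown' }     # extension not in the table

    # Read only as many bytes as the signature needs; large files are not loaded.
    $buf = New-Object byte[] $expected.Count
    $fs  = $File.OpenRead()
    try     { $n = $fs.Read($buf, 0, $buf.Length) }
    finally { $fs.Dispose() }

    # A file too short to hold its own header (e.g. zero bytes) is treated as a mismatch.
    if ($n -lt $expected.Count) { return 'mismatch' }
    for ($i = 0; $i -lt $expected.Count; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return 'mismatch' }
    }
    return 'ok'
}

$results = Get-ChildItem -Path $BackupRoot -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Modified = $_.LastWriteTime
            Status   = Test-FileSignature -File $_
        }
    }

# Summary: many mismatches means this backup version was taken after the files were encrypted.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail: which files, and when they were last written, so you can choose an
# earlier backup version from before that time.
$results | Where-Object Status -eq 'mismatch' |
    Sort-Object Modified |
    Format-Table Path, Modified -AutoSize
```

Run this against the backup copy, never against the affected PC, and treat the earliest `Modified` time among the mismatches as the point to restore from. A clean run (all `ok`) is the evidence the answer above asks for before removing the malware and starting the restore.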

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 150 total points
ID: 40589861
As you have already heard, there is no reasonable way to decrypt the files other than restore from backup or pay the ransom (even then you don't know for sure if you will receive the decryption key).  Your best protection against this is versioning backup offsite (Crashplan, Spideroak, Comodo, etc - NOT dropbox because dropbox is not a backup and they will take more than a few days to process a request for file recovery - they do do versioning though).

Author Closing Comment

ID: 40619620
Thanks for the recommendations as I was able to retrieve some of the items (located within the Users/Documents Folder) from "Previous Versions" on the PC after removing the malware. The "Previous Versions" option did not work with any of the items listed within the Program Files folder(?). Because of the time involved and nature of this "ransom demand", I just decided to install a new hard drive in the PC and reinstall the operating system from scratch, then copy the items that I was able to retrieve from the "Previous Versions" option and the offsite data backup location to get 99.99% of the user's data restored. In addition, I modified the end user rights from Administrator to a Domain User on this PC!
