CBT-Locker Ransomware

Posted on 2015-02-04
Medium Priority
Last Modified: 2015-02-19
One of my clients received this extortion malware and wants to know the best possible solution to retrieve the documents that it encrypted.

It appears the installed Antivirus (Trend Micro WFBS Advanced v9.0 SP1) deleted the locker program, however, I have not been able to locate a solution to decrypt the files on this PC.

Any suggestions or solutions?

Question by: ECSI06

TAGS: Ransomware, CBT-Locker, cryptolocker, cryptoransomware

Accepted Solution

Trenton Knew earned 1050 total points
ID: 40588944
If the user has "Previous Versions" (MS Shadow Copy service) enabled, that is the easiest way.

Right-click an affected folder, click Properties, then Previous Versions.

If you're lucky, you can restore an older version, otherwise, with no backup, you're in REALLY bad shape.

There are some tools on the internet for decrypting cryptolocker files (such as https://www.decryptcryptolocker.com/ for example), but they don't work with every algorithm of this threat, so results are shaky at best.
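The Previous Versions route above, scripted for a whole folder as an added example that is not part of the thread: it lists the volume's shadow copies, picks the newest one taken before the infection, and copies a folder out of it to a clean disk. Run it elevated; the infection time, volume, folder and destination are assumed values.

```powershell
# Added example, not from the thread. Restores a folder from the newest volume
# shadow copy ("Previous Versions") that predates the ransomware. Run as Administrator.
$InfectionTime = Get-Date '2015-02-03 08:00'   # assumption: earliest encrypted-file timestamp
$Volume        = 'C:\'                         # assumption: volume holding the user profile
$SourceFolder  = 'Users\jdoe\Documents'        # assumption: folder path relative to the volume root
$Destination   = 'D:\Recovery\Documents'       # assumption: a clean disk, never the infected volume

# Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ id; map the drive letter to it.
$volumeId  = (Get-CimInstance -ClassName Win32_Volume | Where-Object Name -eq $Volume).DeviceID
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object VolumeName -eq $volumeId

# Show what is available so the choice of snapshot can be checked by hand.
$snapshots | Sort-Object InstallDate | Format-Table InstallDate, ID, DeviceObject -AutoSize

$candidate = $snapshots |
    Where-Object { $_.InstallDate -lt $InfectionTime } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $candidate) {
    throw "No shadow copy of $Volume predates $InfectionTime; the Previous Versions route is closed."
}
"Using snapshot taken $($candidate.InstallDate)"

# The snapshot device is only reachable through a directory link; the trailing
# backslash after DeviceObject is required by mklink.
$link = Join-Path $env:TEMP 'vss_restore'
if (Test-Path $link) { cmd /c rmdir "$link" }          # rmdir drops the link, not the snapshot
cmd /c mklink /d "$link" "$($candidate.DeviceObject)\" | Out-Null

try {
    $src = Join-Path $link $SourceFolder
    if (-not (Test-Path $src)) { throw "Folder $SourceFolder does not exist in that snapshot" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path (Join-Path $src '*') -Destination $Destination -Recurse -Force
    $count = (Get-ChildItem -Path $Destination -Recurse -File | Measure-Object).Count
    "Copied $count files to $Destination"
} finally {
    cmd /c rmdir "$link"
}
```

If the snapshot list is empty or every snapshot is newer than the infection, the only remaining sources are the offsite backup and its older versions.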

Author Comment

ID: 40589043
I actually have an offsite backup for all of the document files (Word, Excel, Photos, etc.) on this PC from last week; however, will those files be infected too? Should I just remove this infected hard drive, install a new hard drive + O/S and attempt to restore the data files?

If I attempt to restore this system from an MS shadow copy or use the cryptolocker tool and it fails... I'm not sure how much the ransom demand is yet vs. time left, so is it worth considering the ransom (if it's a small amount) as opposed to rebuilding the entire system? Or will the ransom demands just perpetuate and increase based on blocks of data?


Assisted Solution

by: Trenton Knew
Trenton Knew earned 1050 total points
ID: 40589807
Your offsite backup should be safe so long as they haven't let this problem roll along for an entire week or longer. Even so, you should hopefully have an incremental backup to restore older versions there too.

See if you can download one of the affected files from the backup to a different computer or flash drive and open it. If this works, then step one becomes: eliminate the virus FIRST. Malwarebytes would be good for that. If the backup is NO good, on the other hand, removing the virus first might mean your files are gone forever, since ½ of the encryption key pair is not stored on the remote attacker's server.

If you decide to succumb to the threat and pay the money, it is imperative that the virus not get removed before your files are decrypted. If you find yourself in the unfortunate position to have to choose this route, I HIGHLY recommend going to get some kind of prepaid "throw away" gift card, so that the extortionist cannot use it again.

I hope you don't have to go that route though.
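A way to carry out the "download an affected file from the backup and open it" check at scale, added here and not part of the answer: it reads the first bytes of every file in a backup copy and flags those whose header no longer matches the extension, which is what an encrypted copy looks like. The backup path and the signature table are assumptions.

```powershell
# Added example, not from the thread. Checks whether the files in a backup copy
# still look like the document types their extensions claim. Run on a clean
# machine against a read-only mount of the backup, never on the infected PC.
$BackupRoot = 'E:\Backup\Documents'   # assumption: where the offsite backup was pulled down

# Leading bytes expected for the file types the thread mentions.
$Signatures = @{
    '.docx' = @(0x50, 0x4B)               # "PK": Office Open XML is a zip container
    '.xlsx' = @(0x50, 0x4B)
    '.doc'  = @(0xD0, 0xCF, 0x11, 0xE0)   # legacy OLE compound document
    '.xls'  = @(0xD0, 0xCF, 0x11, 0xE0)
    '.pdf'  = @(0x25, 0x50, 0x44, 0x46)   # "%PDF"
    '.jpg'  = @(0xFF, 0xD8, 0xFF)         # JPEG start-of-image marker
}

function Test-FileHeader {
    param([System.IO.FileInfo]$File)
    $expected = $Signatures[$File.Extension.ToLower()]
    if (-not $expected) { return $null }   # no signature known: not judged
    $buf = New-Object byte[] ($expected.Count)
    $fs = $File.OpenRead()
    try { $read = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    if ($read -lt $expected.Count) { return $false }
    for ($i = 0; $i -lt $expected.Count; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

$results = Get-ChildItem -Path $BackupRoot -Recurse -File | ForEach-Object {
    $ok = Test-FileHeader $_
    if ($null -ne $ok) {
        [pscustomobject]@{ Path = $_.FullName; LastWrite = $_.LastWriteTime; HeaderOk = $ok }
    }
}
$bad = @($results | Where-Object { -not $_.HeaderOk })
"{0} files checked, {1} with a header that no longer matches the extension" -f @($results).Count, $bad.Count

# The oldest mismatched file bounds when the encryption started, which is the
# timestamp needed to pick a clean shadow copy or an earlier backup version.
$bad | Sort-Object LastWrite | Select-Object -First 1 |
    ForEach-Object { "Earliest suspect file: $($_.Path) (modified $($_.LastWrite))" }
```

Files that the malware renamed to an extension outside the table are skipped rather than judged, so also review any unfamiliar extensions that appear in the backup.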

Assisted Solution

by: Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 450 total points
ID: 40589861
As you have already heard, there is no reasonable way to decrypt the files other than to restore from backup or pay the ransom (even then you don't know for sure if you will receive the decryption key). Your best protection against this is versioning backup offsite (CrashPlan, SpiderOak, Comodo, etc. - NOT Dropbox, because Dropbox is not a backup and they will take more than a few days to process a request for file recovery - they do do versioning though).

Author Closing Comment

ID: 40619620
Thanks for the recommendations, as I was able to retrieve some of the items (located within the Users/Documents folder) from "Previous Versions" on the PC after removing the malware. The "Previous Versions" option did not work with any of the items listed within the Program Files folder(?). Because of the time involved and the nature of this "ransom demand", I just decided to install a new hard drive in the PC and reinstall the operating system from scratch, then copy the items that I was able to retrieve from the "Previous Versions" option and the offsite data backup location to get 99.99% of the user's data restored. In addition, I modified the end user's rights from Administrator to Domain User on this PC!
