
CBT-Locker Ransomware

One of my clients received this extortion malware and wants to know what the best possible solution is to retrieve the documents that it encrypted.

It appears the installed Antivirus (Trend Micro WFBS Advanced v9.0 SP1) deleted the locker program, however, I have not been able to locate a solution to decrypt the files on this PC.

TAGS: Ransomware, CBT-Locker, cryptolocker, cryptoransomware

Any suggestions or solutions?
Thanks
ECSI06
3 Solutions
 
Trenton Knew (Owner / Computer Whisperer) commented:
If the user has "Previous Versions" (ms shadow copy service) enabled, that is the easiest way...

Right-click an affected folder, click Properties, then Previous Versions.

If you're lucky, you can restore an older version, otherwise, with no backup, you're in REALLY bad shape.

There are some tools on the internet for decrypting cryptolocker files (such as https://www.decryptcryptolocker.com/ for example), but they don't work with every algorithm of this threat, so results are shaky at best.
ECSI06 (Author) commented:
I actually have an offsite backup for all of the document files (Word, Excel, Photos, etc.) on this PC from last week; however, will those files be infected too? Should I just remove this infected hard drive, install a new hard drive + O/S and attempt to restore the data files?

If I attempt to restore this system from an MS shadow copy or use the cryptolocker and it fails... I'm not sure how much the ransom demand is yet vs. time left, so is it worth considering the ransom (if it's a small amount) as opposed to rebuilding the entire system? Or will the ransom demands just perpetuate and increase based on blocks of data?

Thanks
ECSI06
Trenton Knew (Owner / Computer Whisperer) commented:
Your offsite backup should be safe so long as they haven't let this problem roll along for an entire week or longer. Even so, you should hopefully have an incremental backup to restore older versions there too.

See if you can download one of the affected files from the backup to a different computer or flash drive and open it. If this works, then step one becomes: eliminate the virus FIRST. Malwarebytes would be good for that. If the backup is NO good, on the other hand, removing the virus first might mean your files are gone forever, since the ½ of the encryption key pair is not stored on the remote attacker's server.

If you decide to succumb to the threat and pay the money, it is imperative that the virus not get removed before your files are decrypted. If you find yourself in the unfortunate position of having to choose this route, I HIGHLY recommend going to get some kind of prepaid "throw away" gift card, so that the extortionist cannot use it again.

I hope you don't have to go that route though.
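As an added example (not code from any poster in this thread), a small Python triage script for the check Trenton describes above: copy files from the backup or a Previous Versions restore onto a separate machine and test whether they are still readable before touching the infected PC. It looks for the known headers of the document types named in the thread and otherwise falls back on an assumed entropy threshold of 7.5 bits/byte as a hint that the content is ciphertext; a compressed format with no listed header (e.g. .7z) will also trip that hint, so an "encrypted" verdict means "inspect", not proof.

```python
import math
from collections import Counter
from pathlib import Path

# Magic bytes for the document types the thread mentions (Word, Excel, photos).
MAGIC = {
    b"PK\x03\x04": "Office Open XML (docx/xlsx) or zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "legacy Office (doc/xls)",
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"%PDF": "PDF",
}

# Assumed threshold: ciphertext is close to 8 bits/byte, while plain text and
# uncompressed documents sit well below it. Compressed formats without a known
# header will also exceed it, so treat "encrypted" as a flag for manual review.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Verdict for one file's leading bytes: 'intact', 'encrypted' or 'unknown'."""
    for sig in MAGIC:
        if data.startswith(sig):
            return "intact"
    if shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def scan_tree(root: str) -> dict:
    """Map every file under root to its verdict, reading only the leading sample."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                results[str(path)] = classify(fh.read(SAMPLE_BYTES))
    return results


if __name__ == "__main__":
    import sys
    for name, verdict in sorted(scan_tree(sys.argv[1]).items()):
        print(f"{verdict:9s} {name}")
```

Run it against the directory you restored the sample files into; anything reported as "encrypted" or "unknown" should be opened by hand before you rely on that backup set.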
Thomas Zucker-Scharff (Systems Analyst) commented:
As you have already heard, there is no reasonable way to decrypt the files other than restoring from backup or paying the ransom (and even then you don't know for sure if you will receive the decryption key). Your best protection against this is versioning backup offsite (Crashplan, Spideroak, Comodo, etc. - NOT Dropbox, because Dropbox is not a backup and they will take more than a few days to process a request for file recovery - they do do versioning though).
ECSI06 (Author) commented:
Thanks for the recommendations. I was able to retrieve some of the items (located within the Users/Documents folder) from "Previous Versions" on the PC after removing the malware. The "Previous Versions" option did not work with any of the items listed within the Program Files folder(?). Because of the time involved and the nature of this "ransom demand", I just decided to install a new hard drive in the PC and reinstall the operating system from scratch, then copy the items that I was able to retrieve from the "Previous Versions" option and the offsite data backup location to get 99.99% of the user's data restored. In addition, I modified the end user's rights from Administrator to a Domain User on this PC!