Cryptolocker virus infection

Hello Experts,

A client of ours has been hit with a cryptolocker virus. The client uses a Domain controller running Server 2003 which we are in the process of upgrading.

They also use drop box & recently this has been compromised.

Attached are the file types which are contained in each subfolder that has been encrypted.

We are currently running Sophos Enterprise 5.2.1 R2. Any advice would be appreciated as we are unable to restore unless we pay the ransom fee.
unrealone1 Asked:
Wayne88 Commented:
Unfortunately, I don't know of any fix for this except to reimage from backup.  Does your client have a solid daily backup in place?

There is no attachment.  Can you repost?  Thanks.
unrealone1 (Author) Commented:
Please find the image attached. We have checked our backup retention period & this runs up to 14 days only. The infection occurred on the 17th of Sept.
Capture.PNG
Wayne88 Commented:
Sorry, I haven't been able to confirm that anyone is ever successful at decrypting files encrypted by CryptoLocker.  However, you can try this:

http://www.bleepingcomputer.com/forums/t/543518/decryption-keys-are-now-freely-available-for-victims-of-cryptolocker/

Please be aware of the risk of losing the files forever and do it at your own risk.

Lee W, MVP (Technology and Business Process Advisor) Commented:
Sorry - I know you'd like to find a simple fix... but there's likely not one.  If you were infected with an OLD cryptolocker version then the keys are publicly available... if not, you have to pay.  And then you need to rethink your backups.  Cryptolocker is not a new kind of attack - it's been around over 2 years.

Keep in mind people doing these attacks are constantly learning from their "mistakes" - and making it harder and harder to recover.
andreas (System Admin) Commented:
Yes, in most cases you only have the 2 choices: restore from backup OR pay the ransom.
But if the attack was coming from ONE of the clients and the client then encrypted files on the server, you might have a chance to find some older versions of some files in the volume shadow copy of the server.

As the virus was not running on the server it may not have turned off the shadow copy service there.
If the attacker somehow got domain admin then he can also turn it off on the server. In that case you need to set up your ENTIRE domain from scratch. DO NOT UPGRADE.

Setup a new server and rebuild the clients and then rejoin to the new domain.
If you migrate and rejoin old clients you might put a workstation manipulated by the attacker back into your new domain. The attacker might have changed some workstations in a different way with different backdoors to regain access after the cryptolocker clients have been kicked out.

No AV-Tool will detect all threats, especially if they are not FILE based.
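The shadow-copy route andreas describes, as an added example that is not part of the thread: it enumerates the VSS snapshots of the file server's data volume, marks which were taken before the 17 Sept infection, and exposes the pre-infection ones as directory links so clean copies can be pulled out. Assumed: it runs elevated on the server, PowerShell is installed (not the default on Server 2003), the volume, mount root and full infection date are placeholders, and `mklink` needs Server 2008 or later (on 2003, use the Previous Versions tab on the share instead).

```powershell
# Added example, not from the thread. Lists VSS snapshots of the data volume
# and links the pre-infection ones into a review folder.
# PLACEHOLDERS: the year is not stated in the thread; adjust volume and paths.
$InfectionDate = Get-Date '2015-09-17'
$Volume        = 'D:\'
$MountRoot     = 'C:\vss_review'

# Map the drive letter to its volume GUID path, which is how VSS names volumes.
$vol = Get-WmiObject Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { Write-Warning "Volume $Volume not found"; exit 1 }

# Shadow copies for that volume, oldest first, with creation time converted
# from the WMI DMTF timestamp.
$snapshots = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Created = $_.ConvertToDateTime($_.InstallDate)
            Device  = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created

if (-not $snapshots) { Write-Warning "No shadow copies found for $Volume"; exit 1 }

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null
foreach ($s in $snapshots) {
    $pre = $s.Created -lt $InfectionDate
    $status = if ($pre) { 'pre-infection' } else { 'POST-infection (may hold encrypted files)' }
    '{0:yyyy-MM-dd HH:mm}  {1}  {2}' -f $s.Created, $s.Device, $status
    if ($pre) {
        # Link only snapshots taken before the encryption started; the shadow
        # device path must end with a backslash for mklink to accept it.
        $link = Join-Path $MountRoot ('snap_' + $s.Created.ToString('yyyyMMdd_HHmm'))
        cmd /c mklink /d "$link" "$($s.Device)\" | Out-Null
    }
}
# Copy clean versions out of $MountRoot\snap_*\ then remove the links with rmdir.
```

Snapshots are read-only, so copying from the links cannot alter them; the list also shows at a glance whether any snapshot predates the infection at all, which is the first thing to check before counting on this route.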

unrealone1 (Author) Commented:
This is a stinker of a virus, everyone; make sure AV is up to date and backups are robust.