Agrippa (Netherlands) asked:
Is there a way to find out which virus has encrypted my files and how to decrypt them?

Hi all,

Is there a way to find out which virus has encrypted my files and how to decrypt them? Someone already removed the virus, but cannot tell me what virus it was.

The files affected have the extension .fgcorla added.

Thank you,
☠ MASQ ☠
6/7 random character extensions are typical of the current Cryptolocker variants CTB Locker and Critroni
There is no magic bullet to fix this - hopefully you have backups you can restore.

You can read more about the current status of CTB Locker and Critroni here
http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information
No need to know what virus it was. Restore from backup. Then do not open emails from strangers. That is how you get your files encrypted.
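A small triage heuristic for the indicator MASQ describes above (one 6/7 random-character extension appended across files of many different original types) plus the ransom-note TXT files mentioned later in the thread. This is an added example, not code from any poster; the file listing is constructed, and the lowercase-alphanumeric regex and the "decrypt" note-name pattern are assumptions to adjust for the variant at hand.

```python
import re
from pathlib import PurePosixPath

# Assumptions (not from the thread): "6/7 random characters" is modelled as a
# lowercase alphanumeric run, and ransom notes are matched by name only.
RANDOM_EXT = re.compile(r"^[a-z0-9]{6,7}$")
COMMON_DOC_EXT = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "pst"}
NOTE_NAME = re.compile(r"decrypt", re.IGNORECASE)

def suspicious_extension(name):
    """Return the appended extension if `name` looks like <base>.<ext>.<random>."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return None
    orig_ext, added = parts[-2], parts[-1]
    if orig_ext in COMMON_DOC_EXT and RANDOM_EXT.match(added):
        return added
    return None

def triage(paths):
    """Group appended extensions across a listing. One extension covering
    several files of different original types is the ransomware signature;
    a single oddly named file is not reported. Returns (hits, ransom_notes)."""
    affected = {}
    for p in paths:
        ext = suspicious_extension(PurePosixPath(p).name)
        if ext:
            affected.setdefault(ext, []).append(p)
    hits = {}
    for ext, files in affected.items():
        origs = {PurePosixPath(f).name.lower().split(".")[-2] for f in files}
        if len(files) >= 2 and len(origs) >= 2:
            hits[ext] = sorted(files)
    notes = sorted(p for p in paths
                   if p.lower().endswith(".txt")
                   and NOTE_NAME.search(PurePosixPath(p).name))
    return hits, notes

# Constructed sample listing (not real data): three files carry the same
# appended extension, an archive and a plain text file are untouched, and
# one file stands in for a ransom note dropped in the folder.
SAMPLE = [
    "/home/user/docs/report.docx.fgcorla",
    "/home/user/docs/budget.xlsx.fgcorla",
    "/home/user/photos/holiday.jpg.fgcorla",
    "/home/user/docs/notes.txt",
    "/home/user/downloads/backup.tar.gz",
    "/home/user/docs/DecryptAllFiles.txt",
]
```

Running `triage` over a real directory walk gives the suspected extension and a count of affected files to record before the disk is set aside or wiped.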
Agrippa (ASKER)
Ok, I just found out it is actually: CTB-Locker

So: take out the HDD and replace it and get the PC going again. Keep the disk locked away until maybe some day there will be a decrypting tool?
John
Best to DBAN the disk and if needed reinstall clean OS.
Agrippa (ASKER)
Wow! Those are staggering figures!

David: that encryption key that you talk about: if not backed up: by whom? Where is that key? On the remote server or somewhere local and perhaps deleted while removing the virus?
The point is to extort money from you by criminal means. No point if in a month or two the files can be recovered.
the malware authors may have the key but they need the information from the malware to identify your computer, so they can give the key to you. They do not use the same key for other computers that they've infected.
Agrippa (ASKER)
I can see TXT files in the infected folders which tell me what to do on their site to regain the files. Those TXT files contain keys in the format of a Windows XP product key. That is what they need, but of course you do not get a guarantee that the files will be recovered.

What would you do? Save the drive for future restore options or is this a lost case?
Lost case. Find what you need from backup and move on.

If you do not have a backup, start fresh and now keep regular backups.
You're done.. delete the files, restore from backup. I'd probably go to the point of reinstalling the operating system and all files on the system drive because I'd not trust a machine that I know was compromised.
Agrippa (ASKER)
I also don't trust the current drive / software. I am going to save the drive and data and put in an SSD drive. Start fresh.

However: now the discussion on how to best configure Windows to be able to prevent data loss and to prevent getting the virus. Let's not discuss on how a user should act, because we all know they mess up from time to time. I as a systems administrator want to leave the responsibility of a backup with the customer (I am talking home users). But perhaps I can configure shadow copies and I also saw this:

Clients:
http://info.kaspersky.nl/kes10_wsw.html?mkt_tok=eyJpIjoiTmpReU9HSXpNV1poWVRoaiIsInQiOiI1bTVuWFZxcERCeTZad3V1N1grdkJOV1FIaSs2ckhUVnJYVzEyZ2pTZGh2cjNpMFpQMnI1YTJONlV5ejR3K1wvTCtwT1Zndjg1b3paZzZMTnAxMWRPc01TdHJaSnY4N1JEd1wvbXlUNEpYZERFPSJ9

Servers:
http://info.kaspersky.nl/ks_ws_ac.html?mkt_tok=eyJpIjoiTmpReU9HSXpNV1poWVRoaiIsInQiOiI1bTVuWFZxcERCeTZad3V1N1grdkJOV1FIaSs2ckhUVnJYVzEyZ2pTZGh2cjNpMFpQMnI1YTJONlV5ejR3K1wvTCtwT1Zndjg1b3paZzZMTnAxMWRPc01TdHJaSnY4N1JEd1wvbXlUNEpYZERFPSJ9
Shadow copy is disabled by all current Crypto variants

Both the products reduce risk by looking specifically for crypto behavior to spot early but are not fully preventative.

It's worth looking at both of Thomas' Ransomware articles on this:
https://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html
https://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
Agrippa (ASKER)
Is this ever going to stop? This is insane.

Only right thing to do is make sure there is a recent backup on a remote site, like Ahsay Online Backup.
I have been testing both BD anti ransomware and MBAM anti ransomware. So far I have tried infecting a computer with several variants of ransomware while protected by MBARW. The worst case scenario is that the ransomware leaves behind the nag screen, while NOT encrypting anything. MBARW is still in beta. For home users, have them install hitmanpro.alert and WinPatrol Pro (Sophos, which acquired SurfRight, is about to release Guardian, a replacement for hitmanpro.alert, that will integrate with the rest of the Sophos suite).
Is this ever going to stop? This is insane.   <-- As I said, nothing you can do, and do not open strange emails (which is normally how you get the virus in the first instance).
In terms of backup,  I highly recommend CrashPlan for home users.  It is free to backup locally and unlimited cloud backup is reasonable.  CP does versioning backup,  so you can go back in time to retrieve an unencrypted version of your files.  Druva's inSync software is similar,  but for business. We use inSync at work,  and It is excellent.
Agrippa (ASKER)
Good one Thomas: Crashplan

Just tested it. There is not a single file in the backup destination folder that has a file extension when the backup is done. I must look into the free cloud storage.

Thing is that I want an escape feature on my customers' PCs without them knowing, because I want them to be responsible for the backup, but it's nice to have a free feature in the background that might save the day.

Also: if Kaspersky reduces the risk with their new feature: it's a nice beginning combined with CrashPlan. However: we need to communicate the risks and "learn" users what NOT to do and make them feel the need for a backup, and that also means: choosing the right backup product. Many home users think they have a backup only because they own a USB HDD, but most of the time the data is ONLY on the USB drive OR the backup is made once a year OR the drive stays connected to the PC permanently so both get infected in the worst case...
Agrippa (ASKER)
One more question:

let's say that for the customer it would be worth 2500 dollars to get the data back, f.i.: if the hard disk was broken (bad sectors). In this case we have the CTB Locker and the hijackers ask 1000 dollars to decrypt the data: would any of you say: well, if money is not a factor: give it a try...

As far as I can see it would be the only (very slight) chance to get the data back.
Giving criminals blackmail money is no guarantee of success. Some people spend the money and succeed and some are very disappointed.
Not everyone gets a decryption key,  those who do have only a 50/50 chance of getting one that doesn't have a malware payload, IMHO. So it is best not to give criminals money,  in general,  and especially ones that may rook you anyway.
Agrippa (ASKER)
Ok John, but in reality (if only 1%) it would be the only chance if you have no backup, isn't it?
Pretty much yes.
Agrippa (ASKER)
I put in a new drive, since I never delete data of a customer. Therefore I gave the encrypted disk (cleaned of the virus) to the customer to save. The PC is freshly installed, but of course with no old data.

We need to teach people to make backups and to learn to recognize dangerous situations.

Thank you all
Thanks for the update. I agree with you.
Agrippa (ASKER)
IMPORTANT UPDATE:

Yesterday I followed a ransomware seminar hosted by 3 specialists who deal with this issue 40 hours per week. They develop anti ransomware toolkits etc. Very interesting seminar. One thing I need to say here on EE. Those experts had seen hundreds of ransom situations and ALL of the people who paid the criminals got their data back. Not a single one who didn't. The seminar was given by specialists hired by our online backup partner. Very trustworthy.

No guarantees from my side, but my faith has grown in giving this a try if all hope is lost. If someone does: please write a comment, I surely will if that time ever comes.
Agrippa (ASKER)
CHECK THIS OUT!

Just found out the webinar is online on Youtube, please check this out, VERY interesting, a real eye opener:

First it is briefly in Dutch, a few minutes later in English since the experts are from the USA:

https://www.youtube.com/watch?v=W7GAOt4womc
ALL of the people who paid the criminals got their data back. Not a single one who didn't

That surprises me. The sample of people may have been from a group that the specialists specifically surveyed. I am not convinced that ALL people from EVERYWHERE got their data back from dishonest crooks.
Agrippa (ASKER)
Hi John,

correct, I agree, my guess is the same. But they know the outcome of hundreds of cases of their own, and everyone who paid got it back. Looking at situations where data loss is not an option there is a fair chance you might get the data back by paying, no guarantees of course. If you follow the webinar you will notice they know a lot about this phenomenon.

Of course the specialists in this case and myself do not promote paying the criminals.
Some ransomware authors really want to restore the data after getting paid, since if no one was able to recover their data no one would pay. That being said you are paying an anonymous person with the hope of getting your data back. The FBI and other police departments don't want you to pay the ransom. Paying the ransom only gives more incentive to the crooks to infect more computers. If no one paid then these attacks would go away. The tactics have changed in the last month from targeting businesses to targeting individuals, and asking for smaller payments but making it up in volume.
"Those experts had seen hundreds of ransom situations and ALL of the people who paid the criminals got their data back. Not a single one who didn't."

This is my understanding too - as David says if when the ransom is paid the hostages aren't released then very soon the act of ransom becomes devalued and no one pays.

The only caveat is there are script kiddies out there who try to re-engineer the Crypto variants and who have no interest in decrypting and just want the Bitcoins in their accounts via Tor
Agrippa (ASKER)
Hi Masq and David,

I understand and agree, but my goal in this case is getting the data back first. That is why this will never stop. People and especially companies who are the victim of ransomware and need their data back at all cost will always pay if all other options are unsuccessful.

If no one would ever pay again: yes, then the problem will die out, but that will never happen. That is also what those experts tell in the webinar: good guys think of something to stop this madness, bad guys will notice and try to get around that barrier. Neverending story.
The only solution is backup, backup backup using separate accounts to areas that the users cannot access.
Agrippa (ASKER)
Hi David,

that is only a solution upfront, before it happens. Since there is no decrypter tool, the only option of getting the data back is by taking the chance of paying.

But of course, for all people who haven't lost their data (yet): backup and try to recognize risks and act accordingly.

There is in fact way more you can do to a certain level, for those interested, watch this, many tips and tricks:

https://www.youtube.com/watch?v=W7GAOt4womc