Cryptolocker virus attack

Our company was attacked by a virus called Cryptolocker.
Can anyone let us know how to solve this step by step?
Scott C, Senior Systems Engineer, commented:
Many times you will find a .txt or image document in each encrypted folder with instructions on how to "recover" your data.

As stated, restoring from backup is the best way.

If not, and the data is mission critical, and I mean LIVES CAN BE AT STAKE, such as a hospital, etc., then you can try to pay the ransom. This is not suggested as, again, you cannot be sure you will be able to recover the files, and paying the people who did this only encourages them to continue.

But that is a decision YOU will have to make.

A local hospital was hit with ransomware; they paid the 17K and were able to get their data back, but there is no guarantee, you are dealing with criminals after all.
John, Business Consultant (Owner), commented:
Step 1. Educate users not to open email and attachments from unknown sources.
Step 2. Isolate all machines from your server, scan for viruses and make certain the machines are virus-free.
Step 3. Recover your server documents from backup.

You cannot ever hope to recover an encrypted file. You must restore from backup.
Benjamin Voglar, IT Pro, commented:
One of our users infected herself just by visiting a webpage (zero-day exploit). She had no admin rights, a fully updated Windows 8.1 and an updated AV program.

If you are running Windows 7, 8 or 10, Windows by default keeps previous versions on drive C.

If you have no previous versions and no backup, you can pay for the decrypt program and hope that it works.
ukerandi (Author) commented:
How do we find affected machines? What is the antivirus software for this?
John, Business Consultant (Owner), commented:
There is no particular AV for Cryptolocker. All good paid products protect against it.

To find an infected machine, isolate it and look through local documents. They are likely encrypted.
Benjamin Voglar, IT Pro, commented:
You have to identify what kind of Cryptolocker you are dealing with.

Then google for removal methods.

Some versions of Cryptolocker encrypt network shares too.

What extensions do the encrypted files have?
btan, Exec Consultant, commented:
I suggest you check out the BleepingComputer article, which walks through the steps.

What to do when infected by Cryptolocker:
-Confirm it is Cryptolocker (check out the
-Disconnect the infected machine from your wireless or wired network (prevent it from further encrypting any files).
-Recommend that you do not pay the ransom. If you decide not to pay the ransom, you can simply delete the registry values and files and the program will not load anymore (details under the "Known file paths and registry keys used by CryptoLocker" section).
-Restore your data via other methods (see below, listed and found in the article).

In case you want to find all encrypted files: they are actually listed by the ransomware and stored in the registry, and you can use the ListCrilock program to export a human-readable list of these encrypted files from the registry into a text file. See the "How to find files that have been encrypted by CryptoLocker" section for more methods.

The article also notes that on a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

Also, to determine encrypted files over the network, it is suggested that you examine your network switches and look for the ports that have "heavy" or very "busy" lights that are continuously blinking, as this indicates very heavy traffic. Likely the ransomware is encrypting those files that are accessible in the infected machine's network-mapped folders. From there you can trace down the source IP to the computers that may be infected.

For restoration approaches (not 100%, as CL can remove them too), see the sections:
-How to restore files encrypted by CryptoLocker using Shadow Volume Copies
-How to restore files that have been encrypted on DropBox folders

Moving ahead, I suggest a clean build, though you may have done scanning with an alternate AV. See the sections below. Consider use of WinAntiRansom or Malwarebytes Anti-Ransomware.
-How to prevent your computer from becoming infected by CryptoLocker
-How to allow specific applications to run when using Software Restriction Policies
Adam Brown, Sr Solutions Architect, commented:
The only acceptable way to recover from a Cryptolocker attack is to restore from a backup. Most Cryptolocker variants will purge Shadow Copies before running, so don't rely on VSS to save you from these attacks. Protect *all* user-accessible shared folders with a full backup suite that stores backups securely.

Don't even think about paying ransom, as doing so both encourages continued development of this kind of attack and puts you at risk of spending money and not getting anything from the attackers. They're already criminals, so they will certainly not care about actually delivering on their promises if you pay them.

It's actually pretty easy to determine which user was attacked by a Cryptolocker if your shared folders get hit. Right-click the encrypted file, go to Properties, select the Security tab, select Advanced. Whichever user is shown as the file's "Owner" is the one who got hit. Once that is identified, it's pretty easy to figure out which computers they've used (ask them) and take them off the network.
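Both btan's note that encrypted files take on the ownership of the account the ransomware ran under and Adam's right-click-Properties check can be scripted over a whole share, so the responder gets one table of owners and a timeline instead of inspecting files one by one; the PowerShell below is an added example, not code from the thread or from the BleepingComputer article. The share path, the extension list and the ransom-note file names are placeholders to replace with what you observe in your own incident (the original CryptoLocker left extensions unchanged, which is why the script also matches on the ransom-note file names that Scott C mentions).

```powershell
# Added example: inventory files on a share that look encrypted by a CryptoLocker-style
# infection and group them by NTFS owner, since the owner is usually the account the
# ransomware was running under. Run read-only from a clean admin workstation.
# Assumptions: $SharePath, $SuspectExtensions and $NoteNames are placeholders.
param(
    [string]$SharePath = '\\FILESERVER\Shared',                        # placeholder share
    [string[]]$SuspectExtensions = @('.encrypted', '.locked'),        # placeholder extensions
    [string[]]$NoteNames = @('DECRYPT_INSTRUCTIONS.txt', 'HOW_TO_RECOVER.txt')  # placeholders
)

# Collect every file that carries a suspect extension or is a ransom note.
$hits = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $SuspectExtensions -contains $_.Extension -or $NoteNames -contains $_.Name
    }

# Attach the NTFS owner to each hit; Get-Acl fails on paths we lack rights to read.
$report = foreach ($f in $hits) {
    try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { $owner = '<unknown>' }
    [pscustomobject]@{
        Owner    = $owner
        Path     = $f.FullName
        Modified = $f.LastWriteTime
    }
}

# Summary: which account owns the most affected files, and when the activity started and
# stopped. The top owner is the user whose workstation should be pulled off the network.
$report | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'FirstSeen'; e = { ($_.Group | Measure-Object Modified -Minimum).Minimum } },
        @{ n = 'LastSeen';  e = { ($_.Group | Measure-Object Modified -Maximum).Maximum } } |
    Format-Table -AutoSize

# Full list, oldest first, for the incident record and for scoping the restore from backup.
$report | Sort-Object Modified | Export-Csv -NoTypeInformation -Path '.\encrypted-files.csv'
```

The FirstSeen column also tells you which backup generation predates the encryption, which is what the restore-from-backup advice in this thread needs.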
ukerandi (Author) commented:
Thank you very much for all advice.

I found one of our servers had the same virus, but it's NOT a public shared folder. It's shared only with the
Domain Controller and Administrator. So how did this happen?
btan, Exec Consultant, commented:
Ransomware can encrypt files in unmapped drives as long as the logon account has the privilege to access and map the network shares. Some are even spread and carried by a USB that is infected and may be plugged into that file server system.