Virus Attacked Cryptolocker

Posted on 2016-08-04
Medium Priority
Last Modified: 2016-08-29
Our company was attacked by a virus called Cryptolocker.
Can anyone let us know how to solve this step by step?
Question by: ukerandi
LVL 97

Assisted Solution

by: Experienced Member
Experienced Member earned 500 total points (awarded by participants)
ID: 41742373
Step 1. Educate users not to open email and attachments from unknown sources.
Step 2. Isolate all machines from your server, scan for viruses and make certain the machines are virus-free.
Step 3. Recover your server documents from backup.

You cannot ever hope to recover an encrypted file. You must restore from backup.
LVL 12

Assisted Solution

by: Benjamin Voglar
Benjamin Voglar earned 500 total points (awarded by participants)
ID: 41742395
One of our users infected herself just by visiting a webpage (zero-day exploit). She had no admin rights, a fully updated Windows 8.1 and an updated AV program.

If you are running Windows 7, 8 or 10, Windows by default keeps previous versions on drive C.

If you have no previous versions and no backup, you can pay for a decrypt program and hope that it works.
LVL 10

Author Comment

ID: 41742396
How to find affected machines? What is the antivirus software for this?

LVL 97

Expert Comment

by: Experienced Member
ID: 41742399
There is no particular AV for Cryptolocker. All good paid products protect.

To find an infected machine, isolate it and look through local documents. They are likely encrypted.
LVL 12

Assisted Solution

by: Benjamin Voglar
Benjamin Voglar earned 500 total points (awarded by participants)
ID: 41742411
You have to identify what kind of Cryptolocker you are dealing with.

Then google for removal methods.

Some versions of Cryptolocker encrypt network shares too.

What extensions do the encrypted files have?
LVL 31

Accepted Solution

Scott C earned 500 total points (awarded by participants)
ID: 41742419
Many times you will find a .txt or image document in each encrypted folder with instructions on how to "recover" your data.

As stated, restoring from backup is the best way.

If not, and the data is mission critical, and I mean LIVES CAN BE AT STAKE, such as a hospital, etc., then you can try to pay the ransom. This is not suggested as, again, you cannot be sure you will be able to recover the files, and paying the people who did this only encourages them to continue.

But that is a decision YOU will have to make.

A local hospital was hit with ransomware, they paid the 17K and were able to get their data back, but there is no guarantee....you are dealing with criminals after all.
LVL 64

Assisted Solution

btan earned 500 total points (awarded by participants)
ID: 41742579
Suggest you check out the BleepingComputer article, which brings you through the steps.

To do when infected by Cryptolocker:
- Confirm it is Cryptolocker (check out https://id-ransomware.malwarehunterteam.com/).
- Disconnect the infected machine from your wireless or wired network (prevent it from further encrypting any files).
- Recommend that you do not pay the ransom. If you decide not to pay the ransom, you can simply delete the registry values and files and the program will not load anymore (details under the "Known file paths and registry keys used by CryptoLocker" section).
- Restore your data via other methods (see below, listed and found in the article).

In case you want to find all encrypted files: they are actually listed by the ransomware and stored in the registry, so you can use the ListCrilock program to export a human-readable list of these encrypted files from the registry into a text file. See the "How to find files that have been encrypted by CryptoLocker" section for more methods.

The article also suggested that on a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

Also, to determine encrypted files over the network, it is suggested you can examine your network switches and look for the ports that have "heavy" or very "busy" lights that are continuously blinking, as this indicates very heavy traffic. Likely the ransomware is encrypting those files that are accessible in the infected machine's network mapped folder. From there you can trace down the source IP to those computers that may be infected.

For restoration approaches (not 100%, as CL can remove them too), see the sections:
- How to restore files encrypted by CryptoLocker using Shadow Volume Copies
- How to restore files that have been encrypted on DropBox folders

Moving ahead, I suggest a clean build, though you may have done scanning with an alternate AV. See the sections below. Consider using WinAntiRansom or Malwarebytes Anti-Ransomware.
- How to prevent your computer from becoming infected by CryptoLocker
- How to allow specific applications to run when using Software Restriction Policies
LVL 42

Expert Comment

by: Adam Brown
ID: 41742985
The only acceptable way to recover from a Cryptolocker attack is restore from a backup. Most Cryptolocker variants will purge Shadow Copies before running, so don't rely on VSS to save you from these attacks. Protect *all* user accessible shared folders with a full backup suite that stores backups securely.

Don't even think about paying ransom, as doing so both encourages continued development of this kind of attack and puts you at risk of spending money and not getting anything from the attackers. They're already criminals, so they will certainly not care about actually delivering on their promises if you pay them.

It's actually pretty easy to determine which user was attacked by a Cryptolocker if your shared folders get hit. Right click the encrypted file, go to properties, select security tab, select Advanced. Whichever user is shown as the file's "Owner" is the one who got hit. Once that is identified, it's pretty easy to figure out which computers they've used (Ask them) and take them off the network.
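As an added example (not code from any of the answers above, nor from the article btan cites): a PowerShell script that applies the ownership trick from this comment, and btan's note that encrypted files take on the owner of the account the ransomware runs as, to a whole share at once, grouping candidate encrypted files by NTFS owner and reporting the earliest write time per owner. The share path, the suspect extensions and the ransom-note filename pattern are assumed placeholders to be replaced with what you actually observe.

```powershell
# Added triage example: group suspected encrypted files on a share by NTFS owner.
# Placeholders (assumptions, adjust to what you see on the affected share):
param(
    [string]$SharePath = '\\FILESERVER\Share',                 # placeholder share
    [string[]]$SuspectExtensions = @('.encrypted', '.locked')   # placeholder extensions
)

# Candidate files: an observed ransomware extension, or a .txt whose name looks
# like a ransom note (name pattern is an assumption; tune it to the note you found).
$candidates = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        ($SuspectExtensions -contains $_.Extension.ToLower()) -or
        ($_.Extension -eq '.txt' -and $_.Name -match 'DECRYPT|RECOVER|RANSOM')
    }

# NTFS owner of each candidate: the account the ransomware ran under, per the
# answers above. Grouping by owner points at the compromised user account.
$byOwner = $candidates | ForEach-Object {
    [pscustomobject]@{
        Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
        Path     = $_.FullName
        Modified = $_.LastWriteTime
    }
} | Group-Object Owner | Sort-Object Count -Descending

# One line per owner: count, account, and when the encryption run started.
foreach ($g in $byOwner) {
    $first = ($g.Group | Sort-Object Modified | Select-Object -First 1).Modified
    '{0,6} files  owner={1}  earliest write={2}' -f $g.Count, $g.Name, $first
}

# Keep the full list for the incident record before any cleanup or restore.
$byOwner.Group | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'encrypted-files.csv')
```

Run it from an account that can read the share's ACLs; the owner with the bulk of the hits and the earliest write time is the one whose machine to pull off the network first.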
LVL 10

Author Comment

ID: 41751310
Thank you very much for all advice.

I found one of our servers had the same virus, but it's NOT a public shared folder. It's shared only with the
Domain Controller and Administrator. So how did this happen?
LVL 64

Expert Comment

ID: 41751333
Ransomware can encrypt files in unmapped drives as long as the logon account has the privilege to access and map the network shares. Some are even spread and carried by an infected USB which may be plugged into that file server system.
