Posted 11 September 2013 - 08:05 AM
as you say it goes against everything, but these photos are worth soo much to us
can you please explain what registry files I need to put back
it is worth the $300 if that's what it takes, and a steep learning curve!
Posted 11 September 2013 - 08:18 AM
Craig, the malware creates a key under HKCU/Software/ called "CryptoLocker". That key contains a Public Key and VersionID value plus a subkey called Files that contains paths to all the actual files it touched with "/" converted to "?".
If the key doesn't exist I would recommend checking to see if ESET did a backup of the registry before cleaning. Otherwise you can check if there is a system restore point after the infection or before the restore. HKCU is contained in the NTUSER.DAT file of the profile, so a last-ditch effort would be to log on as a different user to unlock that file, copy it, and open it with something like YARU that can look for deleted keys.
Good luck sir! Learning experience indeed. We are really hoping this type of attack does not become any more prevalent. As often as we have to remove FBI Hijack or Zero Access we know for a fact we can't stop people from clicking on things.
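As an added illustration of the key layout described in the post above (example code, not from the poster or from any vendor tool): a script that parses a .reg export of the Files subkey, turns the "?" placeholders back into path separators, and counts affected files per drive or share, which gives an administrator the list of what has to come back from backup. The export text is constructed sample data, and the key and value names follow the post's description.

```python
import re
from typing import Dict, List

# Constructed sample .reg export (not a real capture). The value names under
# ...\Files are file paths with every "\" replaced by "?", as described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker]
"VersionID"="0001"
"PublicKey"=hex:30,82,01,0a

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:?Users?craig?Pictures?holiday?IMG_0001.jpg"=dword:00000000
"Z:?Shares?Finance?Q3?budget.xlsx"=dword:00000000
"C:?Users?craig?Documents?notes.docx"=dword:00000000
'''

FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"
VALUE_NAME_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def parse_reg_files_key(reg_text: str, files_key: str = FILES_KEY) -> List[str]:
    """Return the file paths recorded under the Files subkey of a .reg export.
    "?" is not a legal character in Windows file names, so every "?" in a value
    name can safely be mapped back to "\\"."""
    paths: List[str] = []
    in_files_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: only harvest value names while inside the Files key.
            in_files_key = line[1:-1].lower() == files_key.lower()
            continue
        if not in_files_key:
            continue
        m = VALUE_NAME_RE.match(line)
        if not m:
            continue
        # Undo .reg escaping of quotes/backslashes, then restore separators.
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        paths.append(name.replace("?", "\\"))
    return paths


def group_by_drive(paths: List[str]) -> Dict[str, int]:
    """Count affected files per drive letter or UNC share (\\\\server\\share)
    so the admin knows which volumes need restoring from backup."""
    counts: Dict[str, int] = {}
    for p in paths:
        root = "\\".join(p.split("\\")[:4]) if p.startswith("\\\\") else p.split("\\", 1)[0]
        counts[root] = counts.get(root, 0) + 1
    return counts
```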
Posted 11 September 2013 - 08:22 AM
We could remove all mouse buttons..... This could possibly stop people from clicking on ANYTHING!
Posted 11 September 2013 - 08:27 AM
Posted 11 September 2013 - 08:35 AM
the cryptolocker key is still there
if I uninstall my antivirus, and re-click the virus should I just get the pop up again? pay the ransom and files will decrypt?
Posted 11 September 2013 - 08:40 AM
Time to unfollow this post... Was hoping to get guidance on removal/recovering files but getting hammered with garbage. Had my client restore files from backup and the suspect machine has been cleaned. I agree this is a nasty thing and EUs will always end up clicking on attachments no matter how many times they've been told to not open suspicious items. Trend does detect the source file now, too late for this particular client though. Thanks for the guidance folks.
Posted 11 September 2013 - 08:40 AM
Hah...
Unfortunately, this is the new reality. These types of attacks are going to become more and more prevalent.
And there will be an immense outcry from the end users. The occasional ~$100 (USD) service call to remove an annoyance seemed to be acceptable to businesses, and most end users (home). However, I have seen TREMENDOUS push-back from my client base on this, asking how can we prevent it, and why I had not protected them from this. They didn't seem to accept that this (at this time) is unstoppable if they click on something they shouldn't have, and heck, the clients that had a good backup wound up paying MORE than the $300 to have me do a restore and clean-up.
MS or SOMEBODY somewhere will heed this and make a change in the OS or userspace that will block this hopefully, as I find this part of my business extremely distasteful. I make enough money doing legit sys admin work. If this becomes more prevalent I will have to add staff just to deal with this, and the rest of us can actually get legit work done. The malware folks have really poisoned the well with this for themselves.
Man I hate this crap.
Posted 11 September 2013 - 08:43 AM
Posted 11 September 2013 - 08:49 AM
Time to unfollow this post... Was hoping to get guidance on removal/recovering files but getting hammered with garbage. Had my client restore files from backup and the suspect machine has been cleaned. I agree this is a nasty thing and EUs will always end up clicking on attachments no matter how many times they've been told to not open suspicious items. Trend does detect the source file now, too late for this particular client though. Thanks for the guidance folks.
I created the topic, but am doing the same thing. Final TL;DR of this thread
Steps to fix:
1. Remove the infection*
2. Restore your files from backup
3. Train your users not to open unsafe email attachments
* - this video is decent
Edited by admiralnorman, 11 September 2013 - 08:50 AM.
Posted 11 September 2013 - 09:08 AM
Time to unfollow this post... Was hoping to get guidance on removal/recovering files but getting hammered with garbage.
I am really sorry to be the bearer of bad news, but you get all the guidance you need in this topic; the most important one should be BACKUP. This isn't the first ransomware that encrypts files in such a way that they are unrecoverable without the encryption key, and especially in the corporate world, where data equals money, people shouldn't take preventive measures lightly and should invest in a good backup solution they can fall back on.
No matter where you go, decrypting the files is impossible. If you're lucky you can restore them from the volume shadow copies, but more than that isn't possible at this point. This is not because people don't investigate this, but because of the way files are encrypted. I understand this is not what you want to hear, but it is what it is.
Malware analyst @ Emsisoft | Follow me on Twitter
Posted 11 September 2013 - 09:25 AM
In our case, the end user tried to "fix" a piece of software we normally use that had stopped working (cute pdf writer), unknown to me at the time. This was approx end of August. They had selected a download link that resulted in additional crap-ware with it. I cleaned what I believed was all of it once I was made aware. That user was out the first week of Sept. The machine sat idle with no one using it. Sometime on Saturday 9.7 early (like 2am) it executed, as if on some sort of timer. I had blocked all attachments that were exe or zip in nature at our mail server some time ago, so I'm certain it didn't come through email. By Monday the 9th that machine and the mapped shares it pointed to were encrypted, including the daily backup for Sunday. Fortunately we maintain daily, weekly, and monthly backups for disaster recovery.
I am curious though. Our infection began at an XP workstation. If it had been a win7, I'm wondering if UAC would have stopped it? Anybody seen this on a win7 machine that had UAC on?
Posted 11 September 2013 - 09:28 AM
Yes, all of my infections were on win7 64
Posted 11 September 2013 - 10:07 AM
In our case, the end user tried to "fix" a piece of software we normally use that had stopped working (cute pdf writer), unknown to me at the time. This was approx end of August. They had selected a download link that resulted in additional crap-ware with it. I cleaned what I believed was all of it once I was made aware. That user was out the first week of Sept. The machine sat idle with no one using it.
I am curious though. Our infection began at an XP workstation. If it had been a win7, I'm wondering if UAC would have stopped it? Anybody seen this on a win7 machine that had UAC on?
Posted 11 September 2013 - 10:12 AM
Hi Grinler, I cannot get a copy of the malware from the previous link above, my ISP is not agreeable with the site, is there anywhere else I can get a copy from?
I apologise if I am upsetting other users with my posts, but I am desperate to try and recoup my files, and so will try anything, even re-infecting
Drastic and desperate
Posted 11 September 2013 - 10:20 AM
@Craig, just sent you a message.
Edited by kenoindallas, 11 September 2013 - 10:20 AM.