Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Original Cryptolocker Ransomware Support and Help Topic


  • Please log in to reply
3457 replies to this topic

#106 Craig Herbert

Craig Herbert

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 11 September 2013 - 08:05 AM

as you say it goes against everything, but these photos are worth soo much to us

 

can you please explain what registry files I need to put back

 

it is worth the $300 if that's what it takes, and a steep learning curve!



BC AdBot (Login to Remove)

 


#107 kenoindallas

kenoindallas

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 11 September 2013 - 08:18 AM

Craig, the malware creates a key under HKCU/Software/ called "CryptoLocker".  That key contains a Public Key and VersionID value plus a sub key called Files that contains paths to all the actual files it touched with "/" converted to "?".

 

If the key doesn't exist I would recommend checking to see if ESET did a backup of the registry before cleaning.  Otherwise you can check if there is a system restore point after the infection or before the restore.  HKCU is contained in the NTUSER.DAT file of the profile, so last ditch effort would be log on as a different user to unlock that file, copy it, and open it with something like YARU that can look for deleted keys.

 

Good luck sir!  Learning experience indeed.  We are really hoping this type of attack does not become any more prevalent.  As often as we have to remove FBI Hijack or Zero Access we know for a fact we can't stop people from clicking on things.



#108 proapp

proapp

  •  Avatar image
  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 11 September 2013 - 08:22 AM

We could remove all mouse buttons..... This could possibly stop people from clicking on ANYTHING!



#109 Grinler

Grinler

    Lawrence Abrams


  •  Avatar image
  • Admin
  • 45,209 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:52 AM

Posted 11 September 2013 - 08:27 AM

Hah...

Unfortunately, this is the new reality. These types of attacks are going to become more and more prevalent.

#110 Craig Herbert

Craig Herbert

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 11 September 2013 - 08:35 AM

the cryptolocker key is still there

 

if I uninstall my antivirus, and re-click the virus should I just get the pop up again? pay the ransom and files will decrypt?



#111 All8up

All8up

  •  Avatar image
  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 11 September 2013 - 08:40 AM

Time to unfollow this post... Was hoping to get guidance on removal/recovering files but getting hammered with garbage. Had my client restore files from backup and the suspect machine has been cleaned. I agree this is a nasty thing and EUs will always end up clicking on attachments no matter how many times they've been told to not open suspicious items. Trend does detect the source file now, too late for this particular client though. Thanks for the guidance folks.



#112 Chuck Sp

Chuck Sp

  •  Avatar image
  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 11 September 2013 - 08:40 AM

Hah...

Unfortunately, this is the new reality. These types of attacks are going to become more and more prevalent.

 

And there will be an immense outcry from the end users.  The occasional ~$100 (USD) service call to remove an annoyance seemed to be acceptable to businesses, and most end users (home).  However, I have seen TREMENDOUS push-back from my client base on this, asking how can we prevent it, and why I had not protected them from this.  They didnt seem to accept that this (at this time) is unstoppable if they click on something they shouldnt have, and heck, the clients that had a good backup wound up paying MORE than the $300 to have me do a restore and clean-up.

 

MS or SOMEBODY somewhere will heed this and make a change in the OS or userspace that will block this hopefully, as I find this part of my business extremely distasteful.  I make enough money doing legit sys admin work.  If this becomes more prevalent I will have to add staff just to deal with this, and the rest of us can actually get legit work done.  The malware folks have really poisoned the well with this for themselves.

 

Man I hate this crap.



#113 kenoindallas

kenoindallas

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 11 September 2013 - 08:43 AM

Craig, yes that is what we did. For our case at least that method worked.

I should have bought bitcoins when they were cheap. The author acceps that too. :-/

#114 admiralnorman

admiralnorman
  • Topic Starter

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:52 AM

Posted 11 September 2013 - 08:49 AM

Time to unfollow this post... Was hoping to get guidance on removal/recovering files but getting hammered with garbage. Had my client restore files from backup and the suspect machine has been cleaned. I agree this is a nasty thing and EUs will always end up clicking on attachments no matter how many times they've been told to not open suspicious items. Trend does detect the source file now, too late for this particular client though. Thanks for the guidance folks.

 

I created the topic, but am doing the same thing. Final TL;DR of this thread

 

Steps to fix:

1. Remove the infection*

2. Restore your files from backup

3. Train your users not to open unsafe email attachements

 

* - this video is decent 


Edited by admiralnorman, 11 September 2013 - 08:50 AM.


#115 Elise

Elise

    Bleepin' Blonde


  •  Avatar image
  • Malware Study Hall Admin
  • 65,974 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:52 AM

Posted 11 September 2013 - 09:08 AM

 

Time to unfollow this post... Was hoping to get guidance on removal/recovering files but getting hammered with garbage.

 

 

I am really sorry to be the bearer of bad news, but you get all guidance you need in this topic, the most important one should be BACKUP. This isn't the first ransomware that encrypts files in such a way that they are unrecoverable without the encryption key and especially in the corporate world, where data equals money people shouldn't take preventive measures lightly and invest in a good backup solution they can fall back on.

 

No matter where you go, decrypting the files is impossible. If you're lucky you can restore them from the volume shadow copies but more than that isn't possible at this point. this is not because people don't investigate this, but because of the way files are encrypted. I understand this is not what you want to hear, but it is what it is.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter 


Malware analyst @ Emsisoft | Follow me on Twitter


animinionsmalltext.gif


#116 rsiadmin

rsiadmin

  •  Avatar image
  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 11 September 2013 - 09:25 AM

In our case, the end user tried to "fix" a piece of software we normally use that had stopped working (cute pdf writer), unknown to me at the time. This was approx end of August. They had selected a download link that resulted in additional crap-ware with it. I cleaned what I believed was all of it once I was made aware. That user was out the first week of Sept. the machine sat idle with no-one using it. Sometime on Saturday 9.7 early (like 2am) it executed, as if on some sort of timer. I had blocked all attachments that were exe or zip in nature at our mail server some time ago, so I'm certain it didn't come thru email. By Monday the 9th that machine and the mapped shares it pointed to were encrypted, including the daily back up for Sunday. Fortunately we maintain daily, weekly, and monthly back ups for disaster recovery.  

I am curious though. Our infection began at a XP workstation. If it had been a win7, I'm wondering if UAC would have stopped it? Anybody seen this on a win7 machine that had UAC on?



#117 Chuck Sp

Chuck Sp

  •  Avatar image
  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 11 September 2013 - 09:28 AM

Yes, all of my infections were on win764



#118 Grinler

Grinler

    Lawrence Abrams


  •  Avatar image
  • Admin
  • 45,209 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:52 AM

Posted 11 September 2013 - 10:07 AM

In our case, the end user tried to "fix" a piece of software we normally use that had stopped working (cute pdf writer), unknown to me at the time. This was approx end of August. They had selected a download link that resulted in additional crap-ware with it. I cleaned what I believed was all of it once I was made aware. That user was out the first week of Sept. the machine sat idle with no-one using it.


I seriously doubt the vector was from a download that had crap-ware in it. This is a fairly new infection and not something that would sit dormant. Takes only a few minutes for it to kick in after being run when I tested it (multiple times).

I am curious though. Our infection began at a XP workstation. If it had been a win7, I'm wondering if UAC would have stopped it? Anybody seen this on a win7 machine that had UAC on?


From what I understand, as long as the user had read/write access to the files it could encrypt it without admin privs.

#119 Craig Herbert

Craig Herbert

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 11 September 2013 - 10:12 AM

Hi Grinler, I cannot get a copy of the malware from the previous link above, my isp is not agreeable with the site, is there anywhere else I can get a copy from?

 

I apologise if I am upsetting other users with my posts, but I am desperate to try and recoup my files, and so will try anything, even re-infecting

 

Drastic and desperate



#120 kenoindallas

kenoindallas

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 11 September 2013 - 10:20 AM

@Craig, just sent you a message.


Edited by kenoindallas, 11 September 2013 - 10:20 AM.





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users