Cryptolocker Update, Request for Info
It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong. In essence, after infection it encrypts all of your "document" files, selected by file extension, and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC). It is one of the few pieces of ransomware that does encryption correctly, so at present, short of paying the ransom, there is no other means to decrypt. Bleeping Computer has a good write-up, but below are the TL;DR highlights.
If you are infected and your files are encrypted (and you have no backups) there is a very limited means to restore files using Microsoft's Shadow Volume Copies (Windows XP SP2 or better). In essence, previous versions of files still persist on a system and can be recovered manually or by using a tool like Shadow Explorer.
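The shadow-copy recovery described above, carried out from an elevated PowerShell prompt, as an added example that is not part of the diary or the Bleeping Computer guide. It enumerates the shadow copies for the C: volume, exposes the newest one as a directory, and copies a single file out of it; the file path and destination folder are assumed for illustration.

```powershell
# Added example (not from the diary or Bleeping Computer): recover one file
# from the most recent Volume Shadow Copy of C:. Run as Administrator.
$FileToRecover = 'C:\Users\alice\Documents\report.docx'   # assumed path
$Destination   = 'C:\Recovered'                            # assumed folder

# 1. Find the volume object for C: and list its shadow copies, newest first,
#    so you can choose a snapshot taken before the infection.
$vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $vol.DeviceID } |
           Sort-Object -Property InstallDate -Descending
$shadows | Format-Table InstallDate, DeviceObject -AutoSize

if (-not $shadows) { throw 'No shadow copies exist for C:; nothing to recover from.' }

# 2. Expose the newest snapshot as a directory. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and mklink needs the
#    trailing backslash.
$newest = $shadows | Select-Object -First 1
$mount  = 'C:\shadow_mount'
cmd.exe /c mklink /d $mount "$($newest.DeviceObject)\" | Out-Null

# 3. The tree inside the snapshot mirrors the live volume minus the drive
#    letter, so strip 'C:\' and copy the pre-encryption version out.
$relative = $FileToRecover.Substring(3)
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
Copy-Item -Path (Join-Path $mount $relative) -Destination $Destination

# 4. Remove the link; the snapshot itself is left untouched.
cmd.exe /c rmdir $mount | Out-Null
```

Pick the snapshot by InstallDate rather than blindly taking the newest if the machine has run for a while since infection, since a snapshot created after encryption will only contain the encrypted copies. The same mount-and-copy step can be repeated over a whole directory tree with Copy-Item -Recurse.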
Other than that, there is no means currently available for recovery (besides paying). Reinfecting once the timer runs out does not reset the timer and there have been no reports of recovery after an appreciable amount of time has passed after the 72 hours. (Some limited amount of clock games might help at the margins, but the bad guys say they delete and purge keys and there is no evidence this is not true).
There are some GPO settings you can deploy to prevent this kind of infection, and for the most part these settings are best practices independent of Cryptolocker. Basically, you can prevent execution of executables in temp directories; the details are at Bleeping Computer.
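A local equivalent of the path rules such a GPO would push, written as an added example that is not the diary's or Bleeping Computer's own configuration. It creates Software Restriction Policy "Disallowed" path rules in the registry for the per-user temp folders (the Windows XP and Vista/7/8 paths quoted in the comments); the registry layout is the documented SRP location, the rule description text is assumed, and the third wildcard rule covers one extra directory level, which is this example's generalization rather than something the diary specifies.

```powershell
# Added example (not from the diary or Bleeping Computer): local SRP path rules
# that block .exe launches from the user temp folders. Test on a lab machine
# before rolling out; a GPO with the same rules is the production route.
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

New-Item -Path $safer -Force | Out-Null
# Default level Unrestricted: everything runs except the paths listed below.
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0             -Type DWord  # 0 = all users

# Path rules. Only temp locations, as the diary describes; assumed wildcards.
$rules = @(
    '%UserProfile%\Local Settings\Temp\*.exe',   # Windows XP temp folder
    '%LocalAppData%\Temp\*.exe',                 # Vista/7/8 temp folder
    '%LocalAppData%\Temp\*\*.exe'                # one level down (archive extraction dirs)
)

$pathKey = "$safer\$Disallowed\Paths"
New-Item -Path $pathKey -Force | Out-Null
foreach ($r in $rules) {
    # Each rule lives under its own GUID-named subkey.
    $ruleKey = Join-Path $pathKey ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $r -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0  -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value 'Block executables in temp folders' -Type String
}
"$($rules.Count) Disallowed path rules written under $pathKey"
```

Rules take effect after a policy refresh or logoff; verify with a harmless test binary copied into %LocalAppData%\Temp, which should be refused with the "blocked by group policy" message. Blocked launches are also logged as SRP events in the Application log, which is a useful detection signal on its own.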
There are varying ways that systems become infected: at one point it was UPS/FedEx-style spam; now it seems to be coming down with Zbot and other associated tools. At this point anti-virus has decent detection, so keeping it up to date is a significant help.
Apparently the attackers are also paying attention to various forums, but there is no direct way to communicate with them.
REQUEST: If you or your organization has paid the ransom to decrypt, we would like to talk to you (anonymously) about the experience. Please write in directly to bambenek /at/ gmail.com
--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting
Comments
The default ruleset for Suricata in my Security Onion caught the traffic and I ran down and shut down the machine before much had been encrypted.
This should concern anyone who has mapped network shared drives with write access.
http://techhelplist.com/index.php/spam-list/352-message-from-corporate-scanner-virus
Anonymous
Oct 22nd 2013
In tests so far, it works very well and I plan on installing it network wide tomorrow after a final verification that our other apps run properly and are not affected in any way.
Anonymous
Oct 22nd 2013
Anonymous
Oct 22nd 2013
('When we visited this site, we found it exhibited one or more risky behaviors.')
Anonymous
Oct 23rd 2013
Path if using Windows XP: %UserProfile%\Local Settings\Temp\
Path if using Windows Vista/7/8: %LocalAppData%\Temp\
I have updated the guide at BC to include this update.
Anonymous
Oct 23rd 2013
Anonymous
Oct 24th 2013
He then backed up those files and did a wipe and reinstall. (His customer was a business and he has a policy that businesses do not get 'virus cleaning'; businesses get 'data recovered as much as possible followed by OS rebuild'.)
He has seen the real deal before, none of his customers have paid the fees however. I did ask him if he sees it again to save the fake!cryptolocker files rather than deleting them for submission to various security peoples.
Anonymous
Oct 28th 2013