Cryptolocker Hijack program

3165 replies to this topic

#1 admiralnorman (Members, 11 posts)

Posted 06 September 2013 - 08:38 AM

Note: For the latest information on CryptoLocker, please see this guide/FAQ: CryptoLocker Ransomware Information and FAQ

It is being updated as new information becomes available.

--Grinler

I have a user that shows a popup window for Cryptolocker. I know I can stop it and clean it, but it has all of their files encrypted, and will leave all of their files encrypted. Luckily I have good backup, but I'd really like to beat this thing.

Screenshot attached.

[Attached screenshot: QjqBDRr.jpg]



#2 All8up (Members, 8 posts)

Posted 06 September 2013 - 10:04 AM

I have a client who had this happen yesterday afternoon. Waiting for the suspect PC to come in for inspection/troubleshooting. The files that got 'encrypted' were on a network share and used by several folks. It doesn't appear the infection hit the other PCs and they are pulling the files from backups. Will be happy to find out more information about this and will share any info I find.



#3 All8up (Members, 8 posts)

Posted 06 September 2013 - 10:07 AM

It also appears the link in the "Here are the files..." line references "http://viewfiles/", which means it has the list kept local.



#4 jonathan020 (Members, 14 posts)

Posted 06 September 2013 - 10:12 AM

Same thing here. A user got the same popup and a bunch of files on her network mapped drives have been altered. Big pain. Restoring files now but some were changed and not others so it's going to take a while to figure this one out.

Am on the phone with Trend now seeking help.



#5 All8up (Members, 8 posts)

Posted 06 September 2013 - 10:52 AM

This client had Trend Micro WFBS too... Older version because they have a couple Win2000 machines on the domain but definitions were up to date. I have the suspect PC on my bench now and lots of crapware on this thing...



#6 boomer93 (Members, 3 posts)

Posted 06 September 2013 - 11:34 AM

Same here, client infected. May try this approach: http://www.bleepingcomputer.com/virus-removal/remove-everything-on-your-computer-has-been-encrypted



#7 All8up (Members, 8 posts)

Posted 06 September 2013 - 11:54 AM

Let me know if this works... The encrypted files are on a server but the suspect machine has been pulled from the network.



#8 jonathan020 (Members, 14 posts)

Posted 06 September 2013 - 11:59 AM

Just got off the phone with Trend. I sent them a copy of the "encrypted" files and also the original plus the infected exe file from the client PC so they can attempt to work out the private key.

I downloaded the program from your link and it did not fix the changed files.



#9 boomer93 (Members, 3 posts)

Posted 06 September 2013 - 12:44 PM

I won't get a chance to tackle it until tomorrow morning, but if I can fix it, I will certainly post my findings.



#10 admiralnorman (Topic Starter, Members, 11 posts)

Posted 06 September 2013 - 12:59 PM

Our infected workstation is a very clean Windows 7 virtual workstation. We restored all the damaged files from backup and got the client up and running. I have saved a snapshot of the workstation to troubleshoot the actual infection (even though we don't need to). However, I don't know where to start.



#11 jonathan020 (Members, 14 posts)

Posted 06 September 2013 - 01:03 PM

It's a real pain, this one. We are restoring from backup now but there are still files which will have changed which we won't get back. Hopefully Trend gets back to me with a way to decrypt the files.



#12 proapp (Members, 35 posts)

Posted 06 September 2013 - 02:46 PM

Any updates? Has anyone actually paid the ransom?

#13 jonathan020 (Members, 14 posts)

Posted 06 September 2013 - 02:52 PM

No updates here. Still restoring files from backup. I have a case escalated with Trend so I will post as soon as I hear back.



#14 boomer93 (Members, 3 posts)

Posted 06 September 2013 - 02:54 PM

I would not recommend paying the ransom.



#15 jonathan020 (Members, 14 posts)

Posted 06 September 2013 - 02:57 PM

Yes, definitely best not to pay. For one, I would not trust having the infected machine on the network manipulating your files again. Second, you never know what you are funding.... terrorism etc....
