Cryptolocker Hijack program
Posted 06 September 2013 - 08:38 AM
It is being updated as new information becomes available.
I have a user that shows a popup window for Cryptolocker. I know i can stop it and clean it, but it has all of their files encrypted, and will leave all of their files encrypted. Luckily i have good backup, but i'd really like to beat this thing.
BC AdBot (Login to Remove)
Posted 06 September 2013 - 10:04 AM
I have client who had this happen yesterday afternoon. Waiting to the suspect PC to come in for inspection/troubleshooting. The files that got 'encrypted' were on a network share and used by several folks. It doesn't appear the infection hit the other PCs and they are pulling the files from backups. Will be happy to find out more information about this and will share any info I find.
Posted 06 September 2013 - 10:12 AM
Same thing here. A user got the same popup and a bunch of files on her network mapped drives have been altered. Big pain. Restoring files now but some were changed and not others so it's going to take a while to figure this one out.
Am on the phone with Trend now seeking help.
Posted 06 September 2013 - 10:52 AM
This client had Trend Micro WFBS too... Older version because they have a couple Win2000 machines on the domain but definitions were up to date. I have the suspect PC on my bench now and lots of crapware on this thing...
Posted 06 September 2013 - 11:34 AM
Same here, client infected. May try this approach: http://www.bleepingcomputer.com/virus-removal/remove-everything-on-your-computer-has-been-encrypted
Posted 06 September 2013 - 11:54 AM
Let me know if this works... The encrypted files are on a server but the suspect machine has been pulled from the network.
Posted 06 September 2013 - 11:59 AM
Just got off the phone with Trend. I sent them a copy of the "encrypted" files and also the original plus the infected exe file from the client PC so they can attempt to work out the private key.
I downloaded the program from your link and it did not fix the changed files.
Posted 06 September 2013 - 12:44 PM
I won't get a chance to tackle it until tomorrow morning, but if I can fix it, I will certainly post my findings.
Posted 06 September 2013 - 12:59 PM
Our infected workstation is a very clean Windows 7 virtual workstation. We restored all the damaged files from backup and got the client up and running. I have saved a snapshot of the workstation to troubleshoot the actual infection (even though we don't need to). However I don't know where to start.
Posted 06 September 2013 - 01:03 PM
It's a real pain this one. We are restoring from backup now but there are still files which will have changed which we wont get back. Hopefully trend get back to me with a way to decrypt the files.
Posted 06 September 2013 - 02:52 PM
No updates here. Still restoring files from backup. I have a case escalated with Trend so I will post as soon as I hear back.
Posted 06 September 2013 - 02:57 PM
Yes definately best not to pay. For one I would not trust having the infected machine on the network manipulating your files again. Second, you never know what you are funding.... terrorism etc....