
Crypto Locker has made it onto network share drive


14 replies to this topic

#1 SysAdminBadger

SysAdminBadger

  • Members
  • 6 posts

Posted 07 September 2013 - 09:38 AM

Please see this topic for more information about CryptoLocker: http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/


I have a customer that has had a PC infected with the Crypto Locker malware and it has encrypted all of the files on the PC as well as onto the network share.  The big issue is that this user was a member of the network admin group and had access to everything.
 
I have been unable to find much if any information on Crypto Locker, nor can I find a tool to clean or decrypt the files.
 
Any help with this would be greatly appreciated.
 
Please do not reply to this post unless you have constructive information as to how to resolve the problem.  If you have the same issue, either open your own thread or "watch" this one for a possible resolution.

Edited by Grinler, 11 September 2013 - 12:54 PM.



 


#2 SysAdminBadger

SysAdminBadger
  • Topic Starter

  • Members
  • 6 posts

Posted 07 September 2013 - 10:44 AM

Update:   The infected PC no longer shows the dialog box to pay the ransom.  The timer ran out and now it is gone.  I can find no trace of it, but the files are still inaccessible.

 

I believe that I may be screwed.   The ransomware stated that it used an RSA_2048 encryption.

 

Any ideas?



#3 Queen-Evie

Queen-Evie

    Official Bleepin' G.R. I. T.S. (and proud of it)


  • Global Moderator
  • 9,388 posts

Posted 07 September 2013 - 11:21 AM

 

 

Please do not reply to this post unless you have constructive information as to how to resolve the problem.  If you have the same issue, either open your own thread or "watch" this one for a possible resolution.

 

Constructive information is subjective. What may be constructive to one person may not be to another. All we can do is present the information. It is up to you to try it or reject it.

 

You will have to be the one to determine if it is indeed constructive.

 

Yes, others with the same issue should start a new topic. However, we do have members who are new and not familiar with the way a forum works. It's a fact of forum life that others will make a "me too" post in an existing topic.



#4 SysAdminBadger

SysAdminBadger
  • Topic Starter

  • Members
  • 6 posts

Posted 07 September 2013 - 11:26 AM

I mean no disrespect in my post. I was just following the advice of a posted member in that too many posts make help harder to get because it makes things appear as though I am being helped when the posts are just "yeah I have this issue too". In the original topic, I was not seeing any true advice, so I started this one on that premise. I need assistance badly and was just trying to help my efforts.



#5 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,778 posts

Posted 07 September 2013 - 11:28 AM

Read http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/

 

Post #90 has a decryption tool that was written by Fabian Wosar, but I strongly suggest you read the whole thread first to inform yourself of the state of these encryption viruses and what can be done.


**** We use our powers for good, not evil ****
When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo


#6 Queen-Evie

Queen-Evie

    Official Bleepin' G.R. I. T.S. (and proud of it)


  • Global Moderator
  • 9,388 posts

Posted 07 September 2013 - 11:42 AM

I mean no disrespect in my post. I was just following the advice of a posted member in that too many posts make help harder to get because it makes things appear as though I am being helped when the posts are just "yeah I have this issue too". In the original topic, I was not seeing any true advice, so I started this one on that premise. I need assistance badly and was just trying to help my efforts.

 

I know you meant no disrespect. It is true that "me too" posts and all the replies to them and the original post can get confusing. Sometimes a gentle reminder is needed to let people know proper procedure.

 

The main point I wanted to make concerns constructive information since we have no way to know what YOU would consider constructive.



#7 ejaffe

ejaffe

  • Members
  • 4 posts

Posted 09 September 2013 - 11:40 AM

I know it sucks, but if you pay, this one actually repairs the files. Then you can uninstall the virus. We tried everything and ultimately went and bought a prepaid visa card and paid, and the darn thing decrypted the files.



#8 Swerve2014

Swerve2014

  • Members
  • 2 posts

Posted 09 September 2013 - 12:40 PM

Some users are saying pay the ransom, but then again I'm attempting to figure out if that is the creator of the virus trying to sway people into paying the ransom fee... Like the guy above, ejaffe. Did you really pay it, and why? Are you 100% sure it worked? This virus creator is an evil genius, but I need this problem to be fixed...

Please advise.



#9 Swerve2014

Swerve2014

  • Members
  • 2 posts

Posted 09 September 2013 - 12:47 PM

I know it sucks, but if you pay, this one actually repairs the files. Then you can uninstall the virus. We tried everything and ultimately went and bought a prepaid visa card and paid, and the darn thing decrypted the files.

Please advise on my previous post, EJaffe.



#10 ejaffe

ejaffe

  • Members
  • 4 posts

Posted 09 September 2013 - 02:18 PM

I am dead serious. We paid it and it worked. We do IT for a living (www.integritycsg.com). We had 1 client who lacked proper backup; we tried everything possible to recover, and thinking there was about a 2% chance of paying it and it working, we did it as a last resort. I am telling you the client is working this morning, virus free. I'm totally shocked that it worked but it did. We bought a $100 pre-paid visa card so as to not get burned beyond the $100.



#11 trinitytx

trinitytx

  • Members
  • 1 posts

Posted 02 October 2013 - 03:02 PM

I have it on one of my clients' network shares.  They have no backup.  They are willing to pay.  Who do we pay?



#12 dintegrity

dintegrity

  • Members
  • 13 posts

Posted 02 October 2013 - 09:27 PM

We have had this happen today on a client's network. Of course we eliminated the malware/virus on the desktop before realizing that the network share files are now encrypted. The client would pay (restore from backups not an option - there are none). Knowing that you had only 1 hour to pay the ransom - this was dismissed originally. Now it's how do we pay to get files unencrypted.

 

Any suggestion would help. Funny how there is no answer to this by the big players - Symantec, Microsoft, Trend Micro, etc.



#13 dintegrity

dintegrity

  • Members
  • 13 posts

Posted 09 October 2013 - 07:59 PM

If someone knew how this cryptolocker worked and read these forums, they would have told me on my original post above on Oct 2 to go ahead and re-infect the PC, which can be done because you can reverse mbam and combofix. I would have had until Sat morning Oct 5 to pay the ransom and get back 20,000 files. I don't mean to moan too much, but part of the problem with IT and forums like this is nobody actually troubleshoots with creative ideas. We re-infected the PC on Monday but the Cryptolocker virus came up and stated you have no time left 00:00:00. It promptly removed itself from the registry entries 30 seconds later. If only I did this on last Thursday or Friday I could have had the option to pay. I see on other topics of this Cryptolocker here and everyone is running in circles. Even with all the cryptolocker posts here I would expect moderators of Bleeping Computers to put 2 and 2 together. I wish someone would have told me on Wednesday night or Thursday or Friday what I found out on Monday, see below:

 

If you have been recently infected, no good backups - re-introduce the infection (you have 72 hours), get the cryptolocker running and pay if you have no alternatives.



#14 emc74

emc74

  • Members
  • 10 posts

Posted 20 October 2013 - 05:29 AM

What about doing a system restore to reinfect the PC and change the BIOS date and time? Would that then allow the payment to be made, do you think?



#15 noknojon

noknojon

    Almost Retired


  • Members
  • 9,860 posts

Posted 20 October 2013 - 06:03 AM

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/#entry3150230

Hello -

Please note that the above topic is the Main CryptoLocker topic on this forum and is better for all combined ideas to stay there. Some headway has been made, but this contains 99% of the related information for you. There have been about 850 entries in this area, so 3 or 5 in this area will not help the main topic.

 

Am I Infected area is generally kept for the smaller domestic infections.

 

Thank You - :)

 

If I am wrong a Moderator or Admin will correct it -





