Original Cryptolocker Ransomware Support and Help Topic



#301 toubis

Posted 17 September 2013 - 12:14 PM

A user just got hit with this Cryptolocker program, so I disconnected it from the network. It affected a few shared folders, but I was able to restore them from backup. So now the PC is on a countdown. My boss is insisting on paying the $300, but I am hesitant to connect the machine back to the network (since I already restored the affected files). Maybe I'll connect it to my Verizon hotspot and see what happens.



#302 EagleComputerRepair

Posted 17 September 2013 - 12:39 PM

A user just got hit with this Cryptolocker program, so I disconnected it from the network. It affected a few shared folders, but I was able to restore them from backup. So now the PC is on a countdown. My boss is insisting on paying the $300, but I am hesitant to connect the machine back to the network (since I already restored the affected files). Maybe I'll connect it to my Verizon hotspot and see what happens.

If you have the files recovered, there is absolutely no good reason to pay the ransom. No sane technician would trust the system; cleaning that particular virus is extremely easy. In theory, when the timer runs out, the virus removes itself, leaving only the damage of the files being encrypted (I still wouldn't trust it without numerous thorough scans first). It is believed at least one of the vectors of this virus is to travel from a botnet.

From what we know of the virus, the damage is done; paying the ransom only helps fund this creep's next attack.

#303 jk74

Posted 17 September 2013 - 04:26 PM

The virus infected a client's machine. Most files were encrypted. What's strange is that many files on a shared drive did not get encrypted because the user shut off their PC and disconnected from the network. I had thought, after reading several posts, that all the encryption occurred before the notification appeared.

Our machine has been cleaned (System Restore, Malwarebytes), but the remnants of the virus (registry keys with file locations) are still on the box. Is there a way we might re-infect the PC safely so that we can pay the ransom and get the files decrypted? I know many are mentioning the servers on the Internet might be down... not sure if this is true or not, and I don't want to double-encrypt our files. Seems this was the $300 variant. The desktop was an XP workstation, and it infected the user's mapped home directory and also a shared folder. Backups were being done, but as luck would have it (the perfect storm), the backups are not intact. Go figure.

Any advice welcome with respect to options for re-infection. I know this is high-risk and low-reward, but there doesn't appear to be any other alternative at this point other than to wait for someone to create an unlock utility (which, given the encryption type, seems unlikely).

#304 ElysiumUS

Posted 17 September 2013 - 04:56 PM

I can confirm that a 2nd wave hit 9/16 around 1pm Central Standard Time. A small town of 300 people caught this in their small Windows workgroup of 2 machines. Luckily Windows had an update that created a restore point at 8am Tuesday that I was able to recover flawlessly from.

#305 proapp

Posted 17 September 2013 - 05:07 PM


A user just got hit with this Cryptolocker program, so I disconnected it from the network. It affected a few shared folders, but I was able to restore them from backup. So now the PC is on a countdown. My boss is insisting on paying the $300, but I am hesitant to connect the machine back to the network (since I already restored the affected files). Maybe I'll connect it to my Verizon hotspot and see what happens.

If you have the files recovered, there is absolutely no good reason to pay the ransom. No sane technician would trust the system; cleaning that particular virus is extremely easy. In theory, when the timer runs out, the virus removes itself, leaving only the damage of the files being encrypted (I still wouldn't trust it without numerous thorough scans first). It is believed at least one of the vectors of this virus is to travel from a botnet.

From what we know of the virus, the damage is done; paying the ransom only helps fund this creep's next attack.

I agree... No sane technician would trust the system. Hell, most thought I was insane to pay the ransom, but even I didn't trust the PC after it was done encrypting. Take the time to format the PC, and while you are installing the endless amounts of Windows updates, take a good look at your backups.

I'm happy to say that we are now 100 percent back up and running. We have good local backups of our data as well as CrashPlan in place for remote backups.

My variant was the $100 kind, and although it took everything in me to concede in paying the ransom (I think I was the first to post that I did, when the outcome of decrypting was unknown), it was the best choice for the situation we were in.

#306 noxharrington

Posted 17 September 2013 - 05:41 PM

I have removed CryptoLocker with Malwarebytes; however, all Office and PDF files on three PCs in the office, plus the server, show up as encrypted. The encryption tool on post 90 was unsuccessful in getting me back to square one.

Any thoughts or other tools out there for this?

#307 proapp

Posted 17 September 2013 - 06:35 PM

I have removed CryptoLocker with Malwarebytes; however, all Office and PDF files on three PCs in the office, plus the server, show up as encrypted. The encryption tool on post 90 was unsuccessful in getting me back to square one.

Any thoughts or other tools out there for this?

I know it's long, but I recommend you read every page of this post... there is NO way to get your files back currently, especially if you deleted the infection already. The only way is to pay the ransom.

#308 EagleComputerRepair

Posted 17 September 2013 - 06:46 PM

 

I have removed CryptoLocker with Malwarebytes; however, all Office and PDF files on three PCs in the office, plus the server, show up as encrypted. The encryption tool on post 90 was unsuccessful in getting me back to square one.

Any thoughts or other tools out there for this?

I know it's long, but I recommend you read every page of this post... there is NO way to get your files back currently, especially if you deleted the infection already. The only way is to pay the ransom.

Actually, there was a post here by secc123 that referred to http://www.technibble.com/forums/showthread.php?t=49944&page=3 which does have a reasonable shot.

The system the encrypted files are on needs to be Vista or 7, with System Restore on.

It isn't a 100% chance, but it has better chances than anything else thought of.

#309 quietman7

Posted 17 September 2013 - 06:50 PM

Yes, some users have reported success recovering data using Shadow Explorer.

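The shadow-copy route the two posts above describe (Shadow Explorer on a Vista/7 machine that had System Restore on) can also be done from an elevated PowerShell prompt, which is handy when checking several machines. This is an added example, not code from the thread or from Shadow Explorer; it assumes C: is the affected volume and uses placeholder values for the file path and the destination drive. Only a snapshot taken before the infection holds a clean copy, so the dates it lists are the first thing to check.

```powershell
# Added example (not from the thread): list Volume Shadow Copies of C: and copy one
# file out of the oldest snapshot, the one most likely to predate the encryption.
# Uses Get-WmiObject so it runs on the PowerShell 2.0 that shipped with Windows 7.
# $relativePath and $destDir are placeholders; run from an elevated prompt.
$relativePath = 'Users\alice\Documents\report.docx'   # placeholder, path below the volume root
$destDir      = 'E:\recovered'                         # placeholder, a drive other than C:

# Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, so resolve C: to that first.
$volumeId = (Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$shadows  = Get-WmiObject Win32_ShadowCopy |
            Where-Object { $_.VolumeName -eq $volumeId } |
            Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) }

if (-not $shadows) {
    Write-Host 'No shadow copies exist for C:; there is nothing to recover this way.'
    return
}

# Show every snapshot with its creation time so you can see which ones predate the infection.
foreach ($s in $shadows) {
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    Write-Host ('{0}  {1}' -f $when, $s.DeviceObject)
}

# Expose the oldest snapshot as a directory symlink; the trailing backslash is required.
$oldest = $shadows | Select-Object -First 1
$link   = Join-Path $env:TEMP 'vss_oldest'
cmd /c mklink /d "$link" "$($oldest.DeviceObject)\" | Out-Null
try {
    $src = Join-Path $link $relativePath
    if (Test-Path $src) {
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
        Copy-Item -Path $src -Destination $destDir   # writes only to $destDir, never back to C:
        Write-Host "Copied the snapshot version of $relativePath to $destDir"
    } else {
        Write-Host "File not present in the oldest snapshot: $relativePath"
    }
} finally {
    cmd /c rmdir "$link" | Out-Null   # removes only the link, not the snapshot
}
```

Open the copied file before relying on it: if the oldest snapshot was itself taken after the infection, the copy is just another encrypted version.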


#310 cryptohater

Posted 17 September 2013 - 07:42 PM

 

 

A user just got hit with this Cryptolocker program, so I disconnected it from the network. It affected a few shared folders, but I was able to restore them from backup. So now the PC is on a countdown. My boss is insisting on paying the $300, but I am hesitant to connect the machine back to the network (since I already restored the affected files). Maybe I'll connect it to my Verizon hotspot and see what happens.

If you have the files recovered, there is absolutely no good reason to pay the ransom. No sane technician would trust the system; cleaning that particular virus is extremely easy. In theory, when the timer runs out, the virus removes itself, leaving only the damage of the files being encrypted (I still wouldn't trust it without numerous thorough scans first). It is believed at least one of the vectors of this virus is to travel from a botnet.

From what we know of the virus, the damage is done; paying the ransom only helps fund this creep's next attack.

I agree... No sane technician would trust the system. Hell, most thought I was insane to pay the ransom, but even I didn't trust the PC after it was done encrypting. Take the time to format the PC, and while you are installing the endless amounts of Windows updates, take a good look at your backups.

I'm happy to say that we are now 100 percent back up and running. We have good local backups of our data as well as CrashPlan in place for remote backups.

My variant was the $100 kind, and although it took everything in me to concede in paying the ransom (I think I was the first to post that I did, when the outcome of decrypting was unknown), it was the best choice for the situation we were in.

Yes, that is a severe last resort. If you have your data, count yourself lucky and move along. If you reinfect, you invite more damage and exposure.

#311 ElysiumUS

Posted 17 September 2013 - 08:34 PM

Yes, some users have reported success recovering data using Shadow Explorer.

The recovery in my post above about the 2nd wave was performed using this method; again, lucky on two fronts: a system restore point from MS updates, and two non-server desktops.

#312 wiresdonttalk

Posted 17 September 2013 - 08:50 PM

We submitted payment a few hours ago. A few minutes ago it processed and files began decryption.

#313 JSntgRvr

Posted 17 September 2013 - 09:39 PM

I haven't seen whether someone has tried PhotoRec. I can't test it as I don't have a computer to infect, but it is worth a try.

PhotoRec is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

Click here for instructions. Recovery should be done on a partition other than the partition where the files were, such as an external or an additional internal drive.


#314 Arlothia

Posted 17 September 2013 - 10:19 PM

I haven't seen whether someone has tried PhotoRec. I can't test it as I don't have a computer to infect, but it is worth a try.

PhotoRec is file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

Click here for instructions. Recovery should be done on a partition other than the partition where the files were, such as an external or an additional internal drive.

This sounds like it's worth a shot.

I would like more information, though, before I go download something onto my computer, if you don't mind.

My main question is about the recovery being done on a separate partition. I don't speak computer that well and I'm not 100% sure what you mean. I recently bought a Seagate Backup Plus. Would that work? How do I know if I have an additional internal drive?

Is the recovery method similar to ShadowExplorer, where you download the program, it gives you a past time when your files were recorded, and then recovers those previous versions?

Sorry if this is all explained in the instructions link you posted (again, thanks for that), but my computer is running really slow right now and I really can't afford to open another tab.

Also, on that ShadowExplorer train of thought, the only times it gives me to choose from are post-virus, and those times are identical to the ones I have in my System Restore. Assuming they are connected, if I can get some older restore points, those times would be given to me in ShadowExplorer.

Now, when this Cryptolocker first hit my computer and I noticed my files were encrypted, I did a system restore, and I think I remember the time stamp being pre-virus. Is there a way to undo a system restore? Note this was System RESTORE and not System RECOVERY. I have Windows 7 Home Premium, by the way.

Thank you all so much!

#315 Elise

Posted 18 September 2013 - 05:10 AM

PhotoRec wants you to use a separate partition to avoid overwriting recoverable data. A backup drive will work just fine as long as you have enough free space to write to. I have worked with PhotoRec and it works well (haven't tried it with CryptoLocker though), but recovery is a very time-consuming process, not to mention the examination of the recovered data.

