Unidentified Crypt Ransomware / any hope of data decryption?


4 replies to this topic

#1 scotru


Posted 03 October 2013 - 12:55 AM

School network struck by a piece of encrypting malware. It infected the computer of a school administrator who had access to a lot of data. A combination of a poorly planned backup rotation cycle, actively mounted backup volumes, and the amount of time it took to detect the problem means that we don't have good recent backups. Any help is very much appreciated.

The infection began in the middle of last week and, due to a long weekend, wasn't detected until early this week. That gave it quite a bit of time to chew up terabytes of network data.

I have 4 files found in the user's folder named:

gubrumumunod
nesidaspycgu
pofbewarpeac
vifturnaskel

I can provide the files if useful. I also have samples of encrypted and unencrypted (before and after) files as well.

Once we realized what was going on, we shut off the file server to protect the remaining data until we isolated the affected computer (which is now off the network). We've made a copy of the file shares that were hit and also cloned the drive from the originally infected machine.

I have not received any popups or ransomware requests (maybe because we interrupted it?). I don't care about the workstation (it's easy to re-image). It's the encrypted data on the network shares that is the tragedy. Any advice much appreciated.

Can anyone help identify the malware and is there any hope of reversing the encryption?


Edited by scotru, 03 October 2013 - 12:55 AM.



#2 Grinler (Lawrence Abrams, Admin)

Posted 03 October 2013 - 11:10 PM

Sounds like Cryptolocker:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

Check for the presence of a hkcu\software\cryptolocker key. If it exists, then you got this bugger.
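
The registry check suggested in the reply above, written out as an added PowerShell example (this is not code from the thread or from BleepingComputer). It looks for HKCU\Software\CryptoLocker in a user hive and, if the key exists, dumps the Files subkey, which CryptoLocker builds of that period used to record one value per encrypted file, named after the file's path with backslashes replaced by '?'. The hive name `Clone`, the NTUSER.DAT path and the output directory `C:\ir` are assumptions; adjust them to the cloned disk and working folder you actually have.

```powershell
# Added example: check a user hive for the HKCU\Software\CryptoLocker key.
# Not part of the original thread. HiveRoot, hive name and output path are assumptions.

function Test-CryptoLockerKey {
    param(
        # Default: the hive of the user running the script on the infected machine.
        # To inspect the cloned workstation disk offline instead, load its hive first:
        #   reg.exe load HKU\Clone "E:\Users\<infected user>\NTUSER.DAT"
        # and call: Test-CryptoLockerKey -HiveRoot 'Registry::HKEY_USERS\Clone'
        # Unload it afterwards with: reg.exe unload HKU\Clone
        [string]$HiveRoot = 'HKCU:',
        [string]$OutFile  = 'C:\ir\cryptolocker-files.txt'   # assumption: C:\ir exists
    )

    $key = "$HiveRoot\Software\CryptoLocker"
    if (-not (Test-Path -LiteralPath $key)) {
        # Absence is not proof of a clean machine: an AV cleanup may already have
        # deleted the key, as noted later in this thread.
        Write-Output "No $key found (inconclusive)"
        return $false
    }

    Write-Output "Found $key - consistent with a CryptoLocker infection"

    # The Files subkey lists what was encrypted; it is the quickest way to scope damage.
    $filesKey = "$key\Files"
    if (Test-Path -LiteralPath $filesKey) {
        $names = @((Get-Item -LiteralPath $filesKey).GetValueNames())
        Write-Output ("{0} encrypted file paths recorded" -f $names.Count)
        # Value names store the path with '\' swapped for '?'; restore the real path.
        $names | ForEach-Object { $_.Replace('?', '\') } | Set-Content -Path $OutFile
        Write-Output "Path list written to $OutFile"
    }
    return $true
}

Test-CryptoLockerKey
```

Run it as the affected user on the isolated workstation, or against the hive loaded from the cloned drive so the original evidence stays untouched. A `$false` result only means the key is not there now; combine it with the sample submission Grinler asks for rather than treating it as a clean bill of health.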

#3 scotru (Topic Starter)

Posted 04 October 2013 - 12:41 AM

I've been following the long Cryptolocker thread here:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-33

But I do not have any sign of the hkcu\software\cryptolocker key in the account of the infected user on the infected machine (although that account did seize ownership of the encrypted files). So I wonder if I may have something else? Discussion seems to indicate that even after the virus removes itself, this key is left behind, is that correct?

I just sent the malware I found along with some sample encrypted files to Fabian so maybe he will be able to help identify it.

Let me just take a quick moment to say what an amazing site this is--what a tremendous resource you have curated!


Edited by scotru, 04 October 2013 - 12:42 AM.
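
The post above notes that the registry key is missing but that the infected account took ownership of the encrypted files. When the registry list is gone, that ownership change plus the infection window is the next best selector for scoping the damage on the copied shares. The following is an added PowerShell example, not code from the thread: it walks an offline copy of a share and records files whose NTFS owner is the suspect account and whose last-write time falls inside the window. The share path, account name, dates and output file are placeholders to be replaced with real values; the post does not say whether encrypted files were renamed, so the script deliberately does not filter on extension.

```powershell
# Added example: list files on a share copy owned by the compromised account and
# modified during the infection window. Not part of the original thread.
# Every parameter default below is an assumption for illustration.

function Find-SuspectFiles {
    param(
        [string]$SharePath    = 'D:\ShareCopy',          # offline copy of the hit share
        [string]$SuspectOwner = 'SCHOOL\admin.user',     # account that took ownership
        [datetime]$Start      = (Get-Date '2013-09-25'), # "middle of last week"
        [datetime]$End        = (Get-Date '2013-10-01'), # when the server was shut off
        [string]$OutCsv       = 'C:\ir\suspect-files.csv'
    )

    # Timestamp filter first: Get-Acl per file is slow, so narrow the set before
    # asking for ownership.
    $candidates = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End }

    $hits = foreach ($f in $candidates) {
        $owner = (Get-Acl -LiteralPath $f.FullName).Owner
        if ($owner -eq $SuspectOwner) {
            [pscustomobject]@{
                Path      = $f.FullName
                Owner     = $owner
                Modified  = $f.LastWriteTime
                SizeBytes = $f.Length
            }
        }
    }

    $hits | Export-Csv -Path $OutCsv -NoTypeInformation
    Write-Output ("{0} of {1} candidate files are owned by {2}; list written to {3}" -f `
        @($hits).Count, @($candidates).Count, $SuspectOwner, $OutCsv)
    return $hits
}

Find-SuspectFiles
```

Run this against the copy, not the live shares, and spot-check a few results against the known before/after samples: a file that is in the CSV and no longer opens in its normal application is a reasonable first confirmation that the selector is picking up the encrypted set rather than ordinary edits by that user.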


#4 Grinler (Lawrence Abrams, Admin)

Posted 04 October 2013 - 10:04 AM

Thanks :)

Can you submit those same files to http://www.bleepingcomputer.com/submit-malware.php?channel=3 as well?

As for the key, I am pretty sure some AV may be removing it as well.

#5 scotru (Topic Starter)

Posted 06 October 2013 - 12:10 AM

Yes, here it is. I don't think the AV on this machine caught it (it appears to be either malfunctioning or perhaps crippled by malware). It has reported nothing found for quite some time. So I'm confused about what happened to the key. I was really hoping it would turn out to be something other than CryptoLocker--but I heard back from Fabian and it sounds like he thinks it is indeed CL.
