question on cryptolocker and backup drives


10 replies to this topic

#1 ToddAndMargo

Posted 26 October 2013 - 07:04 PM

Hi All,

 

I have been reading Bleeping Computer's excellent guide on Cryptolocker.  In the section concerning network drives, it states:

     http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shares

     "CryptoLocker only encrypts data stored on network shares if the shared folders are mapped as a drive letter on the infected computer"

 

Question: if this buzzard infects network drives with a drive letter, would it not also infect backup drives mounted with a drive letter?  If so, any way to protect your backup drive other than constantly unplugging it?

 

Many thanks,

-T





#2 ToddAndMargo

Posted 30 October 2013 - 10:12 PM

To answer my own question: it goes after anything with a drive letter.  So, yes, if your backup drive is mounted with a letter, you are toast.
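
An added example, not part of the original post: since the thread's conclusion is that anything reachable by drive letter is exposed, this PowerShell inventory lists every drive-lettered volume (fixed, removable and mapped share) and whether the current user can write to its root. The `Test-RootWritable` helper and the probe file name are hypothetical names introduced here.

```powershell
# Added example: inventory only. The probe file is created and removed at once.
# Win32_LogicalDisk DriveType values: 2 = removable, 3 = local fixed, 4 = network.
$typeName = @{ 2 = 'Removable'; 3 = 'Local fixed'; 4 = 'Mapped network share' }

function Test-RootWritable {
    param([string]$Root)
    # Constructed probe name; a GUID avoids touching any existing file.
    $probe = Join-Path $Root ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false   # read-only, access denied, or drive not ready
    }
}

Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { $typeName.ContainsKey([int]$_.DriveType) } |
    ForEach-Object {
        [pscustomobject]@{
            Letter     = $_.DeviceID
            Kind       = $typeName[[int]$_.DriveType]
            Label      = $_.VolumeName
            Target     = $_.ProviderName   # UNC path for mapped shares, else empty
            FileSystem = $_.FileSystem
            Writable   = Test-RootWritable ($_.DeviceID + '\')
        }
    } |
    Sort-Object Kind, Letter |
    Format-Table -AutoSize
```

The probe only tests the root folder, so `Writable = False` on a system drive does not mean its subfolders are protected. A backup volume that shows up here as writable is in the exposure set the post describes.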



#3 RobinHoodSnr

Posted 30 October 2013 - 11:24 PM

Just thought I'd mention something...it does not ONLY affect shares...it affects your documents as well. I have compiled a small little script that can kill cryptolocker (only temporarily), and everything you do WON'T get encrypted...but as soon as crypto STARTS...ALL your docs are encrypted again...I did this just as a "test"...

To answer your question? YES.....EVERYTHING that's connected via PC will get infected (the files that were specified...i.e. .doc...docx...xls...xlsx...etc.)...ESPECIALLY backups that are DIRECTLY connected to your PC....as it detects them as an additional drive.

PS: what I CAN do is send you the script...it will kill Crypto...and you can use your external drive...but ONLY while crypto (cryptolocker) is not running. It's a dangerous "move" you shall take...but it will work...as long as your backups are GENUINE...killing crypto won't affect it...but as mentioned...IF crypto starts...you're doomed!

Moral of the story? Only use your external when crypto is NOT running...otherwise, unplug it, as crypto will start when the PC/laptop starts...then you'll need my script again


Edited by RobinHoodSnr, 30 October 2013 - 11:30 PM.

...We all know something...but we will NEVER know everything :grinner:

Cryptlocker "Process" remover...will NOT delete Cryptolocker, only the processes...(a "safety precaution" I took for those who still want to "try" paying the ransom to get their files back. DON'T FORGET TO MONITOR YOUR TIME LEFT BEFORE PAYMENT!)

("KillCrypt" will automatically open %appdatadir%...just guide this to Cryptolocker-Virus and double-click on it. Remember...if you "restart" your system, the processes will be back...use this only for emergencies if you want to create a quick document. While these processes are killed, your docs won't get infected, but WILL be encrypted (unusable) when you restart the PC/laptop OR click on the Virus again!!!)


#4 ToddAndMargo

Posted 30 October 2013 - 11:35 PM

I would wait until Crypto Locker is GONE.

 

Does your script identify if Crypto Locker is still running?  Would be a great tool to see how well you did.



#5 RobinHoodSnr

Posted 30 October 2013 - 11:48 PM

     "I would wait until Crypto Locker is GONE.

     Does your script identify if Crypto Locker is still running?  Would be a great tool to see how well you did."

What it does (while cryptolocker is still showing "live" on your desktop): it will open up a dialog box that will automatically open in your %appdatadir%...you just need to find the cryptolocker "exe" (as each .exe has a different name)...double-click on it, and the script will try to kill the processes associated with it (usually there are 2 identical processes). When finished, just double-check in your "process dialog box" and make sure it's gone. Also, your cryptolocker pop-up screen will disappear when it's "temporarily" killed...Matter of caution...you use it at your own risk...but it DID work for me...just be careful (you can even create a .docx file and save it to your DOCUMENTS folder...open it...and see if you can still read the contents). If you CAN read the contents after re-opening the docx file, you know it's killed...

Just disable your antivirus when running this...as it might detect this proggie as a virus seeing I have compiled it via AutoIt...

PS: BEAR IN MIND IT WILL COME BACK AFTER A COMPUTER RESTART!

THIS ALSO DOESN'T delete THE FILE ITSELF...only THE PROCESSES! The reason for this is that "some" folks want to pay the RANSOM...if I DELETE the file...chances are they won't be able to pay the ransom without the original still on your PC...

Another thing (sorry for me just adding on here) is, if you CAN'T find the file...DISABLE your "hidden" attributes via FOLDER OPTIONS--VIEW--then UNHIDE (remove tick) from "Hide Protected System Files"...and tick SHOW HIDDEN FILES AND FOLDERS

Just beware...this is a dangerous "move" you're attempting...and NEVER leave your backups "connected"...while Cryptolocker is still running!!!

DON'T ATTACH ANYTHING TO YOUR PC...UNLESS YOU'RE SURE THE PROCESSES ARE GONE!

Cryptlocker Process Killer ---> http://mariuscomputers.co.za/killCrypt.exe


Edited by RobinHoodSnr, 31 October 2013 - 02:13 AM.
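
An added example, not part of the original post and not the poster's tool: a report-only PowerShell check for the condition post #4 asks about, listing running processes whose executable lives under the user's AppData folders (the post's "%appdatadir%") and grouping them so duplicate instances stand out. The helper name `Test-UnderAppData`, the choice of the two AppData roots and the HKCU Run key check are assumptions made here.

```powershell
# Added example: report only. Nothing is terminated, deleted or changed.
# Assumption: these two folders cover what the post calls "%appdatadir%".
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }

function Test-UnderAppData {
    param([string]$Text)
    if (-not $Text) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)
    foreach ($root in $roots) {
        if ($expanded.IndexOf($root + '\', [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# 1. Running processes grouped by image path. ExecutablePath is empty for
#    processes the current user is not allowed to inspect.
$running = Get-CimInstance -ClassName Win32_Process |
    Where-Object { Test-UnderAppData $_.ExecutablePath } |
    Group-Object -Property ExecutablePath |
    ForEach-Object {
        # -Force so hidden or system-flagged files are still found.
        $file = Get-Item -LiteralPath $_.Name -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Image     = $_.Name
            Instances = $_.Count
            Pids      = ($_.Group.ProcessId -join ',')
            Created   = $file.CreationTime
        }
    }

# 2. Per-user autostart values that launch something from the same folders
#    (assumption: the HKCU Run key is one common place; others exist).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autostart = @(
    if (Test-Path $runKey) {
        (Get-ItemProperty -Path $runKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and (Test-UnderAppData ([string]$_.Value)) } |
            Select-Object Name, Value
    }
)

$running   | Sort-Object Instances -Descending | Format-Table -AutoSize
$autostart | Format-Table -AutoSize
```

Legitimate software also runs from AppData, so the output is a list to review, not a verdict; an empty list after cleanup is the result to look for before reconnecting a backup drive.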



#6 RobinHoodSnr

Posted 31 October 2013 - 12:56 AM

PS: I would appreciate some feedback on this. If it helps you (temporarily), other folks might also benefit from it...(FOR THE TIME BEING...lol)


Edited by RobinHoodSnr, 31 October 2013 - 01:27 AM.



#7 ToddAndMargo

Posted 31 October 2013 - 01:14 AM

I will download your script.  I can't promise anything.  My goal is to make sure this never happens to any of my customers.  But...

 

Where do I download it from?

 

edit: found your link. 


Edited by ToddAndMargo, 31 October 2013 - 01:20 AM.


#8 RobinHoodSnr

Posted 31 October 2013 - 01:20 AM

     "I will download your script.  I can't promise anything.  My goal is to make sure this never happens to any of my customers.  But...

     Where do I download it from?

     edit: found your link."

Just click on the link in my topmost post...

You will notice a couple of black-background dialog boxes running...don't stress...this is part of the disabling process :)

...or download from the link below...

http://mariuscomputers.co.za/killCrypt.exe


Edited by RobinHoodSnr, 31 October 2013 - 01:29 AM.



#9 ToddAndMargo

Posted 31 October 2013 - 01:23 AM

You got tagged by two antivirus scanners over on VirusTotal:

https://www.virustotal.com/en/file/4d4b71daff834b6711e26cc2d09da50a931d4d8e4c2ae02fef3d3eb6bce0a6a3/analysis/



#10 RobinHoodSnr

Posted 31 October 2013 - 01:31 AM

It's a FALSE POSITIVE....it detects the program as I have compiled it with....AUTOIT!

I would appreciate it if someone can just "rectify" those guys...it's a very easy source code....I basically used "taskkill" to do the operation...

THIS....is what makes me MAJORLY upset....they "think" it's a virus....they must analyze the damn thing first...so they can KNOW it's not a virus  :halloween:

I protected it with CAMO....I now have REMOVED my protection....please try again

(For what it's worth...if you look at WHERE my tool comes from, you'll notice it's a LEGIT company....

http://mariuscomputers.co.za (my own))


Edited by RobinHoodSnr, 31 October 2013 - 06:23 AM.



#11 RobinHoodSnr

Posted 04 November 2013 - 12:28 AM

For administrators that have to maintain 100s of PCs, I would suggest creating/downloading your OWN e-mail server...put this on ONE PC only...and guide ALL your other computers' email to THIS (YOUR email server). Let them then download their emails only from ONE source...YOUR email server. THIS way, you only need to secure and monitor ONE PC's email...YOUR server.

(just a suggestion for large companies)

...a lot of work (in the beginning), yes...but less "stress" :)


Edited by RobinHoodSnr, 04 November 2013 - 12:39 AM.





