A friend's business PC has become infected with the Crypt0l0cker ransomware virus. All of her user files are now encrypted and, as such, end with a .encrypted extension.
I have tried to help but I am not familiar with this virus so had to do some reading up on it. Initially I was optimistic after seeing the website http://www.decryptcryptolocker.com/ but none of the submitted files worked on there in order to get a key, and I soon learnt that there are different, stronger versions of this virus, and that this is one of them. After further reading, it seems that there is absolutely no way (currently) to decrypt the files - is this correct? Also, I gather it would be extremely unlikely that paying the ransom would do anything to resolve the issue? I wouldn't have done this anyway, personally, because the chances seem 99% that you wouldn't receive a decryptor and therefore would lose your files and your money.
I noticed that files in "Previous versions" (Windows 7) were fine, and started using Shadow Explorer to copy the snapshotted files from the VSS to an external USB hard drive. Is this the only course of action to take to even get close to getting files back? It's just that they are considering having an IT guy come out (and would therefore have to pay him) but if he's just going to do the same things I am going to do/have been doing, then I may as well help them and save them some money. Also, how do I make sure that the virus is gone? Apparently, MalwareBytes detects crypt0l0cker, and after running it on the infected machine, it did detect a file I already thought was very suspicious:
This app is also constantly running in task manager, and if I end it, it instantly starts again. I have YET to use a tool like MalwareBytes to clean the system.
There is also a rogue startup entry, c:\Program Data\ilcilizhp.exe - this .exe file does not actually exist though. I am guessing this may have been the virus itself? (or the above updater.exe)
I suppose my main questions are:
How is it likely this virus got onto their machine? (BullGuard antivirus is always on and up-to-date)
Is the only way I can even potentially restore the files via the Volume Shadow Service and Shadow Explorer? i.e., is there no tool out there to decrypt files encrypted by crypt0l0cker?
How can I be certain the virus is removed from their machine? Which tools are best to use to scan?
Thanks very very much for any information.
Edited by alex_ncfc, 13 June 2015 - 05:29 AM.
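The two hands-on parts of the post, pulling pre-infection copies out of VSS snapshots and checking whether a startup entry still points at a real file, can both be scripted. The PowerShell below is an added example written for this page; it is not the poster's code, nor part of Shadow Explorer or MalwareBytes. It assumes Windows 7 or later with PowerShell 3+, an elevated prompt (reading Win32_ShadowCopy and creating the symlink need it), robocopy on the PATH, and that the snapshot you want predates the infection. The cutoff date, the user profile path and the E:\Recovered destination are placeholders to change for the machine in question.

```powershell
# Added example, not from the original post. Placeholders: the infection
# date, 'Users\Alice\Documents', and 'E:\Recovered'. Run elevated.

# --- Part 1: recover files from the newest VSS snapshot taken before the infection ---

function Get-CleanShadowCopy {
    param(
        [Parameter(Mandatory)][datetime]$InfectedAfter,   # earliest time the encryption could have started
        [string]$Volume = 'C:'
    )
    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, so map the
    # drive letter to that form through Win32_Volume first.
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $InfectedAfter } |
        Sort-Object InstallDate -Descending |
        Select-Object -First 1
}

function Copy-FromShadowCopy {
    param(
        [Parameter(Mandatory)]$ShadowCopy,                 # object returned by Get-CleanShadowCopy
        [Parameter(Mandatory)][string]$SourceSubPath,      # path inside the snapshot, e.g. 'Users\Alice\Documents'
        [Parameter(Mandatory)][string]$Destination,        # e.g. 'E:\Recovered\Documents' on the external drive
        [string]$LinkPath = 'C:\ShadowMount'
    )
    # A directory symlink to the snapshot's device object makes it browsable like a
    # normal folder; mklink needs the trailing backslash on the target.
    $target = "$($ShadowCopy.DeviceObject)\"
    if (Test-Path $LinkPath) { cmd /c rmdir "$LinkPath" | Out-Null }
    cmd /c mklink /d "$LinkPath" $target | Out-Null
    try {
        $src = Join-Path $LinkPath $SourceSubPath
        # /E copies subfolders; /XF skips anything that was already encrypted when the
        # snapshot was taken; /R:1 /W:1 stops one unreadable file from stalling the run.
        robocopy $src $Destination /E /XF *.encrypted /R:1 /W:1 /NP /LOG+:"$env:TEMP\shadow-recovery.log"
    } finally {
        cmd /c rmdir "$LinkPath" | Out-Null   # removes only the link, never the snapshot
    }
}

# --- Part 2: list Run/RunOnce entries and flag ones whose target is missing or unsigned ---

function Get-StartupEntryStatus {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
            $cmd = [string]$p.Value
            # Extract the executable from the command line: a quoted path, else the
            # text up to the first ".exe".
            if ($cmd -match '^\s*"([^"]+)"')       { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(.+?\.exe)')  { $exe = $Matches[1] }
            else                                   { $exe = $cmd.Trim() }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = $exists   # a dangling entry (like the one in the post) shows up as False
                Signed  = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid' } else { $false }
            }
        }
    }
}

# Usage (placeholder date and paths):
$snap = Get-CleanShadowCopy -InfectedAfter (Get-Date '2015-06-10')
if ($null -eq $snap) { throw 'No snapshot older than the cutoff was found on C:' }
"Using snapshot from $($snap.InstallDate)"
Copy-FromShadowCopy -ShadowCopy $snap -SourceSubPath 'Users\Alice\Documents' -Destination 'E:\Recovered\Documents'
Get-StartupEntryStatus | Where-Object { -not $_.Exists -or -not $_.Signed } | Format-Table -AutoSize
```

Two practical notes: the ransomware's own process is usually what deletes shadow copies, so run the recovery before any cleanup step that might trigger it again, and compare the copied files' hashes against any known-good backup where one exists. The startup audit only covers the Run/RunOnce keys; the Startup folder, scheduled tasks and services are the other common persistence points, and an unsigned binary living in ProgramData or AppData that also restarts itself when killed is exactly the pattern the post describes.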