
CryptoLocker or Wall Investigation

3 replies to this topic

#1 Blackduke77


  • Members
  • 1 posts

Posted 15 January 2016 - 08:36 PM

Hi All,


What a great community, please forgive me if I am posting in the wrong forum. I have been reading lots of threads and find myself quite inspired by the wealth of information here.


Anyway, my problem: I have a large distributed user base, mainly mobile workers, and I have had two instances of files being encrypted by what I assume is ransomware. Local IT have reinstalled the machines and restored backups, but there has been another case reported today. I have asked for the PC to be delivered to me so I can attempt to find out how the infection occurred and why our AV did not pick up on it.


I don't really need to clean it, I really need to know when and how the machine was infected so I can close that vulnerability or at least advise the user on behavior...


Do you have any advice or tools to help identify the malware and potentially the infection date and vector?


I work in a sensitive environment and am concerned about posting publicly but I would be grateful for any help.


Best Wishes





#2 ScathEnfys


    Bleeping Butterfly

  • Members
  • 1,375 posts
  • Gender:Not Telling
  • Location:Deep in the Surface Web

Posted 15 January 2016 - 09:45 PM

If you have a limited list of "approved programs" your employees should be able to run, you could try going full lockdown by using an anti-executable program to prevent all unauthorized processes from starting on your machines. If each employee uses his/her own set of programs, or the list of approved programs is several hundred items long, though, you probably want to look for another source.

#3 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,561 posts
  • Gender:Male
  • Location:USA

Posted 15 January 2016 - 10:27 PM

Any chance you can give us more information on the ransomware that is hitting your users? Any extensions appended, or ransom notes? Knowing the variant can go a long way towards isolating the potential vectors; some variants have certain well-known ways of distribution.

Have you been able to isolate the exact user who was affected in each case? Usually the owner of the encrypted files will lead you to the account, and a modified date may give you a time range to investigate audit logs more thoroughly.

There are always ways around an antivirus; user awareness is the best remedy in conjunction with any other systems in place.


#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 January 2016 - 08:03 AM

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .XRNT, .XTBL, .crypt, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .lechiffre, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .CTBL, .CTB2, or 6-7 length extension consisting of random characters?

Is there any notice (message) which says something like..."Your files are locked and encrypted with a unique RSA-1024 key!"?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, _secret_code.txt 
YOUR_FILES.HTML, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_.txt, RECOVERY_FILES.txt, help_decrypt_your_files.html, YOUR_FILES.url
Howto_RESTORE_FILES_.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_.txt, restore_files_.txt
howto_recover_file_.txt, how_recover+[random].txt, _how_recover_.txt, recover_file_[random].txt

Note: The [random] represents random characters which some ransom notes names may include.
Did you or your anti-virus find any malware? These are common locations malicious executables related to ransomware infections may be found:

Once we have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.
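The triage that Demonslay335 and quietman7 describe above (group the encrypted files by appended extension to identify the variant, locate ransom notes, and use the file owners and modification times to narrow down the account and the time window to search in the audit logs), as an added Python example that is not from the thread or from any of the posters. The extension list and ransom-note names are the ones quietman7 posted; the directory tree it scans is constructed in a temporary folder and labelled as such, the account name "alice" in it is made up, and the owner lookup assumes a POSIX host (on Windows you would read the owner with Get-Acl or icacls instead).

```python
"""Ransomware triage: find encrypted files and ransom notes under a profile or
share, then bound the infection window from their modification times."""
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Appended extensions quietman7 lists in the thread (lower-cased for matching).
KNOWN_EXTENSIONS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv", ".xxx", ".ttt",
    ".micro", ".encrypted", ".locked", ".crypto", "_crypt", ".crinf", ".xrnt", ".xtbl",
    ".crypt", ".pzdc", ".good", ".lol!", ".omg!", ".rdm", ".rrk", ".encryptedrsa", ".crjoker",
    ".enciphered", ".lechiffre", ".0x0", ".bleep", ".1999", ".vault", ".ha3", ".toxcrypt",
    ".ctbl", ".ctb2"}
# Ransom-note names from the thread; "[random]" and "<user name>" become wildcards.
NOTE_PATTERNS = [re.compile(p) for p in (
    r"^decrypt_instruction\.txt$", r"^how_to_decrypt_files\.txt$", r"^readdecryptfileshere\.txt$",
    r"^_secret_code\.txt$", r"^your_files\.(html|url)$", r"^decryptallfiles_.*\.txt$",
    r"^encryptor_raas_readme_liesmich\.txt$", r"^recovery_files?_?\.txt$",
    r"^help_decrypt_your_files\.html$", r"^howto_restore_files_?\.txt$", r"^restore_files_?\.txt$",
    r"^howto_recover_file_?\.txt$", r"^how_recover\+.*\.txt$", r"^_how_recover_\.txt$",
    r"^recover_file_.*\.txt$")]
# "6-7 length extension of random characters" is only a heuristic: legitimate extensions
# of that length (.torrent, .sqlite) match too, so this bucket needs manual review.
RANDOM_EXT = re.compile(r"^\.[a-z0-9]{6,7}$")


def classify(path):
    """Return ("encrypted", ext), ("note", None), ("suspect", ext) or (None, None)."""
    name = path.name.lower()
    for ext in KNOWN_EXTENSIONS:          # endswith, so "_crypt" style suffixes work too
        if name.endswith(ext):
            return "encrypted", ext
    if any(p.match(name) for p in NOTE_PATTERNS):
        return "note", None
    if RANDOM_EXT.match(path.suffix.lower()):
        return "suspect", path.suffix.lower()
    return None, None


def file_owner(path):
    """Owner account: the user who ran the malware usually owns the ciphertext."""
    if os.name == "nt":                   # assumption: POSIX host; no stdlib owner API on Windows
        return "unknown (use Get-Acl or icacls on Windows)"
    uid = path.stat().st_uid
    try:
        import pwd
        return pwd.getpwuid(uid).pw_name
    except KeyError:                      # uid with no passwd entry (containers, removed users)
        return str(uid)


def triage(root):
    """Walk root; collect encrypted files, notes, suspects, and the mtime window."""
    result = {"encrypted": [], "notes": [], "suspect": [], "by_extension": {},
              "by_owner": {}, "first_seen": None, "last_seen": None}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            kind, ext = classify(p)
            if kind == "note":
                result["notes"].append(str(p))
            elif kind == "suspect":
                result["suspect"].append(str(p))
            elif kind == "encrypted":
                result["encrypted"].append(str(p))
                result["by_extension"][ext] = result["by_extension"].get(ext, 0) + 1
                owner = file_owner(p)
                result["by_owner"][owner] = result["by_owner"].get(owner, 0) + 1
                # Encryption rewrites the file, so mtime brackets when the malware ran.
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
                if result["first_seen"] is None or mtime < result["first_seen"]:
                    result["first_seen"] = mtime
                if result["last_seen"] is None or mtime > result["last_seen"]:
                    result["last_seen"] = mtime
    return result


def build_sample_tree(base):
    """Constructed sample (not a real capture): a profile holding three encrypted
    files, two ransom notes and one clean, older document."""
    docs = Path(base) / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    samples = {                              # name -> mtime (epoch seconds, UTC)
        "budget.xlsx.vvv": 1452870000,       # 2016-01-15 15:00:00
        "report.docx.vvv": 1452870120,       # 2016-01-15 15:02:00
        "photo.jpg.micro": 1452870600,       # 2016-01-15 15:10:00
        "help_decrypt_your_files.html": 1452870660,
        "notes.txt": 1450000000}             # clean file from December 2015
    for name, ts in samples.items():
        f = docs / name
        f.write_bytes(b"constructed sample content")
        os.utime(f, (ts, ts))
    pdata = Path(base) / "ProgramData"
    pdata.mkdir()
    note = pdata / "DECRYPT_INSTRUCTION.TXT"
    note.write_text("constructed note text")
    os.utime(note, (1452870700, 1452870700))


def run_demo():
    """Build the sample tree in a temp dir, triage it, clean up, return the result."""
    base = tempfile.mkdtemp(prefix="ransom-triage-")
    try:
        build_sample_tree(base)
        return triage(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

On a real case you would call `triage()` on the restored or mounted profile (or the file share) instead of `run_demo()`; `by_extension` is what you would paste into ID Ransomware, `by_owner` names the account to pull logon and proxy records for, and `first_seen`/`last_seen` give the window for the audit-log search. Treat the `suspect` bucket as leads only, since the random-extension rule also matches ordinary long extensions.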
