Cryptolocker 3.0 on XP

Romaniac
Howdy all,

I'll try to keep this concise. I know there are similar threads, but this one is different.

INFO:
- XP
- Caught virus fairly early - virus has not finished or popped up. Have a few dozen DECRYPT_INFO files, but they're somewhat redundant, fairly localized.
- Quickbooks corrupted (?) / data file possibly encrypted. That's what he cares about.
- Latest backup is May - too old. (He happened to slack at the wrong time.)
- Tried a system restore to a week or so back, but QB was still giving errors - missing or damaged files. Also unable to retrieve license key.
- The system restore points have quite a bit of data. Has not been turned off or points deleted.

- Client is considering paying (more on this below).


ISSUES:
I don't see ShadowCopyExplorer being compatible with XP - has anyone tried? Alternative?

If I right click on a folder (tried Win made and user made), select 'properties', there is NO 'previous version' tab.
I tried running regsvr32 /s twext.dll in cmd, but nothing changed (I restarted, still no change).
Anyone know a fix?

I am working on clone, not original.


UNKNOWNS:
Decrypt info files claim Cryptolocker 3.0. I have not visited the links posted in the decrypt info files. Not sure what the cost is yet.
-------------------------------------------------------------

QUESTIONS:
Anyone have info / news on keys / keys recovery?
What about success with paying? (I don't want to give up yet - I even want to try deleted data recovery, if this is indeed 3.0; but I want to ask, as it is an option.) He is indeed willing to pay if it's going to be ~$500 or less. I explained the risks and all. He just wants his data.


Can I do anything with restore point data?
I'm thinking if I can get 'previous versions' tab back, it may be worth a shot!


Thanks a ton, guys n gals.

PS: Feel free to ask any questions I may have forgotten to address.
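The poster's first question is really one of scope: a few dozen DECRYPT_INFO notes, "fairly localized", and the encryption not finished. The following triage script is an added example and is not code from this thread. It uses the note filename the poster reported (assumed to start with DECRYPT_INFO; the exact name varies by variant), treats the oldest note's timestamp as the start of the encryption run, and separates files touched after that point (likely encrypted) from files untouched since before it (likely still intact, which is exactly how the Auto Data Recovery copy in the debrief survived). The sample tree it builds is constructed, and the scan is meant to be run against a read-only mount of the clone, not the original disk.

```python
"""Triage the spread of a crypto-ransomware run from its ransom notes.

Added example, not code from the original posts. Assumes ransom notes are
files whose name starts with DECRYPT_INFO (the name the poster saw).
"""
import os
import tempfile
import time
from pathlib import Path

NOTE_NAME = "DECRYPT_INFO"  # adjust for other variants


def scan_tree(root):
    """Return (note_dirs, suspect_files, intact_files) for the tree under root."""
    root = Path(root)
    notes = [p for p in root.rglob("*") if p.is_file() and p.name.startswith(NOTE_NAME)]
    if not notes:
        return [], [], []
    # The oldest note approximates when the encryption run started.
    start = min(p.stat().st_mtime for p in notes)
    note_dirs = sorted({str(p.parent.relative_to(root)) for p in notes})
    suspect, intact = [], []
    for p in root.rglob("*"):
        if not p.is_file() or p.name.startswith(NOTE_NAME):
            continue
        rel = str(p.relative_to(root))
        # Modified at or after the first note: probably rewritten by the malware.
        (suspect if p.stat().st_mtime >= start else intact).append(rel)
    return note_dirs, sorted(suspect), sorted(intact)


def build_sample(base):
    """Constructed sample tree mimicking the poster's situation (not real data)."""
    base, now = Path(base), time.time()
    files = {
        "Docs/company.qbw": now - 60,           # touched after first note: suspect
        "Docs/DECRYPT_INFO.txt": now - 120,     # oldest ransom note
        "Docs/Backups/company.qbb": now - 30,   # manual backup, also suspect
        "Docs/Backups/DECRYPT_INFO.txt": now - 90,
        "QB/ADR/company.qbw.adr": now - 3600,   # older than first note: intact
        "Photos/a.jpg": now - 7200,
    }
    for rel, mtime in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        os.utime(p, (mtime, mtime))
    return base


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    return scan_tree(build_sample(tempfile.mkdtemp()))
```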
 
If the data is that valuable to him then I'd recommend paying, the sooner the better. Soon those links will be dead and his data gone. Typically it starts at $300 and increases as time goes on. $300 for a good chance at recovering the data is a good gamble.

That's my 2 cents worth.
 
Will QB launch at all? Maybe his company files are ok, it's just QB that's hosed?

Shadow Explorer is only for Vista and higher. XP doesn't have the "Previous Versions" feature. You might be able to find an earlier version of his company files using Easeus Data Recovery (or the like) if that's all he cares about.
 
It could be that QuickBooks itself is busted. We're working on that in parallel - but he can't find CD or license and doesn't think he has an online log in where all that stuff can be found; so we're trying to retrieve license another way.

Thing is, he says he tried to open a QB file with QB, and that's when he got some error about file being encrypted....?
That's what got me to predict infection in the first place; but I'm still checking it out, as maybe it was unrelated corruption... slight maybe.

If we wanted to pay, should I let the virus finish encrypting everything (after cloning and verifying it, of course)? Or just go ahead and go to the links and pay?
 
At this point, it's looking like a payment.

Should I need to wait until the encryption finishes and there is a pop-up? I have obviously disconnected the PC from the network for a couple days now.

I'm guessing I have to let it re-initiate...? Wait until it's done for safety? Quickness is somewhat important.


Any knowledge would be much appreciated, thanks.
 
I'd hold off on that, you could end up double encrypting files, but it depends on the particular variant. NB Cryptolocker was taken down some time ago, you likely have a copycat like Cryptol0cker, which I believe is itself a variant of Torrentlocker.

I guess the best route would be to talk to the authors and let them know what the situation is. They would best know how to proceed and may offer to decrypt a file for free to prove their product works.
 
Check the link in the decrypt file, they typically will decrypt one for free to prove it works. You are pretty much up the creek, more so with XP. I'd pay and get it over with. Expensive lessons to learn, for sure.
 
Please clarify a bit...

By re-initiate I meant pick things up where it left off.... since it hadn't finished...? You're thinking it may start over?
 
If you know exactly what you have, there's probably a write-up over at Bleeping Computer that tells you if it stores a list of encrypted files (which is later used in the decryption process) and where that list is. Some put it in the registry.
 
Kudos for the image part. So this person, who was prompted every time he closes QB to do a backup, never has. You should tell him it's $1000 to decrypt and keep $500 for yourself. He really deserves what he's getting.
 
Funny you should mention that. My QuickBooks used to prompt me every time I shut down and now it doesn't. There's no preference to prompt for backup that I can find, only preference to prompt to verify. I have to remember when it's on the right network with the backup NAS. Maybe this customer is suffering the same 'bug' ?

Edit: I found it. I have to manually select File->Backup, let it fail cos the NAS is not there, *then* the Options button appears. When I click that the Backup Options appears with the option "Remind me to back up when I close my company file every 4 times". The '4' is changeable. It hasn't 'reminded' me in a long time.
 
I don't use QB. But I cannot remember a situation where I did not see a backup prompt when Quitting on a customer's computer. I also seem to remember that the backup is a default option with a new install and migrating/importing a QB file. Of course, like most other things, my memory does _NOT_ get better with age. LOL!!!
 
Did you make an offline sector-by-sector image of the drive so you can try to recover deleted files using another computer?

Doing that overnight - sure is taking a while.

Though I had put it in my mental list, I could have forgotten. Thanks for the reminder.


If they really decrypt any file, maybe I'll try sending the QB data file then.
Though he has a second one, but didn't seem as worried, and I may have found a recovered one that didn't seem encrypted yet.
 
DEBRIEF:

Issues have been fixed, but pretty much because of luck. I am not marking this as "solved" because I don't want anyone in the future possibly stumbling on this and getting false hopes.
I should have checked for this stuff first, but I did not have access to QB yet, and I was preparing for worst case, getting ready for 'deleted data recovery', etc.

A combination of factors saved this client:

Quickbooks Auto Data Recovery, which had not yet been affected, and had very recent files. I'm not sure if they were made in direct response to the encryption.
The other data file he cared about was also not yet encrypted.

His manual backups were encrypted however, and I wonder if they kept the encryption busy.

Another big factor: After the virus encrypted a Quickbooks data file, and after the client tried to open Quickbooks, he received an error with a 'help link'. The link led to a page that informed him the file had been infected by Cryptolocker.

Kudos to QB for at least trying to inform people who have been affected.
This info led the man to just shut down immediately, and keep it off until he got help. If it weren't for the client trying to use QB, and if it weren't for that error message, the computer would likely have been left on (while possibly trying to fix the QB error).


tags: quickbooks cryptolocker, quickbooks and cryptolocker, auto data recovery.
 
One of those few cases where the crooks get thwarted. Always love to hear about them.

So, guess this guy is going to change his ways, eh?
 