Question about CryptoLocker

//raises hand

A few of them so far, 1 of them a business, the rest residential.

The business did not have a UTM appliance at the edge, and they didn't have a mail filtering service....we'd been pitching it to them for a few years now but it's a non-profit adult education agency that is rapidly sinking.

Up until that business last week that got hit, the others had Windows 7 computers and the earlier version of CL that did not kill the shadow copies...so we got their data back quickly 'n easily.

But now with newer variants that blow up the previous versions...I don't know what we're going to do for those that don't have backups. (When I say blow up previous versions...I'm talking about the newer versions that will either delete all existing shadow copies, or will encrypt them...rendering them useless to use for restoration of data.)

Haven't followed how the crooks are accepting money...nor how reliable their restore is if you pay the ransom. Any feedback on this folks?
 
I haven't come across it but I think it will depend on your options and your client's needs. Have you got a backup? Will Shadow Explorer do? How critical is the data to the client?

$300 isn't a lot of money for your data back, business or home. No one wants to pay these crooks but there are not many options if you get the virus.
 
Haven't followed how the crooks are accepting money...nor how reliable their restore is if you pay the ransom. Any feedback on this folks?
That's what I wanna know. Can you accept cash anonymously? Don't you have to have a bank account? Every time I've set up a bank account they've wanted me to show up in person with a driver's license I think. But maybe in other countries it's easier to set up a bank account.

Also if someone gets this virus and proceeds to remove the virus, can they still get their data back through the bad guys? My understanding is that removing the virus is the easy part, but then your files are still encrypted. With the virus removed how does one identify what key they need? Aren't the encryption keys unique to each infection?
 
That's what I wanna know. Can you accept cash anonymously? Don't you have to have a bank account? Every time I've set up a bank account they've wanted me to show up in person with a driver's license I think. But maybe in other countries it's easier to set up a bank account.

Also if someone gets this virus and proceeds to remove the virus, can they still get their data back through the bad guys? My understanding is that removing the virus is the easy part, but then your files are still encrypted. With the virus removed how does one identify what key they need? Aren't the encryption keys unique to each infection?

Here is a bit more information on it.

http://www.technibble.com/forums/showthread.php?t=52297

Short answer, if you delete the application you can get your data back, but it will cost you over 2K.
 
//raises hand

A few of them so far, 1 of them a business, the rest residential.

The business did not have a UTM appliance at the edge, and they didn't have a mail filtering service....we'd been pitching it to them for a few years now but it's a non-profit adult education agency that is rapidly sinking.

Up until that business last week that got hit, the others had Windows 7 computers and the earlier version of CL that did not kill the shadow copies...so we got their data back quickly 'n easily.

But now with newer variants that blow up the previous versions...I don't know what we're going to do for those that don't have backups. (When I say blow up previous versions...I'm talking about the newer versions that will either delete all existing shadow copies, or will encrypt them...rendering them useless to use for restoration of data.)

Haven't followed how the crooks are accepting money...nor how reliable their restore is if you pay the ransom. Any feedback on this folks?

Just to clarify; there are NEW versions of the CryptoLocker that are also encrypting/destroying shadow copies?? Eeeeek.....:eek::eek::eek:

Well, that's why we monitor our biz clients backups daily....
 
How many of you have encountered customers with this CryptoLocker virus?
And if they have critical data do you tell them to just pay the $300?

Yes, I had a business get hit with it. Their receptionist opened up an email attachment is how it got in.

Fortunately clean-up was very simple; I read the huge thread over at BleepingComputer that gave some great advice. Neither RKill, MBAM, nor my Windows Defender bootable CD found anything, so I had to manually delete the files & registry keys.

First I ran the Windows Defender CD on the infected host. Then did a test restore using shadow copies. After that proved successful, I restored all their encrypted files via shadow copies, scanned each other office PC just for the heck of it, as well as the server.

Manually cleaned the infected host.

All set.
 
Just to clarify; there are NEW versions of the CryptoLocker that are also encrypting/destroying shadow copies?? Eeeeek.....:eek::eek::eek:

Well, that's why we monitor our biz clients backups daily....

Yes....latest variants are doing one, or the other...or some combo of both. In that super long Crypto thread in the Viruses subforum they're talking about that newly added feature.

So our saving grace of restoring previous versions for those lucky enough to have it but didn't do backups...those "tricks up our sleeve" to make us heroes are now gone.
 
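
Added example, not from any post in this thread: a small check that flags the commands that wipe Volume Shadow Copies in process-creation logs, so the "previous versions" restore can be attempted before the copies are gone. The vssadmin / wmic forms are the usual way Windows malware removes shadow copies; the thread itself does not say how the newer variants do it, so treat that mechanism as an assumption. The host names, user names and log lines below are constructed for the example.

```shell
#!/bin/sh
# Flag shadow-copy destruction in process-creation logs (added example).
# Assumption: malware deletes shadow copies via vssadmin or wmic; the thread
# does not say which mechanism the new variants use.

# Constructed sample, one event per line: timestamp, host, user, command line
# (Sysmon event 1 style). Not a real capture.
SAMPLE_LOG='2013-11-04T09:12:01 WS-RECEPTION CORP\reception WINWORD.EXE /n C:\Users\reception\Downloads\invoice.doc
2013-11-04T09:12:44 WS-RECEPTION CORP\reception cmd.exe /c dir C:\Users\reception\AppData\Local\Temp
2013-11-04T09:13:02 WS-RECEPTION CORP\reception vssadmin.exe Delete Shadows /All /Quiet
2013-11-04T09:13:03 WS-RECEPTION CORP\reception WMIC shadowcopy delete
2013-11-04T10:00:00 SBS01 CORP\backupsvc vssadmin.exe list shadows
2013-11-04T10:05:00 SBS01 CORP\backupsvc vssadmin.exe create shadow /for=D:'

# Print every line whose command line destroys shadow copies. Case-insensitive
# and tolerant of extra spaces and the ".exe" suffix, so "VSSADMIN Delete Shadows"
# and "wmic shadowcopy delete" both match; listing or creating shadows does not.
shadow_deletion_events() {
    grep -iE 'vssadmin(\.exe)?[[:space:]]+delete[[:space:]]+shadows|wmic(\.exe)?[[:space:]]+shadowcopy[[:space:]]+delete'
}

# Number of matching lines in the text passed as $1 (0 when nothing matched).
count_shadow_deletions() {
    printf '%s\n' "$1" | shadow_deletion_events | wc -l | tr -d ' '
}

# Show the offending lines from the sample.
printf '%s\n' "$SAMPLE_LOG" | shadow_deletion_events
```

Feed it the process-creation events from the affected PC (or the whole fleet) and alert on any hit that is not your backup job; on the sample it reports the two deletion commands and ignores the list/create ones.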
Yep. We had a business customer hit. They had Trend WFBS, with email scanning on the Exchange server. Still slipped through and business owner opened an infected email. We thought we were OK as all of the documents on the PC were OK and readable. My Docs etc. were redirected to the SBS server and obviously CL couldn't come to terms with this so they didn't get encrypted.
However all data on their shared drives was encrypted. Took it as a live test of their backup..and had everything restored within 30 minutes!
 
Just to clarify; there are NEW versions of the CryptoLocker that are also encrypting/destroying shadow copies?? Eeeeek.....

Well, that's why we monitor our biz clients backups daily....

Are your backups just sitting on a mapped network drive or another attached drive? What is to prevent current or future revisions of CryptoLocker from encrypting your backups too?

This is just food for thought.

I am making sure my NAS boxes take ZFS snapshots and mapped drives to the backups are not left connected to them. Also, I am thinking if one of my systems gets hit, one of the first indications may be running low on space or large chunks of space getting suddenly chewed up on the NAS. So I investigate before just jumping out there and deleting snapshots to free space.
 
Yep. We had a business customer hit. They had Trend WFBS, with email scanning on the Exchange server. Still slipped through and business owner opened an infected email. We thought we were OK as all of the documents on the PC were OK and readable. My Docs etc. were redirected to the SBS server and obviously CL couldn't come to terms with this so they didn't get encrypted.
However all data on their shared drives was encrypted. Took it as a live test of their backup..and had everything restored within 30 minutes!

Well that makes me feel a tiny bit better that GFI MAV didn't catch it at my clients.....and makes me a hair less nervous about transitioning another new client from Trend WFBS to GFI MAV....

I had the same experience as you; my client that got it also has their docs redirected to the server & those all were unaffected.
 
Are your backups just sitting on a mapped network drive or another attached drive? What is to prevent current or future revisions of CryptoLocker from encrypting your backups too?

This is just food for thought.

I am making sure my NAS boxes take ZFS snapshots and mapped drives to the backups are not left connected to them. Also, I am thinking if one of my systems gets hit, one of the first indications may be running low on space or large chunks of space getting suddenly chewed up on the NAS. So I investigate before just jumping out there and deleting snapshots to free space.

How do you manage to ensure your backup devices do not stay connected to your servers?

What backup systems are you using?

I too started to think of a way to keep some sort of off-line backup in light of the news of this new variant....can't think of a way that doesn't involve human interaction but I'm sure I'm missing something...
 
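
Added example, not from any post in this thread, covering both the ZFS-snapshot setup described a few posts up and the question just asked about keeping backups disconnected. The idea is a pull model: the NAS logs into each client and copies the data, then freezes it in a snapshot. The client never holds a credential for the NAS and no share to the backup store is ever mapped on a workstation, so an encryptor on the client cannot reach the backups, and a snapshot cannot be altered through any share anyway. The second function is the "space suddenly chewed up" check from that earlier post, done over two captures of `zfs list`. Pool name "tank", the dataset layout, the "backup" ssh account on each client, and the capture data are all assumptions made for this example.

```shell
#!/bin/sh
# Pull-based backups onto a ZFS NAS with read-only snapshots, plus a growth
# alarm on snapshot space (added example). Assumed, not from the thread: pool
# "tank", one dataset per client under tank/backups, and a "backup" account on
# each client reachable over ssh with a key that only the NAS holds.

# Pull one client's data into its dataset, then snapshot it. The NAS initiates
# the copy; the client has nothing that can write to the NAS. If a later pull
# copies encrypted files over the live dataset, the earlier snapshot still
# holds the clean blocks. Meant to run from cron on the NAS.
pull_backup() {
    client="$1"                    # e.g. sbs01.example.local (assumed name)
    src="$2"                       # path the client's ssh/rsync service exposes
    ds="tank/backups/$client"
    rsync -a --delete -e ssh "backup@$client:$src" "/$ds/" || return 1
    zfs snapshot "$ds@$(date -u +%Y%m%dT%H%M%SZ)"
}

# Compare two captures of `zfs list -Hp -t snapshot -o name,used` (name, TAB,
# bytes) and print "name before after" for each snapshot whose unique space
# grew by more than $3 bytes between them. Overwriting lots of files in the
# live dataset, which is what an encryptor does, leaves the old blocks
# referenced only by the newest snapshot, so its USED column jumps. Alert on
# that rather than deleting snapshots to free space.
snapshot_growth() {
    awk -F '\t' -v thr="$3" '
        FILENAME == ARGV[1] { before[$1] = $2; next }
        ($1 in before) && ($2 - before[$1] > thr) { print $1, before[$1], $2 }
    ' "$1" "$2"
}

# Constructed captures for the example (not real zfs output): an hour apart,
# the sbs01 snapshot's unique space goes from 8 KiB to 5 GiB.
write_sample_captures() {
    printf 'tank/backups/sbs01@20131104T0100Z\t4096\ntank/backups/sbs01@20131104T0200Z\t8192\ntank/backups/ws02@20131104T0200Z\t1024\n' > "$1"
    printf 'tank/backups/sbs01@20131104T0100Z\t4096\ntank/backups/sbs01@20131104T0200Z\t5368709120\ntank/backups/ws02@20131104T0200Z\t2048\n' > "$2"
}

# Run the growth check over the sample captures with a 1 GiB alert threshold.
demo_growth() {
    b=$(mktemp) && a=$(mktemp) || return 1
    write_sample_captures "$b" "$a"
    snapshot_growth "$b" "$a" 1073741824
    rm -f "$b" "$a"
}

demo_growth
```

On a real NAS, save `zfs list -Hp -t snapshot -o name,used` to a file after each pull and run `snapshot_growth` against the previous capture; a hit means the live dataset was rewritten wholesale since the last snapshot, which is exactly when you stop the next pull and look at the client instead of freeing space. Windows clients need an ssh/rsync service installed for the pull; a read-only SMB mount from the NAS side works the same way as long as the credential lives on the NAS.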
Did someone mention Microsoft in this thread...... I wonder if there will be any kind of 'intervention' from the big boys regarding this online theft..... This is a criminal activity after all which shows no signs of going away.....
 
Do we know for sure the most common way it is getting in?

I know that my client who got zapped, opened a .zip file.

Would it make sense to block all .zip files on the client's Exchange or hosted spam filter? Or is this getting through another way?

I think that zip files are uncommon enough that any inconvenience would be worth the security.
 
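
Added example, not from any post in this thread: the attachment-name block the question asks about, written as a Postfix mime_header_checks rule, with a small harness that shows which header lines it rejects. Postfix is assumed (the thread mentions Exchange and hosted filters, not Postfix), and the extensions beyond .zip are the usual executable types, not something the thread reports; the header lines are constructed.

```shell
#!/bin/sh
# Attachment-name rejection for mail (added example). Assumptions: Postfix is
# the MTA, and the extension list beyond .zip is a generic executable set that
# the thread does not itself mention.

# Postfix regexp maps use POSIX extended regex and are case-insensitive by
# default, so one pattern serves both the MTA rule and grep -E below.
# In /etc/postfix/mime_header_checks the rule is the pattern plus an action:
#   /<pattern>/  REJECT Attachment type not allowed: $2
# enabled in main.cf with:
#   mime_header_checks = regexp:/etc/postfix/mime_header_checks
#
# The pattern matches filename= and name= parameters (and RFC 2231 filename*=),
# quoted or not, whether or not more parameters follow (filename="a.zip"; size=1).
# $2 is the captured attachment name.
ATTACHMENT_RE='^[[:space:]]*Content-(Disposition|Type):.*name\*?[[:space:]]*=[[:space:]]*"?([^";]*\.(zip|rar|exe|scr|pif|com|cab|js))("|;|[[:space:]]|$)'

# Print REJECT if a MIME header line would trip the rule, PASS otherwise.
attachment_verdict() {
    if printf '%s\n' "$1" | grep -qiE "$ATTACHMENT_RE"; then
        echo REJECT
    else
        echo PASS
    fi
}

# Constructed header lines for the harness (not taken from a real message).
for hdr in \
    'Content-Disposition: attachment; filename="invoice_1234.zip"' \
    'Content-Type: application/octet-stream; name="Report.PDF.exe"' \
    "Content-Disposition: attachment; filename*=UTF-8''Faktura.ZIP" \
    'Content-Type: application/zip; name="photos.zip"; size=100' \
    'Content-Disposition: attachment; filename="minutes.docx"' \
    'Content-Type: text/plain; charset=us-ascii'
do
    printf '%-7s %s\n' "$(attachment_verdict "$hdr")" "$hdr"
done
```

The check only sees the declared name, so a .zip that wraps an executable, or an archive given a harmless extension, gets through it; catching those needs a content filter (amavisd-new or the hosted service) that actually opens the archive. The trade-off the question raises still applies: blocking .zip outright stops the delivery vector seen here at the cost of every legitimate zipped attachment, so warn users how to send files another way before switching it on.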
I had a client hit this Monday. Had to wind up paying the ransom. It got everything on the mapped drives (docs, xls, pdf, jpg, etc), but not the stuff shared via UNC. Yesterday, we finally got everything decrypted. I sold them an Alto unit and new Rackspace email hosting.
 
I had a client hit this Monday. Had to wind up paying the ransom. It got everything on the mapped drives (docs, xls, pdf, jpg, etc), but not the stuff shared via UNC. Yesterday, we finally got everything decrypted. I sold them an Alto unit and new Rackspace email hosting.

I had a client get hit - came in as an email attachment.
Fortunately, it only got two workstations and one shared drive. In the process of migrating them to Rackspace as well. :cool:
 