CryptoLocker - New Ransomware

Google is your friend...

Worked on my first one of these today, Googled first. Removal of the infection is easy... Saving customer data is another story.

Vista Business and Ultimate, and all versions of Win 7 have a feature called "Previous Versions"... Found out thanks to Google that other versions of Vista also have it, and it is turned on by default; they just don't provide an interface for it. A freeware program called "Shadow Explorer" provides that interface. Using Shadow Explorer, I was able to grab three-day-old "Previous Versions" of all the customer's data.

Score one for the "Good Guys."

Rick
 

Nice tip, rep given :)
 
Great find, thanks for sharing.

I would have loved to have used this on my bus client, who has no backups at all. Unfortunately, they are all running on XP machines. Another :Doh!!:
 

Hi Rick, I hope you don't mind but i posted your info on this link on this thread:
http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-17

and compman25 tried it and it worked for him. Great stuff, at least two people who don't have to pay these pathetic wasters! May good Karma come back to you!

Secc
 

Wow... brilliant find! I haven't run into this virus yet, but I've been studying it because the idea of telling a customer "there's nothing I can do, you may have to think about paying the ransom" is my worst nightmare.
 
This virus is similar to Dirty Decrypter. We've only seen it once about 6 weeks ago. Did not know about Shadow Explorer. Customer did not pay ransom to retrieve files.
 
Make sure you have the protection settings in system restore enabled on all data drives so a shadow copy is created.

Also, in Win 8 it looks like the feature is called file history and it is disabled by default so don't forget to enable it. I'm going to do that on all 8 installs from now on and as part of my tuneup.

http://windows.microsoft.com/en-us/windows-8/how-use-file-history

http://windows.microsoft.com/en-us/windows-8/set-drive-file-history

I am also going to reformat the thumb drives that I use for temporary storage from FAT32 to NTFS.

Once again, great find by red12049.
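The two posts above boil down to one procedure: make sure System Protection (and therefore Volume Shadow Copy) is switched on for every data drive, confirm shadow copies actually exist, and, after an infection, pull the pre-encryption versions out of the newest copy. The script below is an added example, not code from this thread or from the Shadow Explorer project. It assumes an elevated PowerShell 3.0 or newer session (Windows 8, or Windows 7 with WMF 3.0) and the built-in vssadmin.exe; the 15% storage cap, the mount point C:\ShadowMount and the D:\Recovered destination are my own choices and can be changed.

```powershell
# Added example (not from the thread or from Shadow Explorer): inventory the shadow
# copies that "Previous Versions" reads, enable System Protection on fixed volumes
# that have none, and expose the newest copy of C: as a folder for file recovery.
# Assumes elevated PowerShell 3.0+ on Windows 7/8 and the built-in vssadmin.exe.

# Fixed local disks with a drive letter (Win32_LogicalDisk DriveType 3 = local disk)
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
          Select-Object -ExpandProperty DeviceID               # e.g. "C:", "D:"

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\ form,
# so that is the key used to match shadow copies to drive letters.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

function Get-NewestShadow([string]$driveLetter) {
    $vol = $volumes | Where-Object { $_.DriveLetter -eq $driveLetter }
    if (-not $vol) { return $null }
    $shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate | Select-Object -Last 1
}

foreach ($drive in $drives) {
    $newest = Get-NewestShadow $drive
    if ($newest) {
        Write-Output ("{0}: newest shadow copy from {1}" -f $drive, $newest.InstallDate)
        continue
    }

    Write-Output "$drive has no shadow copies; enabling System Protection"
    # Enable-ComputerRestore needs the trailing backslash and a client edition of Windows
    Enable-ComputerRestore -Drive "$drive\"
    # Reserve enough shadow storage (assumed 15%) that copies are not evicted after a day or two
    & vssadmin.exe Resize ShadowStorage /For=$drive /On=$drive /MaxSize=15%
    # Take a first copy now. 'vssadmin create shadow' is Server-only; on client Windows
    # the Win32_ShadowCopy.Create method does the same job.
    Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = "$drive\"; Context = "ClientAccessible" } | Out-Null
}

# Recovery after an infection: mount the newest copy of C: as a plain folder.
# This is the same mechanism Shadow Explorer uses; the trailing backslash after
# DeviceObject (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) is required.
$target = Get-NewestShadow 'C:'
if ($target -and -not (Test-Path 'C:\ShadowMount')) {
    cmd.exe /c mklink /d C:\ShadowMount "$($target.DeviceObject)\"
    # Copy the pre-encryption user documents out to another drive (paths are assumptions)
    New-Item -ItemType Directory -Path 'D:\Recovered' -Force | Out-Null
    Copy-Item -Path 'C:\ShadowMount\Users\*\Documents' -Destination 'D:\Recovered' `
              -Recurse -ErrorAction Continue
    # Remove the link (not the data) when done:  cmd.exe /c rmdir C:\ShadowMount
}
```

Run the inventory part before trouble strikes, as part of the tune-up mentioned above; a drive that reports no shadow copies is a drive with no "Previous Versions" to fall back on. The copies live on the same disk as the data and are not a substitute for an offline backup: anything that can write to the volume with enough rights can also discard them, so treat them as the quick first recovery option, not the only one.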
 
Previous Versions was mentioned in an earlier thread about Dirty Decrypt on here. Unfortunately my client who got infected with this, had System Restore switched off - not on purpose and possibly the doing of Dirty Decrypt.
I'm sure the Crypto Locker ones will get wise to this and we may soon see whole disk encryption. :eek:
 

Excellent information as well! Reputation given as well! I will be doing that as well.
 
Whole disk encryption I find unlikely in the near future. Infecting the most computers is easiest when the virus doesn't require anything that would trigger UAC or hit the heuristics threshold of most antiviruses. Basically it will be able to get the most people by focusing on things that do not require admin rights or accessing files that you wouldn't expect a typical user to be accessing on a regular basis.
 
They have to make sure you're able to pay them...

That too, but in theory if a virus were able to go through that level of depth of whole disk encryption, it would also be able to put on, say, a 50MB Puppy Linux setup with a custom program to access it.

Again, to the best of my knowledge that is very much impractical, and almost certain to trigger even the worst of security programs, setting off red flags every step of the way.
 
I can confirm that Shadow Explorer worked great. Had a client that got hit on 9/12 and the server files were encrypted. The last backup was from 9/6 which worked, but I got Shadow Explorer portable and was able to restore everything from 9/11.
 
I have found the Shadow Explorer but not the portable version.
Can you please provide a link?
Thank you in advance.
 
Curious, are there any options similar to ShadowExplorer for XP? I'm kind of doubting it, but perhaps there is freeware (or payware) available to do something similar.
 