CryptoLocker - New Ransomware

There can't be an equivalent. The reason why there's no XP support for Shadow Explorer isn't because the developers didn't feel like making it, it is because XP doesn't back up the files, and thus there are no shadow copies to explore.

Shadow Explorer uses a poorly documented and little known backup. On XP, the only backups you'll find are the ones the user or you set up prior to encryption.
 
A freeware program called "Shadow Explorer" provides that interface. Using Shadow Explorer, I was able to grab three day old "Previous Versions" of all the customer's data.

Score one for the "Good Guys."

Rick

Just a note for everyone that is rushing out for this "Shadow Explorer"...you don't need 3rd party software for Pro and higher versions of Windows, nor any Server version. You very simply right click the directory...and select "Previous Versions" option in the context menu. Browsing previous versions is built right into Windows Explorer.
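A check that goes with this, added here as an example and not taken from the thread: before relying on Previous Versions, confirm the machine actually has shadow copies to browse. It assumes Windows Vista/7 or Server with WMI available and runs elevated; the volume-to-shadow matching is done on the \\?\Volume{GUID}\ device ID.

```powershell
# Added example (not from the thread): report VSS shadow copies per volume so you
# know whether "Previous Versions" recovery is possible before touching an infected box.
# Assumes Vista/7/Server with WMI; Get-WmiObject works on PowerShell 2.0 and later.

$volumes = Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveLetter }
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy)

foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName uses the \\?\Volume{GUID}\ form, which is
    # exactly what Win32_Volume.DeviceID reports, so compare those two fields.
    $copies = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
    if ($copies.Count -gt 0) {
        $newest = $copies |
            Sort-Object { $_.ConvertToDateTime($_.InstallDate) } -Descending |
            Select-Object -First 1
        "{0} : {1} shadow copies, newest {2}" -f $vol.DriveLetter,
            $copies.Count, $newest.ConvertToDateTime($newest.InstallDate)
    } else {
        "{0} : NO shadow copies - Previous Versions will be empty here" -f $vol.DriveLetter
    }
}

# New copies are only created while these services can run; a stopped VSS
# service is the first thing to look at when a box that should have copies has none.
Get-Service -Name VSS, swprv | Select-Object Name, Status
```

Run it from the clone or a clean boot rather than from the infected session where possible, since the result only tells you what still exists on that volume at that moment.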
 
I was wondering about just the infection, not the encrypted files.

The laptop we had a week or so ago...yeah MalwareBytes and our usual run of tools cleaned it up easily. But since new variants come out almost hourly...if not 5 minutes later....hard to say how the next infection will go.
 
Which is what I've been doing, since Shadow Explorer will not work properly for me for whatever reason. Tried multiple times on multiple computers with no such luck.
 
New business customer called me up, their accounting machine got hit, no backups, Windows XP Pro (no shadow copies), trivial to remove, but no cigar on getting files back.

This has shaken me a bit, going to have to think about current customers backup methods, some are just using a samba share.
 
An MSP client got hit on one workstation today. We immediately disconnected it from the server shares and checked it out via LogMeIn. Managed Antivirus was popping up messages about it blocking dangerous files. Ran RKill and it stopped two processes with random names. Apparently it had unpacked its payload, even installed drivers, but was being prevented from running the encryption routine by Vipre.
Malwarebytes and other tools identified it as Cryptovirus.
I think we are going to add Malwarebytes Pro to all our MSP clients' workstations.

This is the second virus in about a month on different client workstations. Although the other virus was not Cryptovirus, the thing that both end users said when I asked if they had opened any odd email attachments was that yes, they did but that was up to a week ago...
Could it be waiting for some time to launch after arriving on the PC?
 
I've heard that more than once. Look, if you've got a good delivery system with good social engineering, you wouldn't want it to be ID'd. Word would spread and that would crimp your revenue.
 
I always wonder if paying the ransom will actually get your files decrypted.

I suppose if you're desperate enough you'll try it but I haven't heard about anybody who actually paid it.

My boss paid it today and he got a key and it worked and our client got all their data back!!!

Downside to this: you have to use Bitcoin to pay, which can be dodgy.
 
Backup strategy matters...

So I mentioned earlier in this post that I had a client with CryptoLocker and was able to remove it without any issue. Any encrypted files were restored easily with Shadow Copy on the server.

Another client called later in the afternoon and had been trying to battle it on their own all day. First, they didn't clean it completely... Second, they thought they could just restore their docs from Carbonite. Tsk... Tsk... Tsk...

First, they let Carbonite back up files immediately, so all the encrypted files were being backed up all day. Even though Carbonite has started keeping multiple versions, a lot of the folders were not showing the previous version. So there must be something in CryptoLocker screwing with the backup files.

Definitely moving them to a cold storage solution to go along with their Carbonite... really thinking of getting them onto Mozy. It has much better versioning.

Anyone else changing their backup strategy?
 
An interesting point I just saw on Reddit...

CosmikJ: It's scary how much money they must be making from this. I've known of a security research firm who constructed their own botnet using a public proxy server. They publicised one IP and gained 5000 Zombies in the first day. The users were warned that they would become part of the botnet too. This malware is being spread without this kind of warning and on an alarming scale. Even if we use the extremely conservative estimate of 5000 users per day, which is a no-effort infection rate, this is still 240,000 infections over the roughly ~48 days since the malware went public. Given the estimated 3% payout rate (which I believe is also conservative), that equals a total earnings to date of $2,160,000 based on two conservative estimates. Which is INSANE.

This is going to send a message to other purveyors of malware and I am not looking forward to the consequences.

Yeah, that last sentence :(
 
Got my first one with this variant on my bench just now. In the past I have been able to decrypt files, but it seems no tool can do this for CryptoLocker.

Cloning the hard drive now before I even try and boot into Windows. It is Vista Basic, so hopefully it supports shadow volumes, BUT I bet the virus has disabled System Restore.

The client got it by opening an email from Inland Revenue. He is a very clever bloke too :(.
 
My old team just dealt with 4 infections of MSP clients in the last couple weeks.

EVERY one of them was a phishing email, they opened an attachment.

"All employees must fill out and sign the attached expense report, blah" - very official looking..

It is worse than anyone describes.

This was a Win7 machine with no shadow copies, no backups of Desktop/Documents, trained to use a network share - and they did - but the virus encrypted the entire network share as well.

We ended up having to go withdraw $300 from the ATM, get a greendot, and send them the money.

There were files on the shares that it wasn't worth the $300 to have to go back a day or two in backups to retrieve.

What a nightmare.

Infections 2 and 3 were in the same office; they 'double encrypted' a network share, which was a disaster. We had a good backup in S3 and cleaned/restored from backup.

Infection 4 was an executive. Most important things were in Dropbox; looked at the list of encrypted files and said 'not worth it, wipe it, let's start over'.

Since then - I'm totally shocked at how bad this thing is, it seems like we had a nice 15~ year run where viruses weren't destroying data, and now they are again. It's sad.

Seriously, the last 15 years, a virus meant your machine was spamming, or you saw ads, or they were getting your banking info, but your data was always fine.

SELL MORE BACKUPS. PEOPLE MUST HAVE GOOD BACKUPS.

IT IS TIME.

:)
 
I fully agree with you... backups are so important right now.

I'm still restoring approx. 400 GB of data from backups.
 
Ouch!! I agree, backups are more important than ever! I have advised my clients to not open any emails with attachments unless they absolutely know who it is from. Common sense here but I understand things happen. Still nothing on my end though that I have run into.
 
I have terabytes of photos that would be beyond painful to lose. Since my Windows Home Server died anyway, I think I'm going to look into a NAS that gets unplugged for my home rig...
 
So it turns out the GPOs and using Nick's CryptoLocker prevention tool are not really a viable solution for us to maintain hundreds of our clients' desktops, as it also blocks the ability to install new legitimate software and update most 3rd party apps. This got me thinking: is there a way to enable UAC for the temp folder, or possibly move the temp folder to a location that prompts for UAC?

Am I missing another option?

I did receive confirmation that Continuum's supplied version of Malwarebytes is the Pro version which is encouraging.
 