CryptoLocker - New Ransomware

Had my first experience with CryptoLocker and have the infected PC in the shop today. He has the latest version of CL which encrypts all volume shadow copies. I loaded Shadow Explorer and tried each of the four recent restore points and all were encrypted.

Customer wants me to pay extortionist for recovery. Extortionist is asking for 2 Bitcoins (which at today's rate of $355US would be about $710US) or he wants a $300 Green Dot MoneyPak. My client's secretary is out buying the MoneyPak now.

I hope this clown gets busted.
 
Also the one we had get hit yesterday....had the version which killed the local shadow copies. So stuff on her desktop was gone. The slide bar for shadow copies was all the way to the left on 0.0%.
 
"He has the latest version of CL which encrypts all volume shadow copies."

See if you can get a copy of the exe and shoot it to Virustotal.

What A/V was the customer running?
 
"What A/V was the customer running?"
LOL - Waaaaaay expired Trial Version of McAfee from 2011. This is the president/owner of a fairly prominent local company (he is very wealthy). A $1000+ Core i7 Lenovo desktop PC.

I just entered the MoneyPak number a few minutes ago and it is NOT doing anything but sitting there with dots going across the screen :confused:
 
She may have had system restore turned off?

No...we deployed identical images to all of these workstations just a few months ago, all others have it enabled and around 12% space on the slide bar (default setting)

Since the latest variants of CL encrypt shadow copies...it does make sense that the OS cannot detect and measure them, and that it cannot report a size.
 
Since the latest variants of CL encrypt shadow copies...it does make sense that the OS cannot detect and measure them, and that it cannot report a size.
True.

On another note: Screen says: "Waiting for Payment Activation" after I put in the MoneyPak number about 30 minutes ago. If this does not work I may try a reboot and see if that works. If that does not work should I reinstall the virus? He has a web site listed on the desktop background with a URL for the virus.
 
Just a heads up to anyone else in similar circumstances.

I've been concerned about CryptoLocker more from a "how will it affect my customer?" standpoint, rather than worrying about how it might impact me personally, as my shop is mostly all Linux. Then, I got to thinking. I have a Windows XP VM that runs almost all the time on the front office check-in machine.....which has a mapped drive to a samba share on my server, as well as mapped drives to two shared folders on the host OS! The proverbial lightbulb just came on a few moments ago. :o I should probably fix this.
 
I had read that it was running VSSADMIN in the background to delete shadow copies, not encrypt them. Source? I don't remember mine...

This very thread here....they mentioned it encrypts the copies. So since the rig we had to fix yesterday didn't have any copies, I assumed this thread was correct with saying they were encrypted since the symptoms fit.

Deletes them, encrypts them...either way...the ultimate fate of the clients is the same.
 
I had read that it was running VSSADMIN in the background to delete shadow copies, not encrypt them. Source? I don't remember mine...

This very thread here....they mentioned it encrypts the copies. So since the rig we had to fix yesterday didn't have any copies, I assumed this thread was correct with saying they were encrypted since the symptoms fit.

Deletes them, encrypts them...either way...the ultimate fate of the clients is the same.
You are both correct.

1) Using Shadow Explorer - It encrypted the 3 or 4 system restore versions on my customer's PC. I restored all of them to an external HDD using Shadow Explorer while the PC was offline and all data was encrypted (but there). In other words Shadow Explorer could see the 3 or 4 recent dates and I could export each of them to the Ext HDD but all 3 or 4 versions were encrypted.

2) Using Windows built-in "Restore Previous Versions" selection in Windows Explorer I could not see any previous versions. So it was "blind" to any recoverable files in the shadow copy.

It all ended well for my customer. Paying the $300 MoneyPak ransom fee decrypted the data **BUT** it took like an hour to start the process and during that time it appeared the program was not doing anything. Then all of a sudden a window popped up and said it was decrypting my files and 20 minutes later we were done. Happy ending of a different type ;)

 
I had read that it was running VSSADMIN in the background to delete shadow copies, not encrypt them. Source? I don't remember mine...

It deletes them.

And from Bleeping Computer
Newer variants of CryptoLocker will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so you should continue to try restoring your files using this method.
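Detection angle on the vssadmin behaviour quoted above, as an added example that is not from this thread or from Bleeping Computer: it scans constructed process-creation log lines (hypothetical hosts, users and paths, flattened to a key=value format) for the shadow-copy deletion commands and reports which parent process launched them, which is the thing a defender wants to catch before the restore points are gone.

```python
"""Flag shadow-copy deletion commands in process-creation log lines.

Added example, not from the thread. The log lines are constructed to mimic
Windows 4688 / Sysmon event-1 fields flattened to key=value; adapt
parse_line() to your real log format.
"""
import re

# Constructed sample lines (hypothetical host, users and paths).
SAMPLE_LOGS = [
    'ts=2013-10-22T09:14:03 host=FRONTDESK user=secretary image="C:\\Windows\\System32\\vssadmin.exe" '
    'cmd="vssadmin.exe Delete Shadows /All /Quiet" parent="C:\\Users\\secretary\\AppData\\Local\\Temp\\attachment.exe"',
    'ts=2013-10-22T09:14:05 host=FRONTDESK user=secretary image="C:\\Windows\\System32\\wbem\\WMIC.exe" '
    'cmd="wmic shadowcopy delete" parent="C:\\Users\\secretary\\AppData\\Local\\Temp\\attachment.exe"',
    'ts=2013-10-22T09:20:11 host=FRONTDESK user=SYSTEM image="C:\\Windows\\System32\\vssadmin.exe" '
    'cmd="vssadmin list shadows" parent="C:\\Windows\\System32\\svchost.exe"',
]

# key=value, where a value is either a quoted string (may contain spaces) or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict of field name -> value."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}

# Command shapes that remove restore points; matched case-insensitively.
# Listing shadows ("vssadmin list shadows") is legitimate and must not match.
DELETE_PATTERNS = [
    re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows', re.I),
    re.compile(r'wmic(\.exe)?\s+shadowcopy\s+delete', re.I),
]

def is_shadow_deletion(cmd):
    """True if the command line would delete volume shadow copies."""
    return any(p.search(cmd) for p in DELETE_PATTERNS)

def find_shadow_deletions(lines):
    """Return (host, user, cmd, parent) for every deletion seen in the lines."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if is_shadow_deletion(ev.get("cmd", "")):
            hits.append((ev.get("host", "?"), ev.get("user", "?"), ev["cmd"], ev.get("parent", "")))
    return hits

if __name__ == "__main__":
    for host, user, cmd, parent in find_shadow_deletions(SAMPLE_LOGS):
        print("ALERT shadow copies deleted on %s by %s: %s (parent %s)" % (host, user, cmd, parent))
```

A vssadmin or WMIC deletion whose parent is a freshly dropped executable under a user profile, rather than a backup agent or an administrator's console, is the pattern worth paging on.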
 
I did not experience that today with the Cryptolocker virus. The shadow copies were there but they were encrypted.


Interesting maybe there are multiple versions or they tried the delete method before they started to encrypt the shadow copies.
 
Just a heads up to anyone else in similar circumstances.

I've been concerned about CryptoLocker more from a "how will it affect my customer?" standpoint, rather than worrying about how it might impact me personally, as my shop is mostly all Linux. Then, I got to thinking. I have a Windows XP VM that runs almost all the time on the front office check-in machine.....which has a mapped drive to a samba share on my server, as well as mapped drives to two shared folders on the host OS! The proverbial lightbulb just came on a few moments ago. :o I should probably fix this.

Huh. Similar situation for me: I'm primarily on Linux, but I have a few Windows VMs, including a Windows 7 VM that is almost always running and has access to most of my business files via a Samba share.

It seems stupidly obvious now that you mention it, but I never thought about it. I'm adding "immunize Windows VMs" to today's to do list...
 
Just a heads up to anyone else in similar circumstances.

I've been concerned about CryptoLocker more from a "how will it affect my customer?" standpoint, rather than worrying about how it might impact me personally, as my shop is mostly all Linux. Then, I got to thinking. I have a Windows XP VM that runs almost all the time on the front office check-in machine.....which has a mapped drive to a samba share on my server, as well as mapped drives to two shared folders on the host OS! The proverbial lightbulb just came on a few moments ago. :o I should probably fix this.

Are you checking and opening unknown and typically suspicious e-mail attachments from it? If not...I wouldn't be losing sleep over it.
 