New Ransomware Today (Cryptolocker Style)

Wheelie

A business client has a new variant of Cryptolocker/Cryptowall on their laptop and it has a new popup window I've not seen before. All the encrypted files have the file extension ".ENCRYPTED" added to the affected files. It encrypted Word docs, Excel spreadsheets, and jpg images but did not attack xml, Publisher, html or pdf files.

I have not had a chance to sit down and examine the PC for shadow copies, etc but will later. I could not find any information on this threat although I found lots of other unrelated variants. So far I have simply pulled the HDD and slaved to a bench PC and made a disk image and manual file backup along with a cursory examination that confirms the files are encrypted.

Anyone seen this one yet?

"Every important file (document,photos, videos, etc) on this computer has been encrypted using an unique key for this computer. It is impossible to recover your files without this key. Do not attempt to recover the files yourself, if you do the key will be deleted from the server and you won't ever be able to recover your files Click "recover my files" below to get the key. ... bla bla bla ... get the "tor browser" tartarusglcwhqsu dot onion (do not go there)

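For the "cursory examination" step above (the drive slaved read-only to a bench PC), here is an added triage script that is not part of the original post or of any vendor tool. It walks the mounted volume, tallies every file carrying the ".ENCRYPTED" marker by its original extension, and sorts each one into "encrypted", "intact-header" (original file signature still present, so the body may be only partially or not at all encrypted) or "plaintext" (low byte entropy). Two assumptions are mine, not from the thread: that the marker is appended after the original extension (contract.docx.ENCRYPTED), and that 7.0 bits/byte is a sensible entropy cut-off. The sample tree is constructed inline so the script runs offline.

```python
"""Triage a slaved, read-only mounted drive for ".ENCRYPTED" damage.

Added example; not code from the original post or from any vendor tool.
Assumptions (not stated in the thread): the ransomware appends
".ENCRYPTED" after the original extension (contract.docx.ENCRYPTED),
and a 7.0 bits/byte entropy threshold separates ciphertext from text.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".ENCRYPTED"

# File signatures of common victim formats. If a ".ENCRYPTED" file still
# starts with its original magic bytes, it was not (fully) encrypted.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG", ".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, original_ext: str, sample_bytes: int = 4096,
             threshold: float = 7.0) -> str:
    """Return 'encrypted', 'intact-header' or 'plaintext' for one marker file."""
    with path.open("rb") as fh:          # read only; never write to the suspect drive
        head = fh.read(sample_bytes)
    magic = MAGIC.get(original_ext)
    if magic and head.startswith(magic):
        return "intact-header"
    if shannon_entropy(head) < threshold:
        return "plaintext"
    return "encrypted"


def inventory(root: Path) -> dict:
    """Walk root (os.walk does not follow symlinks) and tally every marker file."""
    by_ext, by_status, odd = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith(MARKER):
                continue
            path = Path(dirpath) / name
            # Strip the marker, then take whatever extension the victim file had.
            original = Path(name[:-len(MARKER)]).suffix.lower() or "(none)"
            status = classify(path, original)
            by_ext[original] += 1
            by_status[status] += 1
            if status != "encrypted":
                odd.append(str(path.relative_to(root)))
    return {"by_extension": dict(by_ext), "by_status": dict(by_status),
            "total": sum(by_ext.values()), "needs_review": sorted(odd)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a victim's profile (assumption)."""
    rng = random.Random(7)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for ciphertext
    (root / "Documents").mkdir()
    (root / "Documents" / "contract.docx.ENCRYPTED").write_bytes(blob)
    (root / "Documents" / "budget.xlsx.ENCRYPTED").write_bytes(blob[::-1])
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg.ENCRYPTED").write_bytes(blob)
    # Failure modes worth catching: marker added but header left intact,
    # and marker added to a file whose body is still plain text.
    (root / "Scans").mkdir()
    (root / "Scans" / "receipt.pdf.ENCRYPTED").write_bytes(b"%PDF-1.4\n" + blob)
    (root / "notes.txt.ENCRYPTED").write_text("meeting notes\n" * 200)
    # Untouched files, matching the post's observation about html/xml.
    (root / "index.html").write_text("<html></html>")
    (root / "config.xml").write_text("<config/>")


def demo() -> dict:
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return inventory(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real case point `inventory()` at the mount point of the read-only image rather than at `demo()`'s temp directory. The "intact-header" check matters because docx, xlsx and jpg are already compressed, so their entropy is high whether or not they were encrypted; the magic-byte test is what actually distinguishes an untouched Office or JPEG file from ciphertext, and anything in `needs_review` deserves a manual look before you conclude the whole set is lost.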
 
Looks like the one our tech was remoted into when I went into his other office... it was a small law firm client of ours. The funny part... or not so funny... is, just when we picked up this small law firm client, he cancelled his offsite backup. He thought it was a ripoff: 450-something bucks a month. He said he would maintain his own backups, Server 2012 Essentials, on a WD external drive. Yeah... we know how that goes! //rolls eyes
At that time we pitched him a Datto Alto... and he declined.

Fast forward 9 or 12 months to... two days ago... Crypto'd! And by the time they discovered it and called us, it had been 4 or 5 days... and their server was tight on space, so it only kept a couple of "previous versions" copies, and those had already rolled past the date of encryption.
 
So I'm assuming he wasn't on the MSP plan then.... If so, I'm assuming you would have caught the infection and been able to clean up before it was too late. Or at least made an attempt.
 
...just when we picked up this small law firm client, he cancelled his offsite backup. He thought it was a ripoff: 450-something bucks a month. He said he would maintain his own backups, Server 2012 Essentials, on a WD external drive. Yeah... we know how that goes! //rolls eyes
At that time we pitched him a Datto Alto... and he declined.

$450 a month for offsite backups? Good Lord, can't say I blame him...!

(Sorry for him, but, perhaps now he will listen to you... from this time, ever after...) :)
 
A business client has a new variant of Cryptolocker/Cryptowall on their laptop

Might be a variant of Crypt0L0cker (swapped zeros for "o"). Take a look at this and see if the description matches:

http://www.bleepingcomputer.com/for...me-to-crypt0l0cker-and-bypasses-us-computers/

Which begs the question, what part of the globe does your customer hail from?

Pop a post in the above thread with the screenshot. There's a solution over there if it's a good match-up, but maybe the vendors got smarter with their encryption, despite the fact that they buggered the grammar again. No HTML ransom note?
 