cryptolocker - cannot decrypt...

Discussion in 'Business & Enterprise Computing' started by TehCamel, Sep 1, 2014.

  1. TehCamel

    TehCamel Member

    Joined:
    Oct 8, 2006
    Messages:
    4,183
    Location:
    Melbourne
    Yep, here's a fun one.

    End-user (with an absence of antivirus) has had all his files locked by Cryptolocker. Has no backups or previous-versions. (Naturally.)
    File modification date was the 30th of July...

    Tried using FireEye's service and it says the files aren't encrypted by Cryptolocker... so it's obviously some sort of variant.

    Any other options, apart from stumping up cash?
     
  2. person

    person Member

    Joined:
    Mar 7, 2003
    Messages:
    338
    Location:
    Brisbane
    You could ask at bleepingcomputer to tell you what variant you have... not sure it would help though.

    http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-101
     
  3. damn duck

    damn duck Member

    Joined:
    Jul 23, 2012
    Messages:
    1,563
    Location:
    duck pond
    Shadow copies?
     
  4. OP
    OP
    TehCamel

    TehCamel Member

    Joined:
    Oct 8, 2006
    Messages:
    4,183
    Location:
    Melbourne
    Nah... no previous versions.

    Doesn't help if the Tor-based payment site isn't working... :p
     
    Last edited: Sep 1, 2014
  5. Manusdei

    Manusdei Member

    Joined:
    Jan 12, 2007
    Messages:
    557
    Location:
    Darwin...
    Last edited: Sep 1, 2014
  6. Sphinx2000

    Sphinx2000 Member

    Joined:
    Sep 16, 2001
    Messages:
    8,412
    Location:
    Brisbane
    Hmm, bummer on FireEye, but don't these things usually have a 3-day time limit to pay?
    Sounds like your end-user may be up the proverbial...
     
  7. ZXR

    ZXR Member

    Joined:
    Jun 10, 2005
    Messages:
    1,590
    Location:
    Belconnen
    This reminds me to re-setup my automatic backup of photos/documents/important stuff to my online backup accounts. I haven't done it since re-installing windows a few weeks ago.

    -ZXR
     
  8. azron

    azron Member

    Joined:
    Feb 27, 2004
    Messages:
    1,076
    Location:
    Melbourne
    Consider the data lost. And take it on the chin that you/they failed to implement a tested backup routine.

    Resist the urge to pay.

    Paying the ransom will only spur on the thieves to build better styles of attack for use in the future, with the potential of targeting you/them because, well, you were an easy target, and the variant contracted may have also taken identifying information of your online presence (browser history, cookies, etc.).

    Again, resist the urge to pay anything.

    Cryptolocker is dead. Hence the decrypt service. Cryptowall and its variants are the most likely culprit here...
     
  9. glimmerman

    glimmerman Member

    Joined:
    Nov 3, 2005
    Messages:
    2,204
    Location:
    Perth
    If the loss of data costs $x, which is more than the payment amount, then pay the ransom...
     
  10. cbb1935

    cbb1935 Guest

    If you can find the method of infection (or a file relating to it)... upload the file to virustotal, and that will give you an idea what virus and specific strain you are facing a battle with.

    Generally speaking though I'm agreeing with azron here. Consider it a loss and work from there.

    The only other way you MIGHT have some (minimal) success is using Recuva and recovering deleted files (and possibly deleted backups/shadow versions) of the files.

    I've heard of this working before with one variant which encrypted the files and deleted the non-encrypted versions.

    Worth a shot and it's free!
     
  11. azron

    azron Member

    Joined:
    Feb 27, 2004
    Messages:
    1,076
    Location:
    Melbourne
    No no nope.

    How do you quantify the risk to the business of 'inviting' potential attacks in the future, spurred on by paying the ransom and proving to the attackers that you're susceptible...

    Do not pay. Please don't do it. Cry a bit over the data loss and get on with rebuilding whilst implementing a solid backup plan.
     
  12. OP
    OP
    TehCamel

    TehCamel Member

    Joined:
    Oct 8, 2006
    Messages:
    4,183
    Location:
    Melbourne
    I believe if it was "corporate" data it might be a bit easier to take it on the chin and accept the loss of data.

    However, in this particular instance it seems to be lots of personal data...

    It does look more like Cryptowall actually...
     
  13. heydonms

    heydonms Member

    Joined:
    Sep 15, 2008
    Messages:
    629
    Obviously this is the ideal approach but it's not realistic.

    The best you can hope for is:

    If $X is higher than the requested cost + $Y, then pay the ransom, where X is the cost of lost data and Y is the expected cost of future attacks. As you point out, backups are the solution, so it is easy to minimize Y for yourself, and future attacks become someone else's problem.

    If a client comes to you for help, they are paying you to help them, not all of society and unfortunately being an idealist doesn't pay the bills.
     
  14. Sphinx2000

    Sphinx2000 Member

    Joined:
    Sep 16, 2001
    Messages:
    8,412
    Location:
    Brisbane
    Not too quick with the auto... you don't want to upload the encrypted files over the top... ;)

    (unless they provide archived versions)
     
  15. glimmerman

    glimmerman Member

    Joined:
    Nov 3, 2005
    Messages:
    2,204
    Location:
    Perth
    Sorry but it's easy for you to say when it's not your data. If it's important enough and your only option - pay.

    Consider the payment a "fee" for not having an appropriate backup plan.
     
  16. s.Neo

    s.Neo Member

    Joined:
    Oct 23, 2002
    Messages:
    398
    Location:
    Darwin, NT, Australia
    What about recovering the deleted files with something like ntfsundelete . com *?

    *or filesystem equivalent.
     
  17. de_overfiend

    de_overfiend Member

    Joined:
    Jul 12, 2001
    Messages:
    2,342
    Location:
    Gold Coast
    The files aren't deleted... they are encrypted.

    I have had several run-ins with this particularly nasty virus. They seem to come from a .pdf or .xls attachment via email. It activates when you open the attachment and the injection code is not usually noticed by most AV programs.

    About 6 months ago I used a tool that would decrypt some common files affected by the earlier versions of this virus (jpg, doc, xls, etc.)... managed to recover 30 gig of a metal roofing manufacturer's data including their .pst file.

    Since then I have tried it on the newer variants twice now with no success. It spits out errors and BSODs with an IRQ interrupt error whenever I try to use it now.

    I have not been able to find the link again on bleepingcomputer.com

    The earlier versions didn't encrypt your files, just added some junk data to the header and removed the first section of the code of the file and pasted it to the end of the code... yes, they are tricky mofos.

    The newer ones seem to be properly encrypted... and have instructions to inject code to disable volume shadow copies, making tools like ShadowExplorer and previous versions useless.

    The only thing that seems to protect users to a certain extent is User Account Control... as it pops up while the virus is trying to encrypt your files, it prompts the user to make a choice to allow it to run or not. The savvy would probably pick up on this and say no, and after numerous notifications would be booting in safe mode and running a scan with AV and Malwarebytes (yes, they will remove the actual virus, and a program like RogueKiller will find the registry modifications and delete them, but won't decrypt your files)... but the average user just clicks yes 50 times and gets infected. Users with User Account Control turned off will not have this grace.

    There's plenty of info on bleepingcomputer.com as others have suggested, even an immunisation application that stops crypto from making changes to the registry.

    Basically, after 72 hours of full infection, if no shadow copies or backups exist then the only means of recovery is to pay the 10 bitcoin ransom and pray to whatever deity you hold close that you will actually get your data decrypted. Until the gurus figure out the encryption there's not much chance of getting it back.

    I actually have a domestic customer atm with crypto and have been working on decrypting it since Friday. I took a clone of the drive and am working with the clone. I have actually had to clone from the original twice now as I stuffed up and it got worse. I hold a slim hope of being able to recover some of the encrypted files, but I'm no programmer and I'm basically going by trial and error... currently at the stage where I'm looking at file code in a hex editor and trying to figure out if they didn't actually encrypt it but changed the way they cut and paste the file code.
    Basically clutching at straws...
     
  18. de_overfiend

    de_overfiend Member

    Joined:
    Jul 12, 2001
    Messages:
    2,342
    Location:
    Gold Coast
    I know data backup is the end user's responsibility, but that's a bit harsh.

    It's not his fault that there's some bastard who likes extorting people for money by infecting his computer and encrypting his data.
     
  19. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,784
    Location:
    Canberra
    As opposed to a drive crash.
    Or a controller failure writing junk data.

    It's computing. Shit happens. The answer to shit is backups. Don't be a tightarse.
     
  20. Joshhy

    Joshhy Member

    Joined:
    Feb 15, 2012
    Messages:
    49
    Fuck, I wish I could walk into a client's office and say this. :rolleyes:
     
