
identify what happened to these files



Recently I was "hit" with cryptolock. I clicked on nothing once the screen showed up (I believe this one was done using a "drive-by download" type attack while reading a .pdf from a website) & then turned off the machine. I rebooted with a scanning CD, cleaned up, entered safe mode, manually cleaned, & booted normally. Problem solved. I had access to everything. A week or two later (sorry, time is vague due to being very busy) I went to read a recipe & .docs, .pdf, & .rtf all looked the same. A brief personal history: I am 60, have owned a successful PC repair biz for 14 years, done hardware design & software, and am considered quite good at malware removal. Using every tool a "so called master" would use tells me I have a clean PC. I am running XP Pro 64 bit (Server 2003) fully updated. I am mainly interested in finding out what has been done to my documents & secondarily if it is possible to "repair" them. I am attaching a small .rtf file showing the problem. Thanks ahead of time for any help (especially a thorough explanation).

Attachment: 3 guys genie joke.rtf


No, it is not possible to, and also this is the sub-forum where mods can detect new malware threats, so please Post Here to make sure you don't have any remnants that can activate it again.


Hello Chasbrowne and welcome to MalwareBytes forum.

The cryptolocker infector can be found and removed by our program. Sorry to say though, that your documents are most likely already encrypted and that nothing can be done to un-do that.

There is no known cure for fixing any user documents corrupted by this beast.

Have you "opened" any unsolicited or any "unexpected" attachment of any kind?
The purveyors of this beast send out "devilishly enticing" emails of any kind to make you think it is to your benefit.
And even disguise as being perhaps from a company that is known or familiar.

The only thing that will prevent Cryptolocker from coming in is a bunch of tighter security practices on your part, for every single day practice.

Here is what we know about the threat:

Cryptolocker is a hijack program. The virus itself may be removed, however once files are encrypted there has been no solution found.

How did you become infected by Cryptolocker?

CryptoLocker currently has three infection vectors:
1. This infection was originally spread via emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHL, etc. These emails would contain an attachment that when opened would infect the computer.

2. Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection.

3. Through Trojans that pretend to be programs required to view online videos. These are typically encountered through porn sites.

Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

So far, no one has come up with any way to decrypt the files. This is because RSA-2048 is not a made up encryption. In fact... no one has ever cracked any RSA-2048 encrypted documents.

For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files

Once the infection is active on your computer it will scan your drives (local & network) and encrypt various types of files with a mix of RSA & AES encryption.

After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of Cryptolocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.

Are there any tools that can be used to decrypt your files?

Unfortunately at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or if you have System Restore, through the Shadow Volume copies that are created every time a system restore is performed. More information about how to restore your files via Shadow Volume Copies can be found in the next section.

If you do not have System Restore enabled on your computer or reliable backups, then you may need to pay the ransom in order to get your files back. Please note that there have been cases when people have paid the ransom and the decryption did not work for whatever reason. Furthermore, if you do not pay the ransom within the allotted time, the Cryptolocker decryption tool will be removed from your system and make it much more difficult, if not impossible, to restore your files.

Do you happen to have a back up of all important data on an external source that is not connected to your PC regularly? This is a very stubborn infection to remove and in most cases victims are forced to completely restore or reimage their PCs due to the severity of the infection.

What can I do to protect myself or my business from Crypto Locker?

The best protection is a robust data backup plan, up to date antivirus and up to date patches from an experienced IT professional. If you have in-house IT then have them walk you through the disaster recovery plan. If you are a small or medium company then outsource critical functions like this and get a Service Level Agreement which covers complete data loss.

Malwarebytes Anti-Malware is designed to combat malware.
This includes things like trojans and rootkits.
This does not include viruses and adware.
Though we may catch viruses and adware it is not our focus.

Malwarebytes should be installed as a secondary level of security to work parallel with your Antivirus program. To avoid any vulnerabilities on your PC or within your network, be sure that Windows Updates are current as well as the database signatures for your Malwarebytes and Antivirus programs, in addition to Java and Adobe updates.

Suggestions that you should follow:
Get and put in place our Anti-Exploit (free)
http://www.malwarebytes.org/products/antiexploit/

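The poster's actual question is how to tell what happened to the documents. One first-pass check a responder can do is to compare each file's leading bytes with the header its extension requires: an untouched .rtf starts with `{\rtf`, a .pdf with `%PDF`, and so on, while a file that has been encrypted has a random-looking header and near-maximal byte entropy. The script below is an added example (it is not code from this thread or from Malwarebytes) that walks a folder and sorts targeted files into "intact", "likely-encrypted", "header-mismatch" and "unknown-format". The extension list is the one in the reply above; the magic-byte table, the 4 KiB sample window and the 7.0 bits-per-byte entropy threshold are my assumptions. A matching header only shows a file was not wholesale encrypted, and a random-looking body does not identify the family; for CryptoLocker itself the reply names HKCU\Software\CryptoLocker\Files as the record of what was encrypted, which this script does not consult.

```python
"""Header-based triage of document files after a suspected ransomware event.

Added example; not code from the forum thread or from Malwarebytes.
Assumptions (mine, not the thread's): the magic-byte table, the 4 KiB sample
window and the 7.0 bits/byte entropy threshold.
"""
import hashlib
import math
import os
from collections import Counter

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Office 97-2003 compound file
ZIP = b"PK\x03\x04"                          # OOXML and OpenDocument containers

# Leading bytes each format must start with.  Extensions come from the list in
# the thread; the magic values are the well-known ones for those formats.
MAGIC = {
    ".rtf": (b"{\\rtf",),
    ".pdf": (b"%PDF",),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".odt": (ZIP,), ".ods": (ZIP,), ".odp": (ZIP,),
    ".jpg": (b"\xff\xd8\xff",), ".jpe": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",),
    ".pem": (b"-----BEGIN",),
    ".cer": (b"-----BEGIN", b"\x30\x82"), ".crt": (b"-----BEGIN", b"\x30\x82"),
}

SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.0   # bits per byte; plain documents sit well below this


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Classify one file's contents against the header its extension requires.

    "unknown-format"   - extension not in MAGIC, nothing to compare against
    "intact"           - header matches, so the file is at least structurally sound
    "likely-encrypted" - header wrong and the bytes look random (high entropy)
    "header-mismatch"  - header wrong but content is not random (mislabelled,
                         truncated, or a different text format)
    """
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "unknown-format"
    if any(data.startswith(sig) for sig in MAGIC[ext]):
        return "intact"
    if entropy(data[:SAMPLE_BYTES]) > ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "header-mismatch"


def scan_tree(root: str) -> dict:
    """Walk a directory and classify every file whose extension is in MAGIC."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() in MAGIC:
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        results[path] = classify(fn, fh.read(SAMPLE_BYTES))
                except OSError as exc:
                    results[path] = f"unreadable: {exc}"
    return results


def triage_samples() -> dict:
    """Constructed in-memory samples so the logic can be checked without real files."""
    # Deterministic pseudo-random bytes stand in for an encrypted file body.
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "recipe.rtf": b"{\\rtf1\\ansi Genie joke text }",
        "scan.pdf": b"%PDF-1.4\n...",
        "notes.docx": ZIP + b"\0" * 30,
        "secrets.docx": random_like,
        "menu.pdf": b"Just plain text, wrong extension\n" * 40,
        "readme.txt": b"not a targeted format",
    }
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    import sys
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else triage_samples()
    for path, verdict in sorted(report.items()):
        print(f"{verdict:18} {path}")
```

Run it with a folder path to get a verdict per file; with no argument it classifies the constructed samples. A large cluster of "likely-encrypted" verdicts across many formats, all with modification times in the same short window, is the pattern that distinguishes bulk encryption from ordinary corruption of a single file.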

I appreciate all responses, thanks. I am aware of what it is in great detail. I repeat, nothing was encrypted after I cleaned the machine; this seems to have occurred later. I open no emails, no new programs, etc. I read extensively on numerous topics & one site appears to have been "infected". I mentioned cryptolock only because it has been the only event I am aware of on my PC. For reference I have used Microsoft's offline scanner, then booted with a Linux disk & manually cleaned, then ran ESET, Malwarebytes, SUPERAntiSpyware, Emsisoft, MBAR, & old timers log stuff (call me thorough if you must). All came up clean. This is why I am "perplexed". I am checking network issues although I run through OpenDNS encrypted. If I understand the first post correctly I am to re-post with the attached file to the link supplied?


Your "lost" documents cannot be repaired. If you have recent backups from before this incident, you should be looking at retrieving or restoring from there.

You have run MBAR as well as our Anti-Malware, right, and both found no present malware infection.

You indicate being a pro and also report using other tools too. It would be counter-productive to post for malware removal help.

Sorry, but the rtf file won't be of help.

Maybe one of the other tools had removed parts of the "crypto" pest.

I am just going to list a blog post for more information on this type of pest.

"Cryptolocker Ransomware: What You Need To Know"

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

You indicated that you had clicked on some questionable PDF file.

That is why I suggest installing the Anti-Exploit on the system so that future such cases are prevented.

Safer computer usage & internet use-behavior, as well as having the Premium realtime protection of the Anti-Malware, along with the Anti-Exploit is the best prevention against any re-occurrence.

As to XP:

Be sure to read and apply the suggestions by Susan Bradley:
Securing XP PCs after Microsoft drops support
http://windowssecrets.com/top-story/securing-xp-pcs-after-microsoft-drops-support/

Five good reasons to leave Windows XP behind
https://isc.sans.edu/diary/SIR+v15%3A+Five+good+reasons+to+leave+Windows+XP+behind/16922