Calgarypuck Forums - The Unofficial Calgary Flames Fan Community
Old 11-07-2013, 09:57 AM   #1
MolsonInBothHands
First Line Centre
Join Date: Aug 2002
Cryptolocker - Has anyone recovered from it?

A law firm my wife contracts to got this via an email attachment, it spread to the server, it found all the typical document files, it found the cloud backup, and encrypted them all. It pops up with a notice, saying they have 4 days to pay $300 US in BitCoins or the data will be destroyed. Attempts to break the encryption key will also cause data loss.

The IT guy has been at it for three days now, and has given up. He is in the process of trying to buy BitCoins right now.

I gotta say, I am kinda impressed by the ingenuity of these thieves, as I rummage through the tickle trunk for an old tape drive for backups.

Has anyone seen this first hand, or had any success circumventing the ransom?
__________________
"Cammy just threw them in my locker & told me to hold on to them." - Giordano on the pencils from Iggy's stall.
Old 11-07-2013, 10:01 AM   #2
Gundo
First Line Centre
Join Date: Oct 2005

We had the same thing hit where I work, from what I understand we were SOL and had to pay.
Old 11-07-2013, 10:16 AM   #3
Minnie
Franchise Player
Join Date: Dec 2012
Location: On your last nerve...:D

A couple of IT friends posted an article about it on FB - I'll see if I can find it and link it. IIRC, no one has - everyone has been SOL.
Old 11-07-2013, 10:20 AM   #4
GoinAllTheWay
Franchise Player
Join Date: Apr 2003
Location: Not sure

A big thank you for the heads up. That's pretty freaky.
Old 11-07-2013, 10:24 AM   #5
MolsonInBothHands
First Line Centre
Join Date: Aug 2002

I wonder if this drives up BitCoin prices at all? LOL
__________________
"Cammy just threw them in my locker & told me to hold on to them." - Giordano on the pencils from Iggy's stall.
Old 11-07-2013, 10:26 AM   #6
Cheese
Franchise Player
Join Date: Mar 2002

so they actually unlock the files once paid?
Old 11-07-2013, 10:27 AM   #7
Minnie
Franchise Player
Join Date: Dec 2012
Location: On your last nerve...:D

Article

Link from that article - CryptoLocker ransomware - see how it works, learn about prevention, cleanup and recovery
Old 11-07-2013, 10:28 AM   #8
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

You need to recover from a static backup. That's the only way around paying, since it is secure encryption. Part of the problem is the FBI is hunting down these servers as they become active, and shutting them down. Once that server is shut down, regardless of whether you want to pay or not, you are SOL because that is the only source of the key.

Another issue is, if you have an older version of the virus and you remove it, you don't have access to the server anymore. The newer version will actually give you a link, so you can reinfect yourself to get it fixed. Brian Krebs wrote an article about this yesterday.

We had a client get hit with it yesterday.

If you are running anything you care about, back it up. And that doesn't mean just copying it to an extra drive you have plugged into a PC, it means also having an offsite backup, like Crashplan or Carbonite.

Cryptolocker will encrypt any file that is on a connected drive, even a network share.

Here is a toolkit, recommended by Brian Krebs (of www.KrebsOnSecurity.com) in his post on Nov 1

http://www.fooli####.com/vb6-projects/cryptoprevent/ (edit: the bad word filter took out part of the link, so you can put in the word for a #2 as the site is called Foolish IT, or I have created a bitly address http://bit.ly/19yX2XK)

It is a simple executable, which sets GPO on the local machine to disallow execution of programs in a manner which helps prevent Cryptolocker (and some other viruses) from getting its teeth in.

There is also a Cryptolocker Prevention Kit which allows for the fix to be applied to domain GP for Windows XP, Windows 7 and TS environments.

Quote:
Originally Posted by Cheese
so they actually unlock the files once paid?
Yes. They actually will provide the key and attempt decryption. I have heard early reports that it wasn't always working, but heard quite a few where it was working as well.

Quote:
Originally Posted by MolsonInBothHands
I wonder if this drives up BitCoin prices at all? LOL
Bitcoin prices have gone up over $150 in the past couple weeks. Could be related, for sure. Currently they are at ~ $295 on the exchange I use. Which increases the cost of paying this ransom as well, since, as I understand it, the fee is 2 bitcoins.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

Last edited by Rathji; 11-07-2013 at 10:36 AM.
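Rathji's point that CryptoLocker encrypts anything reachable through a mapped drive or network share is why the file server is where the damage shows up first, and why the thing you most need to know after an infection is which backup generation is still clean. The script below is an added example, written for this page and not taken from the thread, from CryptoPrevent or from the Prevention Kit, of a sweep a file-server admin can run over a share to spot a burst of recently modified files that no longer look like the documents they claim to be. Formats with a fixed header (PDF, OLE .doc, ZIP-based .docx/.xlsx) get a signature check, because a .docx is already a compressed container and an entropy test alone would flag every one of them; everything else gets a Shannon entropy check. The sample share, the 7.5 bits/byte threshold and the 10-file alarm level are my assumptions. It detects, it does not decrypt anything.

```python
import math
import os
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Formats with a fixed leading signature.  An encrypted copy keeps its name and
# extension (CryptoLocker overwrote files in place) but loses the signature.
MAGIC = {
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document
    ".docx": b"PK\x03\x04",        # Office Open XML is a ZIP container, so it is
    ".xlsx": b"PK\x03\x04",        # already high-entropy; entropy alone is useless here
    ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); random/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample: int = 65536) -> bool:
    """Signature check where the format has one, entropy check otherwise."""
    head = path.read_bytes()[:sample]
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None:
        return not head.startswith(magic)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_share(root: Path, window_seconds: float = 300.0, min_hits: int = 10) -> dict:
    """Flag a burst of recently modified files that no longer look like their type."""
    files = [p for p in root.rglob("*") if p.is_file()]
    if not files:
        return {"alert": False, "recent": 0, "encrypted": 0, "examples": []}
    newest = max(p.stat().st_mtime for p in files)
    recent = [p for p in files if newest - p.stat().st_mtime <= window_seconds]
    hits = sorted(p for p in recent if looks_encrypted(p))
    return {
        "alert": len(hits) >= min_hits,
        "recent": len(recent),
        "encrypted": len(hits),
        "examples": [p.name for p in hits[:5]],
    }


# ---- constructed sample data, not from any real incident ----------------------

def build_sample_share(root: Path, n_docs: int = 20) -> None:
    """Write n_docs plausible low-entropy documents: plain text, PDF and DOCX."""
    root.mkdir(parents=True, exist_ok=True)
    for i in range(n_docs):
        ext = (".txt", ".pdf", ".docx")[i % 3]
        path = root / f"matter_{i:03d}{ext}"
        if ext == ".txt":
            path.write_bytes((b"Draft affidavit paragraph %d.\n" % i) * 200)
        elif ext == ".pdf":
            path.write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Page >> endobj\n" * 300)
        else:
            with zipfile.ZipFile(path, "w") as z:
                z.writestr("word/document.xml", "<w:document><w:p>Clause %d</w:p></w:document>" % i)


def simulate_cryptolocker(root: Path, n_hit: int = 15) -> int:
    """Overwrite the first n_hit files in place with random bytes; names unchanged."""
    victims = sorted(p for p in root.rglob("*") if p.is_file())[:n_hit]
    for p in victims:
        p.write_bytes(os.urandom(p.stat().st_size))
    return len(victims)


def run_demo() -> tuple:
    """Scan a clean sample share, then again after the simulated infection."""
    share = Path(tempfile.mkdtemp()) / "share"
    build_sample_share(share)
    before = scan_share(share)
    simulate_cryptolocker(share)
    after = scan_share(share)
    return before, after


if __name__ == "__main__":
    clean, hit = run_demo()
    print("clean share:", clean)
    print("after infection:", hit)
```

Run it against the real share root on a schedule and treat an alert as "stop the backup job and find the infected workstation" rather than as proof of anything; legitimately compressed or already-encrypted files (archives, PGP, some backups) will trip the entropy branch, so tune the extension table to what the share actually holds.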
Old 11-07-2013, 11:34 AM   #9
I-Hate-Hulse
Franchise Player
Join Date: Jul 2003
Location: Sector 7-G

There's a removal tool in this article - would this solve the OP's problem?
Old 11-07-2013, 11:48 AM   #10
MolsonInBothHands
First Line Centre
Join Date: Aug 2002

Quote:
Originally Posted by I-Hate-Hulse
There's a removal tool in this article - would this solve the OP's problem?
No, unfortunately. Removing the actual virus, once infected, isn't that difficult. It's decrypting your data, that has you by the short and curlies. What's worse, removing the virus also loses your access to 'purchasing' the decryption key, and then you are really hooped. Newer versions of the virus now alter your desktop with a link where you can actually reinfect yourself to gain access to the option to pay your ransom again.

Are there stories of these crooks ever getting caught?
__________________
"Cammy just threw them in my locker & told me to hold on to them." - Giordano on the pencils from Iggy's stall.
Old 11-07-2013, 11:57 AM   #11
MolsonInBothHands
First Line Centre
Join Date: Aug 2002

There is a prevention tool mentioned in that article that I am deploying to my shop and home computers.

My wife is now getting blamed, (lawyers are always thinking about blame, LOL) for the infection, since it appears her station was infected first. Even though she e-commutes for 90% of her hours, and never really opens emails from that computer.

I told her to stay off those animal porn sites.
__________________
"Cammy just threw them in my locker & told me to hold on to them." - Giordano on the pencils from Iggy's stall.
Old 11-07-2013, 12:21 PM   #12
BloodFetish
First Line Centre
Join Date: Aug 2009
Location: Coquitlam, BC

To my knowledge we haven't been hit with this but all research I did on CryptoLocker indicated you're screwed once a file is encrypted. Sucks how much it's spread on that network!

Our mail server automatically strips any executable attachments from both incoming and outgoing emails as a precaution, which has probably saved our bacon more than once.
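Stripping executable attachments at the mail server, as BloodFetish describes, is cheap and blocks the usual CryptoLocker delivery. The code below is an added example, mine and not the poster's mail server configuration, of what such a filter has to look at to be worth anything: the final extension rather than the whole name, so "invoice.pdf.exe" is caught; the MZ signature, so a renamed executable is caught; and the contents of ZIP attachments, since the lure was commonly a zip carrying a .scr or .exe. The extension list, the sample message and the policy that an unreadable or password-protected archive is dropped are my assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage, MIMEPart

# Extensions treated as executable: my list for this example, not the poster's
# server policy.  .scr and .pif are included because Windows launches them like
# .exe, which is what "invoice.pdf.scr" style lures rely on.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".cpl"}


def is_executable_name(filename) -> bool:
    """Check the *last* suffix only, so a double extension like invoice.pdf.exe is caught."""
    name = (filename or "").lower().strip()
    return any(name.endswith(ext) for ext in EXEC_EXTENSIONS)


def is_pe_image(data: bytes) -> bool:
    """Windows executables (.exe/.scr/.dll) start with the DOS 'MZ' stub, whatever the name."""
    return data[:2] == b"MZ"


def zip_hides_executable(data: bytes) -> bool:
    """Look inside a ZIP; an archive that cannot be read (corrupt, encrypted) counts as dangerous."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if is_executable_name(info.filename):
                    return True
                with archive.open(info) as member:  # RuntimeError on password-protected entries
                    if is_pe_image(member.read(2)):
                        return True
    except (zipfile.BadZipFile, RuntimeError):
        return True
    return False


def part_is_dangerous(part) -> bool:
    """Apply the name, signature and archive checks to one leaf MIME part."""
    data = part.get_payload(decode=True) or b""
    if is_executable_name(part.get_filename()) or is_pe_image(data):
        return True
    return data[:4] == b"PK\x03\x04" and zip_hides_executable(data)


def _prune(part, removed: list) -> None:
    """Recursively drop dangerous leaf parts and leave a text notice in their place."""
    if not part.is_multipart():
        return
    kept, dropped_here = [], []
    for sub in part.get_payload():
        if not sub.is_multipart() and part_is_dangerous(sub):
            dropped_here.append(sub.get_filename() or "(unnamed part)")
        else:
            _prune(sub, removed)
            kept.append(sub)
    part.set_payload(kept)
    if dropped_here:
        notice = MIMEPart()
        notice.set_content("Removed by mail policy: " + ", ".join(dropped_here))
        part.attach(notice)
        removed.extend(dropped_here)


def strip_executables(raw: bytes) -> tuple:
    """Return (cleaned message bytes, names of removed attachments)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed: list = []
    if msg.is_multipart():
        _prune(msg, removed)
    elif part_is_dangerous(msg):  # single-part message whose whole body is the payload
        removed.append(msg.get_filename() or "(body)")
        msg.set_content("Removed by mail policy: " + removed[0])
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> list:
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


# ---- constructed sample message, not a real lure -----------------------------

def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "reception@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << >> endobj\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="invoice_2013.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("statement.pdf.scr", b"MZ" + b"\x90" * 30)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # a benign .docx is also a ZIP and must survive
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="report.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample_message())
    print("removed:", removed)
    print("kept:", attachment_names(cleaned))
```

The docx case is the one to get right: Office files are ZIP containers, so a filter that drops every PK-signed attachment blocks the firm's own documents, while one that only looks at the outer filename lets "statement.zip" through with the .scr inside. Inspecting the archive members is what separates the two.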
Old 11-07-2013, 01:51 PM   #13
GoinAllTheWay
Franchise Player
Join Date: Apr 2003
Location: Not sure

So for those of you who have been hit by this virus, did the infected email come from a known sender?
Old 11-07-2013, 01:51 PM   #14
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

I have no idea where our client got the virus.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
Old 11-07-2013, 02:17 PM   #15
Azure
Had an idea!
Join Date: Oct 2005

OpenDNS blocked it from the start. Even users that actually executed the attachments weren't affected because it was blocked from communicating to the home server.

Was actually lucky about it as well.
Old 11-07-2013, 03:15 PM   #16
blankall
Ate 100 Treadmills
Join Date: Mar 2006

I got it a couple of days ago...what a pain. I think I got it from using SpyBot. It was somewhere on my HD, and the anti-virus software deleted a file on my comp, which triggered it. Or it may have been from a network I was on.

I honestly can't think of how it got on my computer. It was a computer I use primarily for work. I download some torrents on it, but from a trusted site.

Either way, huge nuisance. The SD card from my camera was in my comp at the time, and it got all of those files. I had just come back from a vacation, and all my photos from it are encrypted.

I have no intention of rewarding these asshats by paying them (the price has gone up to $300 now). My plan is to just hold onto the files and hopefully someone comes up with a solution down the road. Other than that I am SOL.
Old 11-07-2013, 03:19 PM   #17
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Quote:
Originally Posted by blankall
I got it a couple of days ago...what a pain. I think I got it from using SpyBot. It was somewhere on my HD, and the anti-virus software deleted a file on my comp, which triggered it. Or it may have been from a network I was on.

I honestly can't think of how it got on my computer. It was a computer I use primarily for work. I download some torrents on it, but from a trusted site.

Either way, huge nuisance. The SD card from my camera was in my comp at the time, and it got all of those files. I had just come back from a vacation, and all my photos from it are encrypted.

I have no intention of rewarding these asshats by paying them (the price has gone up to $300 now). My plan is to just hold onto the files and hopefully someone comes up with a solution down the road. Other than that I am SOL.
Well, the good news is, to break that encryption, it takes a specially crafted computer that costs $1 million about a year.

If the stuff is worth $300 to you, pay it. Nothing is going to 'come up' that will suddenly allow for those files to be recovered.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
Old 11-07-2013, 03:23 PM   #18
blankall
Ate 100 Treadmills
Join Date: Mar 2006

Quote:
Originally Posted by Rathji
Well, the good news is, to break that encryption, it takes a specially crafted computer that costs $1 million about a year.

If the stuff is worth $300 to you, pay it. Nothing is going to 'come up' that will suddenly allow for those files to be recovered.
My hope is that in the future they find the people responsible and recover the codes. That being said, you're probably right. My photos are probably gone.

Even if the stuff was worth $300 to me, I refuse to encourage these @#holes by rewarding them in any way.
Old 11-07-2013, 03:33 PM   #19
Rathji
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Cryptolocker servers come up on a somewhat random schedule, and are only up for a limited time, to reduce the surface area for law enforcement to take them down. Once they are no longer up, there is zero value to them keeping the keys or anything on the server in a format that can be recovered. Chances are they are wiped as soon as they go offline, to eliminate evidence.

Even if they do somehow manage to seize the specific server that your key is on, recover that key without something happening to compromise it, what are they going to do with it? Send you an email saying "blankall, we found this encryption key for your stuff, we have attached it"

Disregarding the fact that there is almost no chance of that happening, what would you do then? You would spend thousands of dollars to find someone who knew what the hell they were doing who would take that key and recover your stuff.

That said, I completely understand where you are coming from, and really am only explaining why your plan is pointless in case someone is considering it as an option, but is not as strong in their conviction not to pay, due to the value of the material.

If this hit me on my stuff, and I didn't have a backup, I would be driving to buy a MoneyPak in about 5 minutes flat. Kind of a good case to get an offsite backup though. Carbonite is $60 a year for unlimited storage. If I was a conspiracy nut, I would say that online backup providers wrote cryptolocker to boost their sales.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

Last edited by Rathji; 11-07-2013 at 03:37 PM.
Old 11-07-2013, 04:09 PM   #20
MolsonInBothHands
First Line Centre
Join Date: Aug 2002

The law firm paid $686, and the server is chugging through the night decrypting now.
__________________
"Cammy just threw them in my locker & told me to hold on to them." - Giordano on the pencils from Iggy's stall.