Jump to content

Cyrptolocker ransomware has encrypted my clients files

Twotone

By Twotone
in Resolved Malware Removal Logs

 Share

Recommended Posts

MrCharlie

MrCharlie

Posted
Posted

The complete encryption tutorial is here:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/

Specific suggestions:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/?p=3001838

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/?p=3054615

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/?p=3056441

MrC

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

This is a case of what is called cryptovirolgy and of the worst kind.  Actual personal data file encryption held for ransom by a malicious actor.

While a "virus" is possible with cryptovirolgy, more often than not the payload is that of a trojan and not a virus.

With the release of the Microsoft Crypto Application Programming Interface (aka; Crypto API) this concept was made much easier.

Decryption of data files is not an easy task.  Often a malware crypto analyst may work on a given problem for very long periods and not come up with a key for decryption.  Sometimes it is possible for a limited family of trojans but is short lived.  Often that work requires that particular trojan that was used to encrypt your data.

You need to understand that the expectation for a positive outcome is EXTREMELY low.  Even if you paid a security company it may be costly and still not have a positive outcome.

You should not even consider paying any ransom.  That can actually lead to you being the target of further malicious activity as you will branded a willing "mark".

I think the best course of action would be to consider the situation as a total loss as if your hard disk had a catastrophic failure requiring tou to obtain a hard disk replacement.

With that in mind, extract the data that has not been encrypted and wipe the hard disk and reinstall the OS of choice or by using a manufacturer's Recovery Disk.

** IF and only IF you have the actual malware that caused this please upload it at UploadMalware.Com

Link to post
Share on other sites
Twotone

Twotone

Posted
  • Author
Posted

Hey David

 

I would love to help out and I have not done anything with the computer as of yet. The malware and anything else that caused it should still be on the computer. Would you know the easiest way to find it? I Have teamviewer on my computer if you want to log into it. I am logged into the infected computer from here. Malwarebytes did pick some Trojans up but I just looked at the log. I did not clean them off yet.

 

 

This is a case of what is called cryptovirolgy and of the worst kind.  Actual personal data file encryption held for ransom by a malicious actor.

While a "virus" is possible with cryptovirolgy, more often than not the payload is that of a trojan and not a virus.

With the release of the Microsoft Crypto Application Programming Interface (aka; Crypto API) this concept was made much easier.

Decryption of data files is not an easy task.  Often a malware crypto analyst may work on a given problem for very long periods and not come up with a key for decryption.  Sometimes it is possible for a limited family of trojans but is short lived.  Often that work requires that particular trojan that was used to encrypt your data.

You need to understand that the expectation for a positive outcome is EXTREMELY low.  Even if you paid a security company it may be costly and still not have a positive outcome.

You should not even consider paying any ransom.  That can actually lead to you being the target of further malicious activity as you will branded a willing "mark".

I think the best course of action would be to consider the situation as a total loss as if your hard disk had a catastrophic failure requiring tou to obtain a hard disk replacement.

With that in mind, extract the data that has not been encrypted and wipe the hard disk and reinstall the OS of choice or by using a manufacturer's Recovery Disk.

** IF and only IF you have the actual malware that caused this please upload it at UploadMalware.Com

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

The only hope is to capture the trojan and reverse engineer the encryption.  This has been done with some crypto malware but not often enough.  Hopefully your client has data on backups.  That is the best course of action.
 
I don't even know of a good organization where the PC's hard disk can be taken to.

Kroll may be able to handle this but I have only worked with them on a basis of data recovery. 

Link to post
Share on other sites
  • 2 weeks later...
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.