Please help - CryptoLocker ransomware virus on my computer

One more reason to stick to Linux...

Edit: Wonder if the API will work if the drive is already encrypted. Probably not?
 
Never had this... but be absolutely sure, I am not planning on getting it. :eek:

/updates Avira and sorts out backups
 
Saw how CTB-Locker gets onto users' computers:

An email with an update .zip is sent to you from FedEx or UPS.

You, thinking it's legit, open it and bang goes your system. Moral of the story: don't open .zip attachments.
 
One of my customers got infected by one of the variants today. They opened some video/zip file from an email, which came with an error message and opened some website.

They called me with some problem of software not working and the PC being extremely slow (it was probably busy encrypting).

My first instinct is always to go back to a previous shadow copy. That saved them a lot of damage. Doing that, I managed to get to a restore point from before the PC was infected, and it stopped the encryption process. It looks like only about 10% or less of their data is infected (basically everything in the first few folders sorted alphabetically), and they do a full backup every month of all their PCs, so hopefully not too much damage. All other computers are fine.

Tomorrow I'm going to restore via a third PC and a new memory stick. (I don't connect the backup drive to the affected PC, just in case the f**ker is still running/active on the affected PC. I don't wanna infect the backup disk.)

Yup, those CryptoLockers/ransomware things are nasty.

Unfortunately the only safe computer is a computer which never gets switched on.
 
Probably got it from Norton. Norton is known to be bloatware rubbish.

Well I guess your server is proper farked now.

Yep, lost basically fken everything. The only way we think it came onto our system: one of our new laptops only had Avast Free antivirus on it, thus not the most comprehensive protection, and the individual clicked on a spam email/attachment. :cry:
 

Currently our backups are sitting on a tower PC running Windows 7 x64. Thinking of switching to FreeNAS; being a Linux file system, what effect will viruses/trojans like this have on a system running Linux?
 

FreeNAS is based on FreeBSD, not Linux.
 
Just note that Dropbox also gets infected. Luckily the rollback feature works.

Say what??? I am planning on sending all my photos to GDrive instead, but since you say a cloud service can get farked... uhm... how?
 

No, it gets funnier! Not going to name names, but this person that got infected infected his Dropbox. Now this is fine and all that, BUT because he was on a global Dropbox, the files got synchronized into EVERYONE'S box! And this company is huge and everyone knows their name.
How embarrassing!

Oh, how does it do it? Simple: it attacks everything on your machine, including shared drives and mapped drives.
 
How did it get onto your PC?
If I look at our Mimecast malware filters, most of the messages that contain the CryptoLocker malware (47/50) have the following subject lines:
Jennifer Lawrence's iCloud nude pix
NEW Celebrity Nudes Leaked
Vanessa Hudgens, Paige Duke, Kelly Brooke EXPOSED
Fappening - Second Cumming NEW NUDES!
etc, etc.

All have PDF, PPT, JPG attachments that are actually .EXEs.
 
Most of these infections are being delivered using email attachments with a .js file inside a zip file.

Check with your email provider, as they should be scanning your inbound email for viruses.
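The two posts above describe the same lure from different angles: an attachment whose name looks like a document or picture but ends in .EXE, and a zip whose only content is a .js dropper. The script below is an added example (not code from the thread or from Mimecast) that applies exactly those checks to an attachment before a user gets to double-click it: deceptive double extensions, a PE header in a file not named as an executable, and script or executable members inside a zip. The sample attachments at the bottom are constructed stand-ins, not real malware.

```python
"""Flag e-mail attachments that match the ransomware lures seen in the thread.
Added example, not from the original posts."""
import io
import os
import zipfile

# Extensions Windows will execute on double-click (the dropper's delivery formats).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".lnk"}
# Extensions a user expects to be harmless documents or images.
DOC_EXT = {".pdf", ".ppt", ".pptx", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".txt"}


def _exts(name):
    """All dotted suffixes of a filename, lowercase: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = os.path.basename(name.replace("\\", "/"))
    return ["." + p for p in base.lower().split(".")[1:]]


def check_name(name):
    """Reasons to distrust the attachment based on its filename alone."""
    reasons = []
    exts = _exts(name)
    if not exts:
        return reasons
    if exts[-1] in EXEC_EXT:
        reasons.append(f"executable extension {exts[-1]}")
        if any(e in DOC_EXT for e in exts[:-1]):
            reasons.append("document extension hidden before executable extension")
    return reasons


def check_content(name, data):
    """Reasons to distrust the attachment based on its bytes (magic number, zip members)."""
    reasons = []
    exts = _exts(name)
    last = exts[-1] if exts else ""
    if data[:2] == b"MZ" and last not in EXEC_EXT:
        reasons.append("PE header (MZ) in file not named as an executable")
    if data[:4] == b"PK\x03\x04":  # zip container (also .docx/.xlsx, whose members are harmless)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in check_name(member):
                        reasons.append(f"zip member {member!r}: {r}")
        except zipfile.BadZipFile:
            reasons.append("claims to be zip but is not parseable")
    return reasons


def triage(name, data):
    """Combined verdict: empty list means nothing suspicious was found."""
    return check_name(name) + check_content(name, data)


def build_samples():
    """Constructed attachments for the demo (hypothetical names, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2014.js", "// stand-in for the .js dropper\n")
    return {
        "tracking_update.zip": buf.getvalue(),             # zip carrying a .js
        "celebrity_pix.jpg.exe": b"MZ" + b"\x00" * 64,     # double extension
        "report.pdf": b"MZ" + b"\x00" * 64,                # PE masquerading as a PDF
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16, # benign JPEG header
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(fname, "->", triage(fname, blob) or "clean")
```

The content checks matter more than the name checks: a mail gateway that only blocks `*.exe` is beaten by the zip wrapper, and a user who has "hide extensions for known file types" switched on never sees the `.exe` at all.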
 

LOL :D

Something interesting, the files it goes after are the following types:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

They mostly seem to be targeting document-type files. Just another reason to use LaTeX.

Frankly I am a bit insulted. The real value of my work lies in the source code and documentation that I have written in LaTeX.

To the potential ransomware writers, ignore this post
 
Fck me, I got 90% of a client's data back!

How CryptoLocker works is that it creates a copy of the file it encrypts and then deletes the original.
That is where we stand half (maybe less) a chance.

Windows doesn't actually delete the data; it just marks it as free space until it needs the space.
So when infected, just pull the plug (a shutdown may install updates or something), take the drive out and attach it to another PC.
Then use an app that can recover deleted files. I used EaseUS, but there are plenty of free tools that can do the same thing. It takes the whole day to scan the drive though.

The less space you have on the drive and the closer it is to full capacity, the less chance you'll have, I guess.
My client was just lucky; they had only used 20% of the drive.
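An undelete scan of the kind described above hands back thousands of files, and the encrypted copies sit next to the recovered originals with the same extensions. The script below is an added example (not the poster's tool, and not EaseUS) for triaging that pile: it uses the target extension list posted earlier in the thread, checks each file's leading bytes against the magic number its format should carry, and falls back on byte entropy when there is no usable signature, since AES-encrypted content is near-random while a zeroed or truncated recovery is not. The sample files are constructed in memory; the "encrypted" ones are just seeded random bytes standing in for ciphertext.

```python
"""Separate recovered originals from CryptoLocker's encrypted copies.
Added example, not code from the thread."""
import io
import math
import os
import random
import zipfile
from collections import Counter

# Extensions the thread lists as CryptoLocker targets.
TARGET_EXT = {"." + e for e in (
    "3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx dwg "
    "dxf dxg eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods odt "
    "orf p12 p7b p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 "
    "rwl srf srw wb2 wpd wps xlk xls xlsb xlsm xlsx").split()}

_ZIP = (b"PK\x03\x04",)                        # OOXML and ODF containers
_OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)  # legacy Office binary formats
_TIFF = (b"II*\x00", b"MM\x00*")               # TIFF-based camera raw
# Leading bytes each format is expected to start with (from the public format specs).
MAGIC = {
    ".docx": _ZIP, ".docm": _ZIP, ".xlsx": _ZIP, ".xlsm": _ZIP, ".xlsb": _ZIP,
    ".pptx": _ZIP, ".pptm": _ZIP, ".odt": _ZIP, ".ods": _ZIP, ".odp": _ZIP,
    ".odb": _ZIP, ".odm": _ZIP, ".doc": _OLE, ".xls": _OLE, ".ppt": _OLE,
    ".jpg": (b"\xff\xd8\xff",), ".jpe": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",), ".rtf": (b"{\\rtf",), ".pem": (b"-----BEGIN",),
    ".pst": (b"!BDN",), ".dwg": (b"AC10",), ".wpd": (b"\xffWPC",),
    ".eps": (b"%!PS", b"\xc5\xd0\xd3\xc6"),
    ".cr2": _TIFF, ".nef": _TIFF, ".dng": _TIFF, ".arw": _TIFF,
    ".mdb": (b"\x00\x01\x00\x00Standard Jet DB",),
    ".accdb": (b"\x00\x01\x00\x00Standard ACE DB",),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte over the given bytes (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name, data):
    """'intact', 'encrypted', 'damaged' or 'not-targeted' for one recovered file."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in TARGET_EXT:
        return "not-targeted"
    sigs = MAGIC.get(ext)
    if sigs and any(data.startswith(s) for s in sigs):
        return "intact"
    # Signature missing or unknown for this format: decide on the first 4 KiB's entropy.
    if shannon_entropy(data[:4096]) > ENTROPY_THRESHOLD:
        return "encrypted"
    # Known format with the wrong header but low entropy: a bad recovery, not ciphertext.
    return "damaged" if sigs else "intact"


def summarize(files):
    """Count verdicts over a {name: bytes} mapping as an undelete tool might hand back."""
    return dict(Counter(classify(n, d) for n, d in files.items()))


def build_recovered_samples():
    """Constructed stand-ins for recovered files (hypothetical names, seeded random 'ciphertext')."""
    rng = random.Random(2014)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return {
        "budget.docx": buf.getvalue(),               # real OOXML container
        "holiday.jpg": b"\xff\xd8\xff\xe0" + noise,  # JPEG header, noisy body: fine
        "proposal.docx": noise,                      # encrypted copy: no header, random
        "old.doc": b"\x00" * 2048,                   # wrong header but zeroed: bad recovery
        "notes.txt": b"plain text, not on the list\n",
    }


if __name__ == "__main__":
    samples = build_recovered_samples()
    for name, blob in samples.items():
        print(f"{name:15s} {classify(name, blob)}")
    print(summarize(samples))
```

The signature check comes first on purpose: a JPEG or a .docx is itself high-entropy past its header, so entropy alone would mislabel healthy files. The threshold only decides the cases where no header is present, which is exactly what a ransomware-written copy looks like.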
 
Sitting on 3 nuked sites here. What do they all have in common?
- No lockdown
- Local admin
- Bad backups

Recovering the deleted files now.
 

Update:
2nd client also 90% success; third client I got zero, but I suspect they messed with the drive a bit, installing antivirus and antimalware software before I got to it.

Today I set up a test machine with about 5GB of data, mainly photos and docs.
Ran the JavaScript (via an email I had captured) and let it encrypt everything.
Then I pulled the power plug and took out the drive.

From the deleted "lost files" in EaseUS I got everything back with a loss of maybe 20 MB.
Pretty much a success rate of 99%.
 