CryptoLocker developers charge 10 bitcoins to use new Decryption Service

I'm pretty sure we are set. FW blocks any zbot. Mail not allowed to receive *.exe. FW blocks malicious/suspicious sites, etc and added DGA awareness. Plus, we use domain wide backup strategy. The individual machines if hit would be our weak link only if it somehow bypasses the FW. 

My question: Has a MITM been used during payment/decryption process?

A cautionary tale; Many many years ago we faithfully backed up a server using Backup Exec, used many tapes over months, then one day we needed to restore.  Unfortunately no one had ever tested the backups,  Backup Exec had been misconfigured and there was no way to restore, all the tapes were useless.

 

So in addition to implementing a good Backup plan, be sure to test your Backup plan, if you can't restore it's not much of a Backup plan.

Yea, that's the one thing we always did when implementing backups, testing... it sucks when there is just one file, a VERY important file, that a secretary deletes by accident, and during the restore you find that the backups didn't work... so we always do a test backup, pick a good bunch of files that aren't in use at the time and hang out till the backup is done, then do a restore. 

Great tip...

 We paid originally and it decrypted files. But some files are still encrypted. I tried new Decryption Service via tor project and uploaded about 10 files.. After this, within a minute it came up saying "This file is not encrypted, Please select another file"

 Has Virus damaged our files, permanently?

 I have also tried old and new cryptolocker versions to decrypt problem files, it comes up saying,
"Perhaps the file may be damaged or used by another process" Error code: 6007 (0x00001777) The specified file is not encrypted"

 So, looks like these files are not encrypted. But, they are not opening. There are quite a few files like this. Not sure what happened to them and is there a way to recover.

 I read below on another site. And in our case, decryption tool is saying that some files are not encrypted (which are not opening), probably because Virus managed to encrypt the file with AES key but then didn't encrypt using public key. What to try next, any suggestions?

Not sure I would trust the service. Who's to say they're not copying any files that are uploaded, unencrypting them, and keeping them for later use???

Your right. We have no idea. I can confirm that it worked on a sample that was previously submitted here and that the user paid the ransom on.

Not sure I would trust the service. Who's to say they're not copying any files that are uploaded, unencrypting them, and keeping them for later use???

Your right. We have no idea. I can confirm that it worked on a sample that was previously submitted here and that the user paid the ransom on.

They would certainly be keeping and checking out all files uploaded to their "service".  I would strongly advise against uploading anything containing sensitive or private information.

Can't help thinking that this could be an opportunity to hit back at them?  Have some sort of payload hidden in a file which triggers when they open it ... it might not even do any damage, but instead provide information that could be used to identify / track down the bastards.

Matter of interrest...I would beware of files being Encrypted TWICE...as this means ( only a "guess" here ) once you pay the CURRENT ransom...it will decrypt your files, but the files will STILL be encrypted...seeing its been encrypted twice...meaning, the FIRST layer of encryption is still there, so you'll need the first layers key-code to decrypt THAT again

This scenario might show its face if you ran an Anti Virus that deleted your PREVIOUS virus and registry-keys...and got re-infected!

Edited by RobinHoodSnr, 06 November 2013 - 02:09 AM.

If anyone know of backup software that stores files on external drives without copying and making the original file, including their regular extension, available?

I run my CrashPlan on my home "server" (a passively cooled Atom PC running Windows 7).  The free version will backup to a USB HD : CrashPlan FAQ

 

How is CrashPlan different from online backup?

Unlike ordinary online backup, CrashPlan lets you back up to other destinations in addition to online. You can back up to your other computers, external hard drives and to computers that belong to friends and family for free. If you want to back up online too, purchase a CrashPlan+ subscription.

Whilst I do pay for a CP+ subscription to keep a copy of my data offsite, I also have CP backing up to a USB HD on my server.  The folder / file structure on the USB shows CP de-dupes / compresses and stores the file in it's format eg

I've also used CP with a couple of customers and the only downside is you can't easily point the backup destination at a NAS UNC share.  There is an unsupported method which involves some batch file hacking here.

Hope this helps.

Chris.

I have two drives with an operating system on both 1 is c drive which is the main OS and d drive for backups and other things , if I happened to get this virus would it just affect my C drive or both, does anyone know?

I have two drives with an operating system on both 1 is c drive which is the main OS and d drive for backups and other things , if I happened to get this virus would it just affect my C drive or both, does anyone know?

that depends if the drives are mapped to each other. this virus will encrypt anything it can see.

I really appreciate this thread/forum topic guys, and have taken some great experience from others, and others mistakes.

Since applying new group policy changes suggested here our group infection rate has dropped from very low to 0.

Thanks again great community!

Edited by TsVk!, 07 November 2013 - 12:32 AM.

Bitcoin price has been going up rapidly lately.  I wonder if this is part of why?

And to think I shunned bitcoin last year at $30. Could have made a bomb of cash on this wave...

 

If anyone know of backup software that stores files on external drives without copying and making the original file, including their regular extension, available?

 

I run my CrashPlan on my home "server" (a passively cooled Atom PC running Windows 7).  The free version will backup to a USB HD : CrashPlan FAQ

I was wondering if this bugger can encrypt an encrypted and/or a password protected back-up drive/partition etc.?

I'll have to try when I get it all set up....lol