Original Cryptolocker Ransomware Support and Help Topic


3457 replies to this topic

#46 jonathan020

Posted 09 September 2013 - 01:58 PM

Last update I had from Trend Micro was at 10am EST to confirm they have added the threat to pattern CPR 10.264.03.

 

They say they are working on a decrypt tool.




#47 admiralnorman (Topic Starter)

Posted 09 September 2013 - 02:03 PM

 

On a related note, since a lot of us are seeing that TrendMicro is a common thread in this, any recommendations on a different AV?  Personally I am going with MS Security Essentials until a final decision is made.

 

Kaspersky failed to detect this until after it had encrypted the files. But it did promptly shut down the service and quarantined it.



#48 SYKES42

Posted 09 September 2013 - 02:17 PM

We are considering paying it. Does anyone know if there is a way to track this down through the credit card we might use? Probably going to use a gift card with no ties to our account.



#49 jonathan020

Posted 09 September 2013 - 02:20 PM

I would advise against it but understand you gotta do what you gotta do.

 

Definitely use a gift card. Try not to do it from your static IP, as the attacker will no doubt keep a record of you as a "willing customer" for targeted attacks.


Edited by jonathan020, 09 September 2013 - 02:21 PM.


#50 admiralnorman (Topic Starter)

Posted 09 September 2013 - 02:21 PM

> We are considering paying it. Does anyone know if there is a way to track this down through the credit card we might use? Probably going to use a gift card with no ties to our account.

 

Other users in this thread have mentioned success with getting access to their files back. Using a gift card or the like is a good idea.

 

Of course none of us recommend this. You never know what traces of the virus could be left after that. If there is any chance of restoring from a backup, you should exhaust that option first. If you should pay for it, put all of those files on an empty USB device, plug it into a non-networked workstation, and scan the be-jesus out of them. Even then, I don't think I could ever trust those files again.


Edited by admiralnorman, 09 September 2013 - 02:22 PM.


#51 proapp

Posted 09 September 2013 - 03:03 PM

I actually chuckled when getting ready to reply to this. We IT admins are SO anti-giving-in and paying the ransom that it is apparent a majority of you have not even clicked the button to go to the next page in the malware popup to submit payment...

 

They do not accept credit cards. For US victims they demand you use a Green Dot MoneyPak card. I had to go to a local drugstore (Walgreens) and buy it with cash... wait an hour to activate it, and then just type in the number that was on the card.

 

Again, this goes to prove just how (evil) genius the author of this bug is.

 

If there is ever a legal investigation that can somehow trace the MoneyPak payment, I would be happy to participate in any way possible!



#52 proapp

Posted 09 September 2013 - 03:12 PM

Oh, I recommend you NOT move your files. When you pay the ransom it goes through the file list it had encrypted (and willingly displays to you on the initial popup). If you move the files or deny access to them then the decryption process will not happen properly, as it did for me. In my case, EVERY FILE it had access to was already futzed, so limiting its access would have been a futile activity.

 

What I didn't test is this: once it goes through the decryption, it tells you to check all your files (in my case hundreds of thousands of MS Office and JPG files), and any files that were NOT decrypted you should place on your desktop and press the retry button...

 

I randomly tested sections of my files and determined that all seemed to be decrypted. At that point I pulled the network plug and then the power plug on the infected machine until I can back up the hard drive on it and format it. (Pulling the power plug was mainly to stop users from trying to use it.)

 

IF you do move your files or change permissions, paying MAY still work if you put the files on your desktop as the virus tells you to do after it goes through its pre-recorded encrypted file list... But I cannot comment on whether this works or not.

 

Each situation is different; I am just trying to supplement the knowledge on this infection the best I can.
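The check proapp describes above, going through the tree after the decryption pass to find files that did not come back, can be automated rather than spot-checked. The following is an added example, not code from this thread or from any vendor's tool: it walks a directory and flags files whose leading bytes do not match the signature their extension implies (JPEG, PNG, PDF, Office formats). The sample tree it builds is constructed for the demo; the signature table and the assumption that an undecrypted file still has its header overwritten are mine and are not something the thread establishes. A file with an extension the table does not cover is skipped rather than judged, and a legitimately mislabelled file will show up as a false positive, so treat the list as a queue to inspect, not a verdict.

```python
"""Flag files whose first bytes do not match the magic number their extension implies.

Added example, not from the original thread. Heuristic only: it assumes a file that
was never decrypted still has a non-matching header, skips extensions it does not
know, and will flag a legitimately mislabelled file as a false positive.
"""
import os
import tempfile

# Expected leading bytes per extension (well-known file signatures).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound files
ZIP = b"PK\x03\x04"                           # Office 2007+ formats are zip containers
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
}


def header_matches(path):
    """Return True if the header matches, False if not, None if the extension is unknown."""
    ext = os.path.splitext(path)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    with open(path, "rb") as f:
        head = f.read(max(len(s) for s in sigs))
    return any(head.startswith(s) for s in sigs)


def scan_tree(root):
    """Map each file under root (relative, '/'-separated) to its header_matches() result."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = header_matches(path)
    return results


def find_suspect_files(root):
    """Sorted relative paths of files whose header contradicts their extension."""
    return sorted(p for p, ok in scan_tree(root).items() if ok is False)


# Constructed sample data: two intact files, two with overwritten headers, one
# file of a type the table does not cover. The "ciphertext" is just fixed
# arbitrary bytes that match no signature.
FAKE_CIPHERTEXT = b"\x3a\x7f\xc2\x19\x88\x0e\x51\xd4" * 3
SAMPLE_FILES = {
    "photos/ok.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "docs/ok.docx": ZIP + b"\x00" * 16,
    "photos/hit.jpg": FAKE_CIPHERTEXT,
    "docs/hit.doc": FAKE_CIPHERTEXT,
    "notes/readme.txt": b"plain text, no signature to check",
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temp dir; return (per-file results, suspect list)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root), find_suspect_files(root)


if __name__ == "__main__":
    results, suspects = demo()
    for rel, ok in sorted(results.items()):
        print(f"{rel}: {'ok' if ok else 'unknown type' if ok is None else 'HEADER MISMATCH'}")
    print("suspects:", suspects)
```

Point find_suspect_files() at the share that was hit; anything it lists is a candidate for the "put it on the desktop and retry" step proapp mentions, and anything it does not list is still only unproven, since a file whose extension is not in the table is never examined.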



#53 SYKES42

Posted 09 September 2013 - 03:12 PM

so, Greendot primate loser company is worthy of my ire as well?

 

We are restoring, but dang, I'd like to catch this idiot at his ATM, even if it is in Beijing.



#54 Fabian Wosar (Authorized Emsisoft Representative, Security Developer)

Posted 09 September 2013 - 03:17 PM

I am currently looking into this malware. Would one of you that hasn't paid the ransom yet be open to a small remote session using TeamViewer to gather some additional information?

Thanks :).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#55 solomonshv

Posted 09 September 2013 - 03:25 PM

> I am currently looking into this malware. Would one of you that hasn't paid the ransom yet be open to a small remote session using TeamViewer to gather some additional information?
>
> Thanks :).

 

Someone here jumped and removed the virus from the infected system. What I can do for you is give you a file before and after it was encrypted. I can also pull files out of the Malwarebytes quarantine and send that to you. Would that be useful?



#56 Fabian Wosar (Authorized Emsisoft Representative)

Posted 09 September 2013 - 03:34 PM

Thank you solomonshv,

Someone else was a little bit faster than you though :).

#57 solomonshv

Posted 09 September 2013 - 03:44 PM

Someone always is. That's 3 times I've been beaten to the punch on something today.



#58 Fabian Wosar (Authorized Emsisoft Representative)

Posted 09 September 2013 - 03:51 PM

Does your offer still stand, solomonshv? :)

#59 solomonshv

Posted 09 September 2013 - 03:54 PM

> Does your offer still stand, solomonshv? :)

Of course. Just tell me where to send this stuff. I didn't see an e-mail address in your profile.



#60 Chuck Sp

Posted 09 September 2013 - 04:35 PM

So does anyone have any vector information? How is this contracted? What can we do to prevent it? It's a game-changing virus, and if it can't be prevented and can't be stopped except by a backup... who wants to have to do a full server restore every damn time an end user gets some damn spyware?

 

Whoo, this thing has my stomach in knots.
