CryptoLocker Ransom Virus Cleanup

In case you haven’t discovered the CryptoLocker virus, it is a particularly nasty virus that sits unannounced on your computer and basically encrypts a whole variety of useful files that you would save with the following file extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

The virus encrypts the files using a Public AND a Private key.  The only way to decrypt the files is to pay the $300 ransom asked of you which basically provides you with the Private Key to decrypt your files.  The virus gives you a countdown warning that if you don’t pay the ransom within the ever diminishing time, then the Private key will be destroyed and your data will be toast!

Having been called to deal with another CryptoLocker virus discovered on a new customer’s computer recently, the damage to the server was overcome by restoring all data from a recent backup but I was now looking at cleaning up the infected client’s computer (which had been removed from the LAN and switched off).

To stop the warning message appearing, I used Rkill (the iexplore.exe version – I find this works more often that using the rkill.exe version) to highlight the random .exe file that is running, but as there are usually two copies of the file running, once Rkill identifies the name of the file, it will kill one of the processes, but the 2nd will spawn another version of itself and so you find that the processes are still running.

A quick DOS TASKKILL command will kill both processes off at the same time (taskkill /f /im randomexefilename.exe)

Once the processes have been stopped, I then use Roguekiller to identify and clean up the computer, noting the name of the two .dll files that are created in c:\users\USERNAME\appdata\roaming and then scour the registry for those .dll files and the original randomexefilename, removing any traces that are found.  I also check to make sure the .dll and .exe files are removed too – you can’t be too careful.  The .exe file usually resides in c:\users\USERNAME\appdata\roaming\randomfoldername.

Once the registry is clean, you can then look at recovering local files from the Shadow Copies.  There is a good write up on BleepingComputer on how to do this, so I won’t expand on what’s written there.

During my cleaning of the computer today, I noticed that the folder that contained the randomexefilename.exe file was created back in July 2012 and the two .dll files in appdata\roaming were created on the 1st October 2013.  As I had a vague idea the infection came in via Email, I looked for odd emails on the 1st October in the users mailbox and noticed that there were several emails with the Subject: “Your Amazon.co.uk order #” which all contained attachments and were all .ZIP files.  Having deleted all those emails and checked the Anti-Spam logs on the server, the emails appeared to come from Hotmail.com accounts, so I tweaked the filters on the Anti-Spam Software on the server (Vamsoft ORF Fusion) to block all .ZIP file attachments (except from trusted sources).

So it would appear that this particular virus, or at least the origins of it may have been hiding dormant in the customer’s computer since July 2012 and then the opening of the .ZIP file attachment on the 1st October added more to the virus and then it finally completed its encryption of files a week or two later at which point it popped up its ransom demand.

This particular customer was lucky because they backup their files nightly and Shadow Copies were enabled on the client computer, so encrypted files could be recovered completely, but if you are reading this now and you have the warning and don’t have a backup, then you will need to pay the $300 ransom to get your files back.  If you kill the virus off and tidy up after it and don’t have a backup, you can kiss your files goodbye permanently.

Alan