Recovering Ransomlocked Files Using Built-In Windows Tools 

Oct 25, 2013 09:36 AM

Introduction

This is the second in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in December 2017.

This second article deals with a few possible ways to prevent, and to recover from, one of today's most destructive threats, should it infect your network and hold your data hostage.

About Cryptolocker and Ransomware: An Ounce of Prevention....

Recent years have shown a rise in the number of ransomware threats in circulation.  These threats hijack a whole computer or its data and demand that a payment is made in order to unlock or decrypt them.  The authors of these malicious threats have a very strong financial motive for infecting as many computers as possible, and have put substantial resources into making these threats prevalent.  New variants are seen all the time.  The following articles (and the links they contain) have more detail on the subject.

 

Additional information about Ransomware threats
http://www.symantec.com/docs/TECH211589

Ransomcrypt: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

Hardening Your Environment Against Ransomware
https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware

 

One recent variation calls itself "CryptoLocker."  Current definitions from Symantec detect this family as Trojan.Cryptolocker though older definitions classified it as Trojan.Ransomcrypt.F or Trojan.Gpcoder.H.  Prevention is far better than a cure for ransomware and ransomlock threats: end user education and the use of some of SEP's optional capabilities can help keep your data safe!

This infection is typically spread through emails sent to corporate email addresses, pretending to be from an array of legitimate companies. (See Support Perspective: W97M.Downloader Battle Plan for advice on how to keep malicious mails out!)  These emails contain an attachment that, when opened, infects the computer. Often, these .zip attachments contain executables that are disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and trick victims into opening them. If SEP 12.1's optional Proactive Threat Protection (SONAR) is running, it will prevent these double-extension executables from causing harm.

Sometimes Trojan.Cryptolocker is brought into the network from Trojan.Zbot, so full system scans are necessary to identify any and all threats introduced in the environment.  Do not rely on SEP's AutoProtect alone!

Once it is on the computer, Trojan.CryptoLocker will contact a "secret server" (Command and Control server) and generate a unique key with which to encrypt the victim's files.  Using SEP's optional IPS components will block this communication and keep files from being locked by this threat.  Definitely deploy IPS, if it is not already in use!

If it is able to generate a key, Trojan.CryptoLocker will then begin to sabotage all the MS Office documents, OpenOffice documents, and other valuable materials it can.  A list of affected extensions is available in the Trojan.Ransomcrypt.F Technical Details (though, of course, different variants will behave differently....).  Both files on the local computer and on any mapped network shares can be affected.  Once the encryption is complete, the threat will display a pop-up which explains what it has done and demands payment for those files to be decrypted.  It may also change the Windows desktop.

[Image: cryptolocker.jpg]

...The Pound of Cure

If your files have been locked by this threat, Symantec advises: do not pay the ransom.  If these scams make money for their authors, it will only encourage the attackers.  Your payment will fund R&D for new and more sophisticated attacks against you.

Follow the steps in this document to contain and eliminate the threat:

 

Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466 

Now it's time to think about recovery.

Decryption without the key from your attackers is not feasible, but that does not mean that a Trojan.CryptoLocker threat must seriously disrupt your business.  A scan with new AntiVirus definitions will be able to detect and remove the executable file and prevent any further damage. If your organization has been following best Disaster Recovery practice and maintaining a routine schedule of backups, then simply delete all the encrypted files and restore them from their last known-good backup.  Symantec supplies Backup Exec, NetBackup, and a number of backup tools in the Norton consumer products.  Other vendors supply other products which can likewise make the job of recovering from Trojan.CryptoLocker quite straightforward.

With some variants of Trojan.Cryptolocker, it is possible to use Windows Powershell to generate a list of files that have been encrypted by ransomlock.  You can dump the list of files in the CryptoLocker registry key using the following command:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode

Note that more recent variants  seem to have changed their code to prevent the generation of such a list.  It will be necessary to identify the corrupted files manually.
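As an added example (not code from the original article), the following PowerShell script builds the list of files to restore: it reads the HKCU:\Software\CryptoLocker\Files key when the variant left one, and otherwise falls back to flagging files under a set of assumed folders whose leading bytes no longer match their extension, which takes most of the tedium out of the manual identification. The folder list, output file name and file-type table are assumptions.

```powershell
# Added example: list candidate files for restoration after a ransomware infection.
# Uses the CryptoLocker registry list when present, otherwise inspects file headers.
param(
    [string[]]$Root = @("$env:USERPROFILE\Documents"),   # assumed folders to triage
    [string]$Out = "CryptoLockerFiles.txt"
)

# Expected leading bytes ("magic numbers") for the document types ransomware targets most.
$magic = @{
    '.doc'='D0CF11E0'; '.xls'='D0CF11E0'; '.ppt'='D0CF11E0'                        # OLE2 compound file
    '.docx'='504B0304'; '.xlsx'='504B0304'; '.pptx'='504B0304'; '.odt'='504B0304'   # ZIP container
    '.ods'='504B0304'; '.zip'='504B0304'
    '.pdf'='25504446'                                                                 # "%PDF"
    '.jpg'='FFD8FF'; '.png'='89504E47'
}

# True when a file's first bytes do not match what its extension promises.
function Test-ContentMismatch {
    param([System.IO.FileInfo]$File)
    $want = $magic[$File.Extension.ToLower()]
    if (-not $want -or $File.Length -lt 4) { return $false }   # unknown type: cannot judge
    $fs = $File.OpenRead()
    try {
        $buf = New-Object byte[] 4
        $n = $fs.Read($buf, 0, 4)
    } finally { $fs.Close() }
    $have = ($buf[0..($n-1)] | ForEach-Object { $_.ToString('X2') }) -join ''
    return -not $have.StartsWith($want)
}

$list = @()
$key = 'HKCU:\Software\CryptoLocker\Files'
if (Test-Path $key) {
    # Older variants recorded every encrypted path here, with '\' stored as '?'.
    $list += (Get-Item $key).GetValueNames() | ForEach-Object { $_.Replace('?','\') }
} else {
    Write-Warning "No $key found; falling back to content inspection of $($Root -join ', ')"
    $list += Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-ContentMismatch $_ } |
        Select-Object -ExpandProperty FullName
}
$list | Sort-Object -Unique | Out-File $Out -Encoding unicode
"{0} candidate file(s) written to {1}" -f $list.Count, $Out
```

The header check produces candidates, not proof: a file that was already corrupt or saved under the wrong extension will also be listed, so review the output before deleting anything.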

 

Microsoft Built-In Tools: Windows Backup 

Windows comes with a built-in backup and restore utility.  Windows Backup is a freebie that can restore encrypted files (or files otherwise damaged by any threat), providing that you have made a backup of them prior to the damage.  Microsoft have released a video on how to use the built-in backup and restore tool to backup your important files.  Watching this simple how-to will enable you to schedule a known-good backup of your selected data, and will only cost a minute of your life.  Definitely recommended!

 

Back up your files
http://windows.microsoft.com/en-ie/windows7/back-up-your-files

 

This Windows Backup tool also has the ability to create a system image: this is an exact image of the entire drive, including system settings, programs, files, everything.  If this system image is restored, it will not only replace all the corrupted files that Trojan.CryptoLocker has damaged; it will overwrite everything!  Use system image restoration with caution.

Use a Previous Version

An alternative, if it is a technology in use in your organization, is to restore from a Previous Version.  Previous versions are copies of files and folders that Windows automatically saved as part of system protection. This feature is fantastic at rescuing files that were damaged by malware. Here's another Microsoft article with all the details:

Previous versions of files: frequently asked questions
http://windows.microsoft.com/en-ie/windows7/previous-versions-of-files-frequently-asked-questions

If system protection is enabled, Windows automatically creates previous versions of files and folders that have been modified since the last restore point was made.

As an example: let's say that Trojan.CryptoLocker has turned the important MS Word document "Network and Telco.doc" into gibberish.  From Windows Explorer, just right-click it, choose "Restore previous versions", highlight the version from last week (before the damage was done) and click Restore.

[Image: restore_example.png]

 

On the File Server: Volume Shadow Copies

If Trojan.CryptoLocker has damaged files that reside in a mapped directory on a corporate file server, there's a slightly different method for restoring them.  If Volume Shadow Copies are enabled on the server, recovery should be easy.  More details and a mention of gourmet snacks can be found in this Technet article:

Rapid Recovery with the Volume Shadow Copy Service
http://technet.microsoft.com/en-ie/magazine/2006.01.rapidrecovery(en-us).aspx
 

Many cryptolockers will now attempt to delete shadow copies, but it is worth trying. 
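As an added example for the Previous Versions and shadow-copy sections above (not code from the original article or from Microsoft), this PowerShell script finds the newest shadow copy of the file's volume that still holds an intact version, skips snapshots taken after the damage was done, and copies that version out. It assumes an elevated prompt, that the Win32_Volume and Win32_ShadowCopy classes are available, and a sample file path.

```powershell
# Added example: copy a file back from the newest Volume Shadow Copy that still
# holds an intact version of it. Run elevated. Paths are assumed sample values.
param(
    [Parameter(Mandatory)][string]$Path,          # e.g. 'C:\Docs\Network and Telco.doc'
    [string]$Destination = "$Path.restored"        # written next to the damaged file
)

$full = [System.IO.Path]::GetFullPath($Path)
$root = [System.IO.Path]::GetPathRoot($full)      # 'C:\'
$rel  = $full.Substring($root.Length)             # 'Docs\Network and Telco.doc'

# Map the drive letter to its \\?\Volume{GUID}\ name, which is how shadow copies are keyed.
$volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $root.TrimEnd('\') }
if (-not $volume) { throw "No volume found for $root" }

# Newest snapshot first. Recent ransomware often deletes these, so there may be none at all.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending
if (-not $shadows) { Write-Warning "No shadow copies exist for $root"; return }

# Hash of the damaged file, so snapshots taken after the encryption can be skipped.
$damaged = if (Test-Path -LiteralPath $full) { (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash }

foreach ($sc in $shadows) {
    # Expose the snapshot through a directory symlink; mklink needs the trailing backslash.
    $link = Join-Path $env:SystemDrive ("\vss_" + [guid]::NewGuid().ToString('N'))
    cmd.exe /c mklink /d $link "$($sc.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $rel
        if (-not (Test-Path -LiteralPath $candidate)) { continue }
        if ((Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash -eq $damaged) {
            Write-Verbose "Snapshot from $($sc.InstallDate) already holds the damaged copy"
            continue
        }
        Copy-Item -LiteralPath $candidate -Destination $Destination -Force
        "Restored version from $($sc.InstallDate) to $Destination"
        return
    } finally {
        cmd.exe /c rmdir $link | Out-Null    # removes only the link, never the snapshot
    }
}
Write-Warning "No intact copy of $Path found in any shadow copy"
```

For files on a file server, run the same script on the server itself against the local path of the share, since the shadow copies live on the server's volume, not on the client's mapped drive.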

Conclusion

After cleaning up from this Trojan.CryptoLocker threat, it would be a very good idea to run a diagnostic to ensure there are no additional undetected malicious files on the computer(s).  The following article provides an illustrated example of how this can be done:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team
https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

And it would also be a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques.  Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

 

Many thanks for reading!  Please do leave comments and feedback below. 

Comments

Sep 20, 2019 06:59 AM

Separate the Infection: Prevent the infection from expanding by isolating all infected computers from each other, from shared storage, and from the network.

Recognize the Infection: From messages, evidence on the computer and identification tools, determine which malware strain you are dealing with.

Report to the authorities to support and coordinate measures to counter the attack.

Determine Your Options: You have many ways to deal with the infection. Decide which approach is best for you.

Restore and Refresh: Use safe backups and program and software sources to restore your computer or outfit a new platform.

Plan to Prevent Recurrence: Make an assessment of how the infection occurred and what you can do to put measures into place that will prevent it from happening again.

https://windowserrors.org/windows-10-repair-tool/

Jan 23, 2017 05:34 AM

Just an observation - your impressive home page picture shows a headline that Symantec is working with the FBI - but we are seeing reports in the media that the FBI is telling targeted businesses / agencies to pay the ransoms.

Aug 06, 2016 03:11 PM

My attached backup hard disk was easily corrupted when the main disk was violated. You need a separate backup device. That means more expense and labor.

The files seem to have an addon tag depending on the type of file. Surely this can be useful. I also wonder why the ransomware virus wasn't flagged with bells and a flashing red screen. This is the most damaging virus I have encountered and it seems to be worldwide.

Jul 15, 2016 02:28 AM

My files, photos, documents, videos and database have been encrypted by Cerber ransomware. Mick, do you have the file for Windows 8 backup?

May 24, 2016 05:05 PM

I have 339 decryption keys for 4339 files after they were encrypted by a crypto virus in Jan this year. Reading one of Symantec's reports, the Crypto ransomware makers didn't know that their virus inadvertently left a file containing the keys to unlock the files that were encrypted on the person's computer. NOTE Additional info: the report was written in 2014 and used as a basis for an information blog by a gentleman in Australia. It must be the same virus of 2 yrs ago, since it created a folder and placed the keys in it.

I have done many searches on this and there isn't one mention of how to use these keys, or with what software, to unlock them. Everyone is guessing or recommends theirs and other pieces of software that will unlock encrypted files. Well, in my experience they don't.

So Symantec, this is the place that should certainly know what I have to use and do to get my files unlocked using the keys I have so please help.

Nov 20, 2015 11:15 AM

I don't recommend paying the ransom at all.  That supplies the malware authors with R&D to create an even worse threat.

Ransomware Do's and Dont's: Protecting Critical Data
https://www-secure.symantec.com/connect/blogs/ransomware-dos-and-donts-protecting-critical-data

Nov 20, 2015 11:10 AM

The only solution is restore from backup or pay the ransom. It's not possible to break the encryption. Aside from the two solutions above, you're out of luck.

Nov 20, 2015 11:08 AM

Dear Brian, that was my important data...I googled a lot but no solution...I came across that it is RSA 2048 encryption...will there be no solution, any decryptor tool...any help appreciated..

Nov 20, 2015 07:43 AM

If you formatted your system and you have no back up then the data is gone.

Nov 20, 2015 07:38 AM

Mick2009 My system was infected by crypto virus. I mistakenly formatted my system..I tried to restore the previous version but there was nothing in that window.All my files (video,audio,pictures and all my word files) got infected...I am really worried how i would restore my data plz Help..

Jul 24, 2015 09:04 AM

Ninth article in this series now available!

 

Using Today's SymHelp to Combat Today's Threats
https://www-secure.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

Dec 12, 2014 01:52 PM

Agree with .Brian as I have seen this pure evil in action, and IPS, NTP-Firewall, Download Insight, SONAR, AND Application and Device Control including Host Integrity (HI) Secure Workstation templates should be thoroughly tested and, if successful with pilot endpoints, unleashed to the masses.

Dec 12, 2014 12:29 PM

How do you have SEP configured? AV alone is not enough to stop this threat as it regularly changes to evade detection.

In addition, do you use, IPS, firewall, Download Insight, SONAR, or application and device control? These should be in use as well.

I've attached a good PDF to go thru

Dec 12, 2014 12:19 PM

That is what I also believe...

 

Another question is how did this pass "through" our antivirus shield.

Dec 12, 2014 12:10 PM

The problem is the files are encrypted so they're unreadable.

Again, if no backup, they're likely gone. It's not possible to crack the encryption.

 

Dec 12, 2014 11:28 AM

Unfortunately there was no backup for the external disc.

The files (mostly Excel) are opening, but the whole information's appearance is with symbols, numbers and weird things.

 

Is there any solution?

I am thinking of recovering the disc with hirens or even with recovery device and some software

Dec 12, 2014 11:22 AM

Unless you had a backup, they're likely gone.

Dec 12, 2014 11:21 AM

Hello, one of our PCs has been infected by CryptoLocker.

We restored the workstation but we cannot restore the files located on an external HDD.

How can we restore them? There are no previous versions....

Nov 19, 2014 10:05 AM

Great article.  Just had a client infected with CryptoWall v2.  My customer is a small business with only 4 PCs and no stand-alone server.  Their back-office PC is configured as the POS server and also used by the owner.  They download constantly and that is how they got the virus.

How would the above article differ for the NIS product (or similar non-networked product).  I want  to make sure that they are protected from any future attacks.  Thanks Chuck

Sep 03, 2014 08:05 AM

A new site which may help to recover cryptolocked files:

DeCryptolocker – New Free cleaning service from FireEye and FoxIt

https://www.decryptcryptolocker.com/

Sep 03, 2014 04:40 AM

Hello, mega article, thanks. One extra tool that may be useful is Windows System Restore, even as a last resort if no backup is available.
Rob

Jun 06, 2014 09:02 AM

Some good news.... &: )

International Takedown Wounds Gameover Zeus Cybercrime Network

https://www-secure.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network

 

Feb 28, 2014 09:17 AM

Hi polu9495,

Delete the sabotaged files manually (they are harmless and useless), but check your SEP logs to ensure that the .exe which did the damage in your network has been found and eliminated.

Hope this helps!

Mick

Feb 28, 2014 09:13 AM

If I delete those infected files, can I escape from them??? will it infect other files in future??

Feb 22, 2014 11:43 PM

Awesome article Mick2009

Feb 20, 2014 02:50 AM

@Mick,

Absolutely outstanding. Your articles are spot on advice and recommendation. BRAVO ZULU!!!!!

Feb 13, 2014 12:07 PM

The fifth article in this series is now available.  An illustrated guide to the tools and techniques necessary to defeat W32.Downadup can be found in the new Connect article:

Killing Conficker: How to Eradicate W32.Downadup for Good
https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good

Jan 09, 2014 06:36 AM

The fourth in this series has just been posted- it is a long one, but definitely worthwhile.

The Day After: Necessary Steps after a Virus Outbreak

https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

Dec 30, 2013 05:15 AM

Just adding a cross-reference for a new variant:

Trojan.Cryptolocker.B
http://www.symantec.com/security_response/writeup.jsp?docid=2013-122312-5826-99
 

Current SEP definitions (after December 23, 2013) provide protection against this copycat threat.

Dec 10, 2013 01:42 AM

Another excellent resource on this topic:

Cryptolocker Q&A: Menace of the Year

https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

Nov 19, 2013 09:08 AM

Also see this new post from Security Response:

Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign
https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign
 

Nov 15, 2013 11:23 AM

Readers of this article may be interested in the series' third installment.....

Two Reasons why IPS is a "Must Have" for your Network
https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

Nov 13, 2013 03:11 PM

This is a great article.

Nov 13, 2013 08:34 AM

Absolutely 'AWESOME' stuff. This is just great information, at the right time. Thank YOU.

Nov 06, 2013 12:54 PM

Great article!! I got a case a few months ago with this threat!

Nov 04, 2013 04:30 AM

Cheers Brian!  The %$&^!! who wrote this CryptoLocker threat is hiding somewhere so that people can't give him a "thumbs down."  I suppose this article on the topic is the closest related place where victims can vent their displeasure.

I look forward to the day when I can add a link here to a news item about the capture, arrest and sentencing of this particular individual.  &: )   

Nov 03, 2013 07:46 AM

Great article as always Mick.

My question is unrelated to it but why are all these posts getting down voted?! Seems very helpful to me...

Nov 03, 2013 06:15 AM

Hi Eamon,

For information from this article: https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

"Symantec customers are protected by the intrusion prevention signature (IPS) System Infected: Trojan.Ransomcrypt.F, which blocks the Trojan’s access to the generated domains."

Symantec has created this specific IPS signature: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27046 to detect this threat.

Nov 01, 2013 12:20 PM

Thanks Mick, great article!

Oct 31, 2013 05:32 AM

Thanks Mick though not much comfort for those affected! Is it possible for Symantec to create specific or more generic IDS for these DNS requests? These are a sure giveaway that a C&C client is trying to phone home and may be visible on the network long before the C&C controller becomes live.

Oct 30, 2013 01:53 PM

Hello,

Thank you for such an Excellent Article.!!!

Regards,

Oct 30, 2013 01:02 PM

Great article!!! Thanks Mick!!!
