
Recovering Ransomlocked Files Using Built-In Windows Tools

Created: 25 Oct 2013 • Updated: 25 Nov 2013 | 21 comments
By Mick2009

Introduction

This is the second of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions). 

The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use the reporting features of SEP 12.1's SONAR component to identify suspicious files for which no AntiVirus signatures had yet been created.

This article deals with a few possible ways to prevent, and recover from, one of today's most destructive threats, should it infect your network and hold your data hostage.

About Cryptolocker and Ransomware: An Ounce of Prevention....

Recent years have shown a rise in the number of ransomware threats in circulation. These threats hijack a whole computer or its data and demand payment in order to unlock or decrypt them. The authors of these malicious threats have a very strong financial motive for infecting as many computers as possible, and have put substantial resources into making these threats prevalent. New variants are seen all the time. The following articles (and the links they contain) have more detail on the subject.

 

Additional information about Ransomware threats
http://www.symantec.com/docs/TECH211589

Ransomcrypt: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

 

One recent variation calls itself "CryptoLocker." Current definitions from Symantec detect this family as Trojan.Cryptolocker, though older definitions classified it as Trojan.Ransomcrypt.F or Trojan.Gpcoder.H. Prevention is far better than a cure for ransomware and ransomlock threats: end user education and the use of some of SEP's optional capabilities can help keep your data safe!

This infection is typically spread through emails sent to corporate email addresses, pretending to be from an array of legitimate companies. These emails contain an attachment that, when opened, infects the computer. The .zip attachments contain executables disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and trick victims into opening them. If SEP 12.1's optional Proactive Threat Protection (SONAR) is running, it will prevent these double-extension executables from causing harm.
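As an added example (not code from the original article or from Symantec), the following PowerShell script sweeps a few folders for the double-extension trick described above: a document-looking extension such as .pdf immediately followed by an executable extension, which Explorer shows as a plain "FORM_101513.pdf" when extensions are hidden. The folder list, the two extension lists and the CSV output path are assumptions chosen for illustration; the optional HideFileExt change is the standard Explorer setting that makes extensions visible.

```powershell
# Added example: find files whose name ends in <docext>.<execext>, e.g. FORM_101513.pdf.exe.
# Folders, extension lists and the output path below are assumptions for illustration.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [switch]$ShowExtensions   # also switch Explorer to showing extensions for this user
)

$docExt  = 'pdf','doc','docx','xls','xlsx','ppt','pptx','txt','jpg','png','zip'
$execExt = 'exe','scr','com','pif','bat','cmd','js','vbs','wsf'

# Regex: ".<docext>.<execext>" at the very end of the file name (case-insensitive match below)
$pattern = '\.(' + ($docExt -join '|') + ')\.(' + ($execExt -join '|') + ')$'

function Find-DoubleExtensionFiles {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -imatch $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    DisplayedAs   = $_.BaseName    # what a user sees with extensions hidden
                    RealExtension = $_.Extension   # the extension that actually runs
                    SizeBytes     = $_.Length
                    LastWrite     = $_.LastWriteTime
                }
            }
    }
}

$hits = @(Find-DoubleExtensionFiles -Roots $Paths)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    # Keep a record for the incident file
    $hits | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'double-extension-files.csv')
} else {
    Write-Host "No double-extension files found under: $($Paths -join ', ')"
}

if ($ShowExtensions) {
    # HideFileExt = 0 makes Explorer display extensions for the current user
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name HideFileExt -Value 0
    Write-Host 'Explorer will show file extensions after the next sign-in or Explorer restart.'
}
```

Run it as the affected user so that the profile's Downloads and Temp folders are the ones inspected; the "DisplayedAs" column is exactly the name the victim would have seen in Explorer.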

Sometimes Trojan.Cryptolocker is brought into the network by Trojan.Zbot, so full system scans are necessary to identify any and all threats introduced into the environment. Do not rely on SEP's AutoProtect alone!

Once it is on the computer, Trojan.CryptoLocker will contact a "secret server" (Command and Control server) and generate a unique key with which to encrypt the victim's files.  Using SEP's optional IPS components will block this communication and keep files from being locked by this threat.  Definitely deploy IPS, if it is not already in use!

If it is able to generate a key, Trojan.CryptoLocker will then begin to sabotage all the MS Office documents, OpenOffice documents, and other valuable materials it can reach. A list of affected extensions is available in the Trojan.Ransomcrypt.F Technical Details (though, of course, different variants will behave differently....). Both files on the local computer and files on any mapped network shares can be affected. Once the encryption is complete, the threat will display a pop-up which explains what it has done and demands payment for those files to be decrypted. It may also change the Windows desktop.

[Image: cryptolocker.jpg]

...The Pound of Cure

If your files have been locked by this threat, Symantec advises: do not pay the ransom. If these scams make money for their authors, it will only encourage the attackers. Your payment will fund R&D for new and more sophisticated attacks against you.

Follow the steps in this document to contain and eliminate the threat:

 

Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466 

Now it's time to think about recovery.

Decryption without the key from your attackers is not feasible, but that does not mean that a Trojan.CryptoLocker threat must seriously disrupt your business.  A scan with new AntiVirus definitions will be able to detect and remove the executable file and prevent any further damage. If your organization has been following best Disaster Recovery practice and maintaining a routine schedule of backups, then simply delete all the encrypted files and restore them from their last known-good backup.  Symantec supplies Backup Exec, NetBackup, and a number of backup tools in the Norton consumer products.  Other vendors supply other products which can likewise make the job of recovering from Trojan.CryptoLocker quite straightforward.

With some variants of Trojan.Cryptolocker, it is possible to use Windows PowerShell to generate a list of the files that the threat has encrypted. You can dump the list of files recorded in the CryptoLocker registry key using the following command:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode

Note that more recent variants seem to have changed their code to prevent the generation of such a list. In that case it will be necessary to identify the corrupted files manually.
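The following PowerShell script is an added example (not from the original article) that combines the two situations just described. It first tries the HKCU:\Software\CryptoLocker\Files key exactly as the one-liner above does; if the key is absent, as with the newer variants, it falls back to the manual route of listing every file on local and mapped drives whose last-write time falls inside the incident window. The default six-hour window and the output path are assumptions; adjust the window to the time the pop-up appeared.

```powershell
# Added example: build the list of files to restore, from the registry key if the
# variant still writes it, otherwise from a last-write-time sweep. Window and output
# path are assumptions for illustration.
param(
    [datetime]$From = (Get-Date).AddHours(-6),   # assumed start of the encryption run
    [datetime]$To   = (Get-Date),
    [string]$OutFile = "$env:USERPROFILE\CryptoLockerFiles.txt"
)

function Get-CryptoLockerRegistryList {
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    # Value names carry '?' where a backslash belongs; swap them back, as the article's one-liner does
    (Get-Item -LiteralPath $key).GetValueNames() | ForEach-Object { $_.Replace('?', '\') }
}

function Get-RecentlyWrittenFiles {
    param([datetime]$Start, [datetime]$End)
    # Every drive letter PowerShell knows about: local fixed disks and mapped network shares
    $roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
             ForEach-Object { $_.Root }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
            Select-Object -ExpandProperty FullName
    }
}

$list   = @(Get-CryptoLockerRegistryList)
$source = 'registry key'
if ($list.Count -eq 0) {
    # Newer variants leave no key behind: fall back to the time-window sweep
    $source = "last-write-time sweep $From .. $To"
    $list   = @(Get-RecentlyWrittenFiles -Start $From -End $To)
}

# Record whether each path still exists so that deleted files are not silently dropped
$report = @(foreach ($p in $list) {
    [pscustomobject]@{ Path = $p; Exists = (Test-Path -LiteralPath $p) }
})
$report | Sort-Object Path | ForEach-Object { "{0}`t{1}" -f $_.Path, $_.Exists } |
    Out-File -FilePath $OutFile -Encoding unicode
Write-Host ("{0} paths written to {1} (source: {2})" -f $report.Count, $OutFile, $source)
```

The sweep deliberately errs on the side of listing too much: legitimate files edited during the window will appear too, so review the list before deleting anything, and keep it with the incident record so the restore step can be checked against it.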

 

Microsoft Built-In Tools: Windows Backup 

Windows comes with a built-in backup and restore utility. Windows Backup is a freebie that can restore encrypted files (or files otherwise damaged by any threat), provided that you made a backup of them prior to the damage. Microsoft have released a video on how to use the built-in backup and restore tool to back up your important files. Watching this simple how-to will enable you to schedule a known-good backup of your selected data, and will only cost a minute of your life. Definitely recommended!

 

Back up your files
http://windows.microsoft.com/en-ie/windows7/back-up-your-files

 

This Windows Backup tool also has the ability to create a system image: an exact image of the entire drive, including system settings, programs, files, everything. If this system image is restored, it will not only replace all the corrupted files that Trojan.CryptoLocker has damaged; it will overwrite everything! Use system image restoration with caution.

Use a Previous Version

An alternative, if it is a technology in use in your organization, is to restore from a Previous Version.  Previous versions are copies of files and folders that Windows automatically saved as part of system protection. This feature is fantastic at rescuing files that were damaged by malware. Here's another Microsoft article with all the details:

Previous versions of files: frequently asked questions
http://windows.microsoft.com/en-ie/windows7/previous-versions-of-files-frequently-asked-questions

If system protection is enabled, Windows automatically creates previous versions of files and folders that have been modified since the last restore point was made.

As an example: let's say that Trojan.CryptoLocker has turned the important MS Word document "Network and Telco.doc" into gibberish. From Windows Explorer, just right-click it, choose "Restore previous versions", highlight the version from last week (before the damage was done) and click Restore.

[Image: restore_example.png]

 

On the File Server: Volume Shadow Copies

If Trojan.CryptoLocker has damaged files that reside in a mapped directory on a corporate file server, there's a slightly different method for restoring them.  If Volume Shadow Copies are enabled on the server, recovery should be easy.  More details and a mention of gourmet snacks can be found in this Technet article:

Rapid Recovery with the Volume Shadow Copy Service
http://technet.microsoft.com/en-ie/magazine/2006.01.rapidrecovery(en-us).aspx
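Both the "Restore previous versions" dialog on a workstation and the Shadow Copies for Shared Folders feature on a file server read from the same Volume Shadow Copy snapshots, so one script covers both sections above. The following PowerShell is an added example (not from the original article or from Microsoft): it lists the snapshots of a volume and copies one file back out of the newest snapshot taken before a given time, which is what clicking Restore does behind the scenes. Run it on the machine that holds the volume (the file server itself for a mapped share) from an elevated prompt, since creating the directory symlink used to reach the snapshot requires administrator rights. The volume, the sample file name "Network and Telco.doc" and the destination folder are assumptions for illustration.

```powershell
# Added example: enumerate Volume Shadow Copies of a volume and restore one file from
# the newest snapshot older than -Before. Volume, file and destination are assumptions.
param(
    [string]$Volume    = 'C:\',
    [string]$File      = 'C:\Users\Public\Documents\Network and Telco.doc',
    [string]$RestoreTo = "$env:USERPROFILE\Recovered",
    [datetime]$Before  = (Get-Date)    # choose the newest snapshot created before this time
)

function Get-ShadowCopies {
    param([string]$VolumeRoot)
    # Win32_ShadowCopy.VolumeName holds the \\?\Volume{guid}\ id, so map the drive letter first
    $vol = Get-WmiObject Win32_Volume | Where-Object { $_.Name -eq $VolumeRoot }
    if (-not $vol) { throw "Volume $VolumeRoot not found" }
    Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        ForEach-Object {
            [pscustomobject]@{
                Id           = $_.ID
                Created      = $_.ConvertToDateTime($_.InstallDate)
                DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        } | Sort-Object Created
}

function Restore-FileFromShadowCopy {
    param([string]$Path, [string]$VolumeRoot, [datetime]$OlderThan, [string]$Destination)
    $snap = Get-ShadowCopies -VolumeRoot $VolumeRoot |
        Where-Object { $_.Created -lt $OlderThan } | Select-Object -Last 1
    if (-not $snap) { throw "No shadow copy of $VolumeRoot older than $OlderThan" }

    # Path of the file relative to the volume root; the same relative path exists inside the snapshot
    $relative = $Path.Substring($VolumeRoot.Length)
    # The snapshot device is reached through a temporary directory symlink
    # (the trailing backslash on the device path is required)
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
    try {
        $src = Join-Path $link $relative
        if (-not (Test-Path -LiteralPath $src)) {
            throw "$relative is not present in the snapshot from $($snap.Created)"
        }
        New-Item -ItemType Directory -Force -Path $Destination | Out-Null
        $dst = Join-Path $Destination (Split-Path $Path -Leaf)
        # Copy to a separate folder first; compare before overwriting the damaged original
        Copy-Item -LiteralPath $src -Destination $dst -Force
        [pscustomobject]@{ Snapshot = $snap.Created; Restored = $dst }
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot
    }
}

Get-ShadowCopies -VolumeRoot $Volume | Format-Table -AutoSize
Restore-FileFromShadowCopy -Path $File -VolumeRoot $Volume -OlderThan $Before -Destination $RestoreTo
```

Check the snapshot dates printed by the first call before trusting a restore: a snapshot created after the encryption ran will hand back the gibberish version, which is why the script picks the newest snapshot older than the time you supply rather than simply the latest one. The restored copy lands in a separate folder so it can be opened and verified before it replaces the damaged original.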
 

Conclusion

After cleaning up from this Trojan.CryptoLocker threat, it would be a very good idea to run a diagnostic to ensure there are no additional undetected malicious files on the computer(s).  The following article provides an illustrated example of how this can be done:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team
https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

And it would also be a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques.  Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

 

Many thanks for reading!  Please do leave comments and feedback below. 

Comments (21)

Shulk:

Great article!!! Thanks Mick!!!


Mithun Sanghavi:

Hello,

Thank you for such an Excellent Article.!!!

Regards,

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

EamonnP:

Thanks Mick though not much comfort for those affected! Is it possible for Symantec to create specific or more generic IDS for these DNS requests? These are a sure giveaway that a C&C client is trying to phone home and may be visible on the network long before the C&C controller becomes live.

Jgl2010:

Hi Eamon,

For information from this article: https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

"Symantec customers are protected by the intrusion prevention signature (IPS) System Infected: Trojan.Ransomcrypt.F, which blocks the Trojan’s access to the generated domains."

Symantec has created this specific IPS signature: http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27046 to detect this threat.

riva11:

Thanks Mick, great article!

.Brian:

Great article as always Mick.

My question is unrelated to it but why are all these posts getting down voted?! Seems very helpful to me...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009:

Cheers Brian!  The %$&^!! who wrote this CryptoLocker threat is hiding somewhere so that people can't give him a "thumbs down."  I suppose this article on the topic is the closest related place where victims can vent their displeasure.

I look forward to the day when I can add a link here to a news item about the capture, arrest and sentencing of this particular individual.  &: )   

With thanks and best regards,

Mick

Matheus Vasconcelos:

Great article!! I got a case a few months ago with this vulnerability!

Sathish_R:

Absolutely 'AWESOME' stuff. This is just great information, at the right time. Thank YOU.

gretar:

This is a great article.

Mick2009:

Readers of this article may be interested in the series' third installment.....

Two Reasons why IPS is a "Must Have" for your Network
https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

With thanks and best regards,

Mick

Mick2009:

Also see this new post from Security Response:

Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign
https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign
 

With thanks and best regards,

Mick

Mick2009:

Another excellent resource on this topic:

Cryptolocker Q&A: Menace of the Year

https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

With thanks and best regards,

Mick

Mick2009:

Just adding a cross-reference for a new variant:

Trojan.Cryptolocker.B
http://www.symantec.com/security_response/writeup.jsp?docid=2013-122312-5826-99
 

Current SEP definitions (after December 23, 2013) provide protection against this copycat threat.

With thanks and best regards,

Mick

Mick2009:

The fourth in this series has just been posted- it is a long one, but definitely worthwhile.

The Day After: Necessary Steps after a Virus Outbreak

https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

With thanks and best regards,

Mick

Mick2009:

The fifth article in this series is now available.  An illustrated guide to the tools and techniques necessary to defeat W32.Downadup can be found in the new Connect article:

Killing Conficker: How to Eradicate W32.Downadup for Good
https://www-secure.symantec.com/connect/articles/killing-conficker-how-eradicate-w32downadup-good

With thanks and best regards,

Mick

JUSTICE:

@Mick,

Absolutely outstanding. Your articles are spot on advice and recommendation. BRAVO ZULU!!!!!

Marcus Sebastian Payne
"So cyberspace is real. And so are the risks that come with it."
- President Barack Obama

Ashish-Sharma:

Awesome article Mick2009

Thanks In Advance

Ashish Sharma

polu9495:

If I delete those infected files, can I escape from them??? will it infect other files in future??

Mick2009:

Hi polu9495,

Delete the sabotaged files manually (they are harmless and useless), but check your SEP logs to ensure that the .exe which did the damage in your network has been found and eliminated.

Hope this helps!

Mick

With thanks and best regards,

Mick

Mick2009:

Some good news.... &: )

International Takedown Wounds Gameover Zeus Cybercrime Network

https://www-secure.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network

 

With thanks and best regards,

Mick
