Endpoint Protection


All my files were encrypted

  • 1.  All my files were encrypted

    Posted Feb 05, 2015 06:01 AM

    Hi,

    I have a user running Windows 7 with SEP 12.1 and the updated definitions. The PC has been having problems since this morning, where all the local documents (xls, xlsx, doc, docx, PowerPoint, PDF, etc.) were encrypted without notice. When trying to open these files, it showed an error and the content had changed to encrypted code.

    Is this infected by 'Trojan.Ransomcrypt.F' or 'CryptoDefense'? I did run a full scan but SEP detected none of it.

    My files are now all inaccessible because they are encrypted. Any advice on how to decrypt and recover my files?

    Appreciate assistance from anyone here.

    Thank you.

    regards,

    Wong
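
    As an added triage example (not code from the original thread or from Symantec), this Python script checks whether documents of the types the poster lists still carry their expected file headers and, where the header is gone, whether the content has the near 8 bits-per-byte entropy of ciphertext, so a responder can size the damage and separate encrypted files from merely corrupted ones before restoring from backup. The magic-number table, file names and sample contents are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
# Leading bytes (magic numbers) of the document types named in the post: OLE2 compound
# files (.doc/.xls/.ppt), ZIP containers (.docx/.xlsx/.pptx) and PDF.
OLE2, ZIP = b"\xd0\xcf\x11\xe0", b"PK\x03\x04"
MAGIC = {**dict.fromkeys((".doc", ".xls", ".ppt"), OLE2),
         **dict.fromkeys((".docx", ".xlsx", ".pptx"), ZIP), ".pdf": b"%PDF"}

def shannon_entropy(data: bytes) -> float:
    n = len(data)  # bits per byte: ciphertext sits near 8.0, ordinary text around 4 to 5
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample_size: int = 65536) -> str:
    """ok = header intact; suspect = header gone, ciphertext-like; damaged = header gone, low entropy."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return "unknown"
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head.startswith(magic):
        return "ok"
    return "suspect" if shannon_entropy(head) > 7.0 else "damaged"

def triage(root: str):
    # Walk a folder; return per-verdict counts and the sorted names of suspect files.
    counts, suspects = Counter(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            verdict = classify(os.path.join(dirpath, name))
            counts[verdict] += 1
            if verdict == "suspect":
                suspects.append(name)
    return dict(counts), sorted(suspects)

def demo():
    """Constructed sample files (not real victim data) covering every verdict."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4\n" + b"plain text body " * 50,  # intact
        "budget.xlsx": ZIP + os.urandom(2000),   # dense ZIP payload, but header survives
        "plan.docx": os.urandom(4096),           # looks like ciphertext
        "notes.doc": b"A" * 1000,                # wrong header, low entropy
        "photo.jpg": b"\xff\xd8\xff",            # extension not in MAGIC
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    return triage(root)
```

    Run `triage()` against a copy of the affected user's document folders; the "suspect" list is the set to recover from backup or shadow copies, while "damaged" files point at truncation rather than encryption.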

     



  • 2.  RE: All my files were encrypted

    Posted Feb 05, 2015 06:03 AM

    This is CryptoLocker. You need to restore from a known good backup; otherwise the files are lost.

    Do you have the IPS and firewall enabled as well?

    Support Perspective: CTB-Locker and other forms of Crypto malware

    https://www-secure.symantec.com/connect/blogs/supp...

    Recovering Ransomlocked Files Using Built-In Windows Tools

    https://www-secure.symantec.com/connect/articles/r...

    Ransomcrypt: A Thriving Menace (aka Cryptolocker: A Thriving Menace)

    https://www-secure.symantec.com/connect/blogs/rans...

    Cryptolocker Q&A: Menace of the Year

    https://www-secure.symantec.com/connect/blogs/cryp...



  • 3.  RE: All my files were encrypted

    Posted Feb 05, 2015 06:07 AM

    There is no way to recover your files. What's the definition date on your machine?

    Did you update your machine with the latest defs and run a full scan in safe mode?



  • 4.  RE: All my files were encrypted

    Posted Feb 05, 2015 06:10 AM

    You can run the Threat Analysis Scan to clean the virus. For the data recovery you can contact your backup team to restore it.

    About the Threat Analysis Scan

    Article: TECH215550 | Created: 2014-03-04 | Updated: 2014-10-13 | Article URL http://www.symantec.com/docs/TECH215550

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    Article:TECH215519  | Created: 2014-03-03  | Updated: 2014-07-10  | Article URL http://www.symantec.com/docs/TECH215519

    https://www-secure.symantec.com/connect/forums/cryptolocker-are-we-safe

    Article

    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools



  • 5.  RE: All my files were encrypted

    Broadcom Employee
    Posted Feb 05, 2015 06:46 AM

    Hi,

    Crypto-type malware is particularly nasty to deal with because it encrypts files. While an infected file has had code added to it which antivirus can remove, an encrypted file isn’t repairable without the unique encryption key that was used. The criminals using crypto-type malware intend to sell you the unique key, giving you access to your files for a price. For this reason, crypto-type malware is also frequently called Ransomware.

    The key to dealing with crypto-type malware is prevention and planning. While it is assumed you have antivirus and IPS protection in place, the criminals using crypto-malware are constantly updating code to avoid detection by these systems. Since the damage these threats do is often irreversible, taking additional steps to protect yourself is advised.

    Preventive Measures

    • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
    • Use caution when opening email attachments.
    • Keep operating systems and software, including anti-virus, up-to-date with the latest patches.
    • Perform regular backups of all systems/data to avoid serious consequences should your system fall under attack.

    Please check these blogs for detailed info: https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware

    https://www-secure.symantec.com/connect/forums/there-fixtool-recover-files-encrypted-ransomware

    Check this Spiceworks blog as well: http://community.spiceworks.com/topic/774064-symantec-ctb-locker-attack



  • 6.  RE: All my files were encrypted

    Posted Feb 05, 2015 07:46 AM

    Hi Wong,

    The above advice is accurate.

    Please do locate the file which caused the damage and submit it to Security Response for analysis. It will most likely be a .scr or .exe in %TEMP%. If you have opened any suspicious mail attachments lately, please submit that file. This will not help you recover your files, but it will prevent future admins from suffering the same grief.

    Symantec Insider Tip: Successful Submissions!

    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Many thanks,

    Mick



  • 7.  RE: All my files were encrypted

    Posted Feb 08, 2015 09:00 AM

    Hi Chetan/Mick,

    But why was SEP 12.1 unable to detect this malware at the desktop level? I did a full scan and updated with the latest definitions.

    Please advise.

    regards,

    Wong



  • 8.  RE: All my files were encrypted

    Posted Feb 08, 2015 09:05 AM

    Because there was no signature available for it.

    Are you also using IPS, firewall, SONAR, and Download Insight? These are needed as well to help stop the threat.



  • 9.  RE: All my files were encrypted

    Posted Feb 08, 2015 09:32 AM

    Hi Brian,

    No, I didn't enable all features. You mean the antivirus and antispyware engines alone won't be able to detect this?

    What about another small site office using SEPM 11.0.5002?

    Thank you.

    regards,

    Wong



  • 10.  RE: All my files were encrypted

    Posted Feb 08, 2015 09:39 AM

    Antivirus is reactive and will not adequately protect endpoints. If there is no signature available, like in your case, it's over.

    IPS and firewall will block the communication so that the malware cannot reach back out to grab a private key, which starts the encryption process. Without it, it cannot encrypt.

    SONAR uses behavioral analysis to detect it and Download Insight will stop downloads that have a bad reputation.

    Also, SEP 11.x is end of support life so you need to move to 12.1 as soon as possible to reap the benefits of the newer features.

    AV alone is not enough to stop this threat.



  • 11.  RE: All my files were encrypted
    Best Answer

    Posted Feb 08, 2015 04:34 PM

    Hi Wong,

    SONAR (PTP) can be very helpful against some variants of this threat. It is essential to have PTP and IPS installed and enabled as well as AV. Give yourself every line of defense that you can.

    Also: if your organization has been hit by this threat once, it is very likely to be targeted again. Upgrade your defenses now and educate end users not to open any suspicious attachments.

    Definitions must be updated on all endpoints as soon as possible. Using definitions that are a couple of days old leaves your organization wide open to many, many known malicious files.

    No new content is being released for SEP 11, and has not been for more than a month. There are literally millions of known malware threats in the wild that SEP 12.1 protects against which are not included in the final updates for SEP 11. Upgrade away from that old unsupported version immediately to protect that small site office!

    Hope this helps,

    Mick



  • 12.  RE: All my files were encrypted

    Posted Feb 11, 2015 01:57 AM

    Hi again,

    Just wondering if there were any additional questions? This thread is still marked "needs solution."

    With thanks and best regards,

    Mick