Endpoint Protection


Cryptolocker, are we safe?

  • 1.  Cryptolocker, are we safe?

    Posted Oct 15, 2013 09:04 AM


  • 2.  RE: Cryptolocker, are we safe?
    Best Answer

    Trusted Advisor
    Posted Oct 15, 2013 09:05 AM

    Hello,

    Yes. Symantec detects CryptoLocker.

    Cryptolocker is referenced by Symantec as: Trojan.Ransomcrypt.F

    http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=2

    Secondly, check this thread:

    https://www-secure.symantec.com/connect/forums/cryptolocker-and-adc-policies

    Hope that helps!!
     


  • 3.  RE: Cryptolocker, are we safe?

    Posted Oct 15, 2013 09:07 AM

    Yes, it detects it.

    http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=2

    Manual removal is here in case

    http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=3



  • 4.  RE: Cryptolocker, are we safe?

    Posted Oct 15, 2013 10:18 AM

    Thank you, Symantec.



  • 5.  RE: Cryptolocker, are we safe?

    Posted Oct 16, 2013 06:17 AM

    One extra note: make sure that you are protecting your clients with the optional IPS component!  In addition to the AV signatures, there is an IPS signature that blocks this threat's traffic.

     

    SIG ID 27046 "System Infected: Trojan.Ransomcrypt.F"



  • 6.  RE: Cryptolocker, are we safe?

    Posted Oct 16, 2013 06:40 AM

    Noted. Thank you.



  • 7.  RE: Cryptolocker, are we safe?

    Posted Oct 23, 2013 07:47 AM

    Followers of this thread may be interested in this new blog post from Security Response:

    Ransomcrypt: A Thriving Menace
    https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

    and also these resources:

    Additional information about Ransomware threats
    http://www.symantec.com/docs/TECH211589

    Definitely backup all important data regularly, keep your AV definitions up-to-date, and deploy the IPS component of SEP if you are not already using it!



  • 8.  RE: Cryptolocker, are we safe?

    Posted Oct 25, 2013 06:17 AM

    Is there a way to do a scheduled report for this type of detection should this appear on the network?



  • 9.  RE: Cryptolocker, are we safe?

    Posted Oct 30, 2013 01:11 AM

    Had an encounter with Cryptolocker on a notebook running Win7.  .docx and .xlsx files that were critical to the client were compromised.  Once the virus was removed, attempted to restore corrupt files.  As most have reported, this is impossible.  Got to thinking that maybe some of the files had been previously deleted and might be restored and retrieved.  Ran RECUVA and found thousands of deleted files.  Some had been overwritten and were not retrievable.  Others, with .docx and .xlsx, were fully retrievable.  They did not have names, just numbers - many of which were in sequence.  Once they were restored, it became obvious that the very files that were critical had been deleted after being named with a number followed by the same extension as the original files.  I am not an expert, but I have more than 30 years of experience in the field, and started hunting and killing virus infections before any software to do so was available.  This might be something worth checking on other systems that have been infected by Cryptolocker.  Maybe some genius out there can come up with a utility to undelete these files after killing the virus, and connect them with their original names.  Hope this is helpful to someone.



  • 10.  RE: Cryptolocker, are we safe?

    Posted Oct 30, 2013 12:59 PM

    Many thanks, Geoconsult! "Thumbs up" from me.

    This new article may be of interest to followers of this thread:

     

    Recovering Ransomlocked Files Using Built-In Windows Tools
    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools



  • 11.  RE: Cryptolocker, are we safe?

    Posted Nov 06, 2013 04:45 PM

    I am concerned about the files that are encrypted; if I run a scan and Symantec AV removes the malicious files, will I have access to the files that are encrypted?  Should I do this in safe mode?  TIA!



  • 12.  RE: Cryptolocker, are we safe?

    Posted Nov 06, 2013 04:58 PM
    If the files are already encrypted the damage has been done and likely not recoverable, regardless of what mode you do it in.