Video Screencast Help

Cryptolocker, are we safe?

Created: 15 Oct 2013 • Updated: 15 Oct 2013 | 11 comments
This issue has been solved. See solution.
Operating Systems:

Comments 11 CommentsJump to latest comment

Mithun Sanghavi's picture

Hello,

Yes. Symantec detects CryptoLocker.

Cryptolocker is referenced by Symantec as : Trojan.Ransomcrypt.F

http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=2

Secondly, check this Thread: 

https://www-secure.symantec.com/connect/forums/cryptolocker-and-adc-policies

Hope that helps!!
 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
CoachR's picture

I am concerned about the files that are encrypted; if I run a scan and symantec AV removes the mailcious files, will I have access to the files that are encrypted?  Should I do this in safe mode?  TIA!

.Brian's picture

If the files are already encrypted the damage has been done and likely not recoverable, regardless of what mode you do it in.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian's picture

Yes it detects it

http://www.symantec.com/security_response/writeup....

Manual removal is here in case

http://www.symantec.com/security_response/writeup....

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009's picture

One extra note: make sure that you are protecting your clients with the optional IPS component!  In addition to the AV signatures, there is a IPS signature that blocks this threat's traffic.

 

SIG ID 27046 "System Infected: Trojan.Ransomcrypt.F"

With thanks and best regards,

Mick

Mick2009's picture

Followers of this thred may be interested in this new blog post from security Response:

Ransomcrypt: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

and also these resources:

Additional information about Ransomware threats
http://www.symantec.com/docs/TECH211589

Definitely backup all important data regularly, keep your AV definitions up-to-date, and deploy the IPS component of SEP if you are not already using it!

With thanks and best regards,

Mick

ThaveshinP's picture

Is there a way to do a scheduled report for this type of detection should this appear on the network?

geoconsult's picture

Had an encounter with Cryptolocker on a notebook running Win7.  .docx and .xlsx files that were critical to the client were compromised.  Once the virus was removed, attempted to restore corrupt files.  As most have reported, this it impossible.  Got to thinking that maybe some of the files had been previously deleted and might be restored and retrieved.  Ran RECUVA and found thousands for deleted files.  Some had been overwritten and were not retrievable.  Others, with .docx and .xlsx, were fully retrievable.  They did not have names, just numbers - many of which were in sequence.  Once they were restored, it became obvious that the very files that were critical had been deleted after being named with a number followed by the same extension as the original files.  I am not an expert, but I have more than 30 years of experience in the field, and started hunting and killing virus infections before any software to do so was available.  This might be something worth checking on other systems that have been infected by Cryptolocker.  Maybe some genius out there can come up with a utility to undelete these files after killing the virus, and connect them with their original names.  Hope this is helpful someone.

Mick2009's picture

Many thanks, Geoconsult! "Thumbs up" from me.

This new article may be of interest to followers of this thread:

 

Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

With thanks and best regards,

Mick