
SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!


  • 1.  SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 07:51 AM

    Hello all community, one of our client's computers is infected with Trojan.Cryptolocker.E! It has renamed all the file extensions to its own fake extension ".ogmpekn" and encrypted those files, which we couldn't decrypt to regain access. I have reviewed a number of blogs but have been unable to find out how to decrypt those files. Is there any way I can decrypt these files?

    Note: Symantec Antivirus Version 12.1.4 has deleted the particular Trojan from the system as well as from the registry, since newly created files are working perfectly. Reference files are attached.

    Secondly, kindly share with me the prevention measures that I can use to be safe from these Cryptolocker attacks. On endpoints all SEP features are enabled. Kindly review the attached files for more reference.

    Best Regards,

    Attachment(s): Files.rar (890 KB)


  • 2.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 07:53 AM
    You need to restore from a good backup otherwise the files are gone. Do you have IPS and firewall enabled? Did you determine how it got in?


  • 3.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!
    Best Answer

    Posted Feb 09, 2015 07:53 AM

    You can't recover your files.

    See the blog below:

    Support Perspective: CTB-Locker and other forms of Crypto malware
    https://www-secure.symantec.com/connect/blogs/supp...

    Some of mick2009's good articles:

    Recovering Ransomlocked Files Using Built-In Windows Tools
    https://www-secure.symantec.com/connect/articles/r...
    -
    Ransomcrypt: A Thriving Menace (aka Cryptolocker: A Thriving Menace)
    https://www-secure.symantec.com/connect/blogs/rans...
    -
    Cryptolocker Q&A: Menace of the Year
    https://www-secure.symantec.com/connect/blogs/cryp...

    See the same problem thread:
    https://www-secure.symantec.com/connect/forums/all-my-files-were-encrypted



  • 4.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 07:54 AM

    Files cannot be recovered, unfortunately :(



  • 5.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Broadcom Employee
    Posted Feb 09, 2015 08:02 AM

    Crypto-type malware is particularly nasty to deal with because it encrypts files. While an infected file has had code added to it which antivirus can remove, an encrypted file isn’t repairable without the unique encryption key that was used. The criminals using crypto-type malware intend to sell you the unique key, giving you access to your files for a price. For this reason, crypto-type malware is also frequently called Ransomware.

    The key to dealing with crypto-type malware is prevention and planning. While it is assumed you have antivirus and IPS protection in place, the criminals using crypto-malware are constantly updating code to avoid detection by these systems. Since the damage these threats do is often irreversible, taking additional steps to protect yourself is advised.

    Check this similar thread: https://www-secure.symantec.com/connect/forums/all-my-files-were-encrypted#comment-10864631

    Also, could you share how you decrypted the files?



  • 6.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 08:12 AM

    Hello Brian, yes we have IPS and firewall enabled.

    Any prevention measures that I need to take or adopt to be safe from this in the future or on other machines?

    Regards



  • 7.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 08:14 AM

    Chetan, we weren't able to decrypt them as this process is irreversible. Although Symantec Antivirus Version 12.1.4 has deleted the particular Trojan from the system as well as from the registry, since newly created files are working perfectly. But why didn't it detect it and remove it before the damage was done?

    Regards



  • 8.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 08:19 AM

    Probably because there was no signature available at the time it got on the system. Did you determine how it got in? Usually personal email is one of the ways.



  • 9.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 08:20 AM

    Obviously both IPS and fw need to be enabled.

    Do you have SONAR turned on and set to aggressive mode? Is Download Insight tuned to a higher sensitivity?



  • 10.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 08:46 AM

    Brian, DI is enabled and set to level 5, and so is SONAR. Actually I am trying to identify how it got in, as they have Symantec Messaging Gateway (SMG) antispam and malware filter running at the gateway and also FireEye running.



  • 11.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 08:47 AM

    Is SONAR set to aggressive? May want to move up DI to 6, test first though.

    If you can find out how it got in that will be key. Lately I've seen via personal email...



  • 12.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Broadcom Employee
    Posted Feb 09, 2015 08:54 AM

    I believe Mike can prescribe it in a better way. Let's wait for him to jump in. :)



  • 13.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 10:40 AM

    Brian, SONAR is set to default; earlier it was set to aggressive but we observed some false positives, so we reverted to the default level. Yeah, I am trying to figure out how it got in, as we have also deployed Symantec protection at the gateways.



  • 14.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 10:41 AM

    Yes Chetan, let's wait for Mick's response. Regards



  • 15.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 10:43 AM

    You can always set exceptions for those FPs.



  • 16.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 09, 2015 11:17 AM

    With over 3000 endpoints it's a bit hectic to set exclusions.



  • 17.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 10, 2015 04:44 AM

    Any more information or update on this?



  • 18.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 10, 2015 08:01 AM

    What else are you looking for?



  • 19.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 10, 2015 09:44 AM

    Hi Outrageous,

    Thanks for the post- the advice above is accurate.  This is a very large malicious spam campaign that has affected many thousands of computers/organizations around the world. Each day a large number of new malicious samples are released into the wild.

    any way I can decrypt these files

    They must be restored from a known good backup.  There's no tool or technique which can repair them.  Here's a dedicated forum post on the subject: Is there a Fixtool to Recover Files Encrypted by Ransomware?

    Some advice:

    • Apply the ADC policy described in https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware
    • Ensure mail security definitions are updated several times per day.  By default, SMG updates its definitions once per day.  Run Rapid Release definitions on it as well to stay up-to-date!
    • Use all SEP components, especially SONAR.
    • Check that all important data is being backed up regularly.
    • Password-protect network shares to stop threats from automatically sabotaging materials on file servers.
    • Educate end users not to open and click unexpected attachments.
    • Expect to receive more malicious mails again.  If your company's email addresses were used once, they will very likely be used again by the spammers behind this campaign.

    Hope this helps!

    With thanks and best regards,

    Mick
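    The original post describes the symptom (every file renamed to a fake ".ogmpekn" extension and its contents encrypted), and Mick's list above stresses backups, SONAR and ADC policies as the defence. As an added example that is not part of this thread and not Symantec's or anyone else's product code, here is a small Python script a defender could run against a file share (or point a scheduled task at) to spot that symptom early: a burst of files sharing an unexpected extension whose contents look like ciphertext. The expected-extension set, the cluster/time/entropy thresholds and the sample directory it builds are all assumptions constructed for illustration, not values from the thread.

```python
import math
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Assumption: the extensions an organisation normally expects on its shares.
# Anything outside this set that appears in bulk is worth a look.
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, min_cluster=5, window_seconds=3600,
              entropy_threshold=7.5, sample_bytes=4096):
    """Return one finding per suspicious extension cluster under `root`.

    A cluster is reported when the extension is not expected, at least
    `min_cluster` files carry it, their modification times fall inside
    `window_seconds`, and at least half of them look like ciphertext.
    """
    by_ext = defaultdict(list)
    for path in Path(root).rglob("*"):
        if path.is_file():
            by_ext[path.suffix.lower()].append(path)

    findings = []
    for ext, paths in by_ext.items():
        if not ext or ext in EXPECTED_EXTENSIONS or len(paths) < min_cluster:
            continue
        mtimes = sorted(p.stat().st_mtime for p in paths)
        if mtimes[-1] - mtimes[0] > window_seconds:
            continue  # spread out over time: more likely a legitimate file type
        high_entropy = 0
        for p in paths:
            with open(p, "rb") as fh:
                head = fh.read(sample_bytes)
            if shannon_entropy(head) >= entropy_threshold:
                high_entropy += 1
        if high_entropy * 2 >= len(paths):
            findings.append({
                "extension": ext,
                "files": len(paths),
                "high_entropy": high_entropy,
                "span_seconds": round(mtimes[-1] - mtimes[0], 1),
                "example": str(paths[0]),
            })
    return findings


def build_sample_tree(root=None):
    """Constructed sample share: ordinary text files plus a burst of
    '.ogmpekn' files filled with random bytes standing in for ciphertext.
    Returns the root directory."""
    root = Path(root or tempfile.mkdtemp(prefix="share_"))
    for i in range(10):
        (root / f"report_{i}.txt").write_text("quarterly figures, nothing unusual here\n" * 40)
    victim = root / "finance"
    victim.mkdir(exist_ok=True)
    for i in range(12):
        (victim / f"budget_{i}.xlsx.ogmpekn").write_bytes(os.urandom(8192))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_tree(sample_root):
        print(f"ALERT: {f['files']} '{f['extension']}' files, {f['high_entropy']} high-entropy, "
              f"written within {f['span_seconds']}s, e.g. {f['example']}")
```

    On a real share the alert is a cue to isolate the writing host and restore from backup, which is the only recovery path the thread identifies; the time window matters because a legitimate but unusual file type accumulates slowly, while an encryptor rewrites everything it can reach in minutes.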



  • 20.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 10, 2015 11:16 AM

    Thanks everyone for your valuable and helpful replies, I really appreciate them. Regards



  • 21.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Broadcom Employee
    Posted Feb 23, 2015 04:29 AM

    Is there any update?

    OR

    If the issue has been resolved, could you mark this thread as solved with the best answer that helped you :)



  • 22.  RE: SEPM 12.1.4 Trojan Attack - Trojan.Cryptolocker.E!

    Posted Feb 23, 2015 07:48 AM

    Chetan, for that one endpoint we didn't have a backup of the files, so the data for that user is gone :(