Windows 7 Forums
Windows 7: Forensics Method Quickly Identifies CryptoLocker Encrypted Files

30 Nov 2013   #1

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 
Forensics Method Quickly Identifies CryptoLocker Encrypted Files

Quote:
If CryptoLocker is teaching enterprise IT and security people anything, it's that backup is king.

The ransomware is unforgiving; it will find and encrypt documents on local and shared drives and it will not give them back. Experts don't advise victims to pay the ransom, which means infected computers must be wiped, and lost files must be recovered from backup.

However, one Boston-area forensics specialist and malware analyst working for a large enterprise may have found a clue as to identifying the files CryptoLocker encrypts, which could mean the difference between restoring terabytes of backup data versus a few gigabytes.
Source

A Guy



30 Nov 2013   #2

Windows 7 Professional X64
 
 

Quote:
backup is king
Yup - got hit with Fbimoneypack - locked comp.

Did a restore from Trueimage backup and was up and running in 10 minutes.
30 Nov 2013   #3

Windows 7 64-bit, Windows 8.1 64-bit, OSX Maverick
 
 

Quote from the link referenced:

Quote:
The laptop was pulled from the network, wiped and analyzed. That's when the analyst, who goes by the Twitter handle @Bug_Bear and asked not to be otherwise identified, noticed that the NTFS Master File Table creation and file modified dates on the encrypted files were unchanged.
As standard forensic procedure, the disk is imaged and in this case, it was wiped. The analyst started to work on the image and then moved to the server. This also means that all the encrypted data on the laptop drive had been lost. The chances are that the user of this laptop lost locally stored data that had no backup, some of which might even be critical to the enterprise. While all enterprises have policies to save everything on the network, you wanna bet that the end user of the laptop had important/critical company data that had been lost?

While everyone is advising not to pay the ransom, from the ROI perspective it makes no sense. For about $600, both the local and network files could've been decrypted, the local files saved on the network, and then the laptop re-imaged. The forensic expert does not analyze systems for cheap; if he/she is hired as a third party, in this case the cost could've been $5-10K for the company. Then there's the restoring from backup that does not include locally stored files, and can be time consuming even if it is done by internal people. No wonder the policy department decided to shell out the 600 bucks...

CryptoLocker isn't like FBImoneypack and the like, which can be removed and/or restored from the disk image backup in 5-10 minutes. It hits where it hurts the most: it encrypts your data...


01 Dec 2013   #4

Windows 7 Pro. 64/SP-1
 
 

My understanding is that all this mess can start from someone opening an email they shouldn't open.
Until there is a method of stopping this from happening, I don't know of a cure.
01 Dec 2013   #5

Windows 7 Home Premium x64
 
 

Quote: Originally Posted by Cr00zng
While everyone is advising not to pay the ransom, from the ROI perspective it makes no sense. For about $600, both the local and network files could've been decrypted, the local files saved on the network, and then the laptop re-imaged. The forensic expert does not analyze systems for cheap; if he/she is hired as a third party, in this case the cost could've been $5-10K for the company. Then there's the restoring from backup that does not include locally stored files, and can be time consuming even if it is done by internal people. No wonder the policy department decided to shell out the 600 bucks...
They're advised not to pay the ransom because there is a 0% guarantee that these criminals will actually unlock your files. They're already breaking the law, you can't exactly take them to court for breach of contract if they don't deliver.
01 Dec 2013   #6

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

Quote: Originally Posted by Diosoth
They're advised not to pay the ransom because there is a 0% guarantee that these criminals will actually unlock your files. They're already breaking the law, you can't exactly take them to court for breach of contract if they don't deliver.
As far as I know, so far they have been giving the key to unlock. It would be in their interest to do so. As soon as it becomes known they do not, then people will not pay. Of course, the majority of people don't know this exists and will just see they are locked and decide to pay or not.

A Guy
01 Dec 2013   #7

Windows 7 Ultimate SP1 (64 bit), Windows XP SP3, Linux Mint 17 MATE (64 bit)
 
 
Agreed

Quote: Originally Posted by A Guy
Quote: Originally Posted by Diosoth
They're advised not to pay the ransom because there is a 0% guarantee that these criminals will actually unlock your files. They're already breaking the law, you can't exactly take them to court for breach of contract if they don't deliver.
As far as I know, so far they have been giving the key to unlock. It would be in their interest to do so. As soon as it becomes known they do not, then people will not pay. Of course, the majority of people don't know this exists and will just see they are locked and decide to pay or not.
Unfortunately these criminals are more likely to do the "right thing", than "legitimate" Corporations are.

The Corporations have armies of lawyers, judges and politicians to protect them from reprisals.
02 Dec 2013   #8

W7 Pro SP1 64bit
 
 

If Wayne Collier's comment on the article is correct, then none of the $forensics$ was needed:
Quote:
The laptops we analyzed which were infected with Cryptolocker had a registry key under HKCU\Software\Cryptolocker with all the files it had encrypted. This listing also included the network shares that were encrypted, as well as the local files.
Those were the only files that needed to be restored from the server's backup. It should not take very long to export that list and script the recovery.

As far as local files lost...
I have seen several backup solutions at the companies that I support or just know about. None of the solutions were backing up all of the local files that the end user thought important. So, backup schemes are only as good as those administrating them.

I found this confusing:
Quote:
"I think that's what we're seeing. The only date that won't change is the NTFS Master File Table date which is the date it was created in the database for NTFS itself. That will change and that's what I'm seeing and that's what I used to find these files."
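The list-driven recovery that the quoted comment describes (export the key, then script the restore from backup) as an added example; this is not code from the thread, the article, or the analyst. It assumes the key was exported with `reg export HKCU\Software\Cryptolocker cryptolocker.reg` and that each encrypted path appears as a value name under that key; the thread does not describe the key's real value layout, and the sample export embedded below is constructed. The script parses the .reg file, separates local paths from UNC paths, groups the latter by share, and prints a manifest a restore job can consume.

```python
r"""Build a restore list from a `reg export` of the CryptoLocker registry key.

Assumed workflow (the thread only says "export that list and script the recovery"):
    reg export HKCU\Software\Cryptolocker cryptolocker.reg
    python restore_list.py cryptolocker.reg
"""
import re
import sys
from collections import defaultdict

# Constructed sample of what the export might look like. ASSUMPTION: each
# encrypted path is stored as a value name under the key; the thread only
# says the key lists the encrypted local files and network shares.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Cryptolocker]
"C:\\Users\\jdoe\\Documents\\budget.xlsx"=dword:00000001
"C:\\Users\\jdoe\\Desktop\\notes.docx"=dword:00000001
"\\\\fileserver\\finance\\Q3\\forecast.xlsx"=dword:00000001
"\\\\fileserver\\hr\\policy.docx"=dword:00000001
'''

CRYPTOLOCKER_KEY = r'HKEY_CURRENT_USER\Software\Cryptolocker'

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=data, where the name may contain backslash-escaped quotes and backslashes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def read_reg_file(path):
    """reg.exe writes UTF-16LE with a BOM; fall back to a single-byte codec."""
    with open(path, 'rb') as fh:
        raw = fh.read()
    if raw.startswith(b'\xff\xfe'):
        return raw.decode('utf-16')
    return raw.decode('latin-1')


def unescape_reg(name):
    """Undo .reg escaping (doubled backslashes, backslash-quote) in value names."""
    return re.sub(r'\\(.)', r'\1', name)


def parse_reg_export(text):
    """Return {key_path: [value_name, ...]} for every key in the export."""
    keys = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append(unescape_reg(m.group(1)))
    return dict(keys)


def split_restore_list(paths):
    """Separate local paths from UNC paths and group the latter by \\server\share."""
    local, shares = [], defaultdict(list)
    for p in paths:
        if p.startswith('\\\\'):
            server, share = (p[2:].split('\\', 2) + ['', ''])[:2]
            shares['\\\\' + server + '\\' + share].append(p)
        else:
            local.append(p)
    return local, dict(shares)


def build_restore_manifest(reg_text, key=CRYPTOLOCKER_KEY):
    """Per-share and local lists of the files that must come back from backup."""
    paths = parse_reg_export(reg_text).get(key, [])
    local, shares = split_restore_list(paths)
    return {'total': len(paths), 'local': local, 'shares': shares}


def format_manifest(manifest):
    """Plain-text manifest: one path per line under a heading per share."""
    lines = ['# %d encrypted paths listed by the key' % manifest['total']]
    for share in sorted(manifest['shares']):
        lines.append('[%s]' % share)
        lines.extend(manifest['shares'][share])
    lines.append('[local files - only recoverable if the laptop had its own backup]')
    lines.extend(manifest['local'])
    return '\n'.join(lines)


if __name__ == '__main__':
    text = read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    print(format_manifest(build_restore_manifest(text)))
```

Grouping by share matters in practice: the server-side restore is scoped to exactly the listed paths on each share rather than to whole volumes, which is the terabytes-versus-gigabytes difference the article is about, while the local section makes visible which files have no server-side copy at all.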