Certain vintages of Cryptolocker actually have a means to get the files
back without paying.
https://www.decryptcryptolocker.com/
Try that.
Cryptowall /not so lucky.
Crypto wall and locker both prove a really really hard lesson - have a
backup.
The shadowcopy trick is something the attackers realized they left
behind and later variants started nuking the shadow copies.
Susan Bradley
http://blogs.msmvps.com/bradley
http://www.runasradio.com/default.aspx?showNum=390
On 11/1/2014 9:50 PM, Jon Harris wrote:
I just confirmed all shadow copies were deleted from when the
infection started. Thanks at least I have another trick in case I
have this happen again.
Jon
------------------------------------------------------------------------
From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person
Date: Sat, 1 Nov 2014 23:31:25 -0500
There is a hidden, and I mean well hidden, My Documents folder in the
root and then there is the available Users folder. It sounds like the
same one. I have only been able to see the My Documents folder using
a Linux distro and that is where previously I was able to pull copies
for the user (not my wife). I only found it then because I was doing
a scan using the Linux distro to look for bugs. The user did not have
any copies of some of the software on the system so a rebuild was not
possible.
Jon
------------------------------------------------------------------------
From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person
Date: Sun, 2 Nov 2014 03:23:00 +0000
Out of curiosity, what is the path you’re referring to as a second
profile?
The only thing I can think of that looks anything like a second copy
is the “Documents and Settings” junction point on Windows Vista+
Matthew Topper
From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Sunday, November 02, 2014 12:15 AM
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person
Windows 7 Pro x64, no domain, and I don't think the shadow copies are
on. I looked but did not see a restore from shadow copy available. I
will look again.
Jon
------------------------------------------------------------------------
From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person
Date: Sun, 2 Nov 2014 03:04:49 +0000
The only method anyone has had success with aside from paying the
ransom or restoring from backup is pulling the data from a shadow copy.
Shadow Explorer seems to work well for browsing them, though newer
instances of the crypto viruses are clearing restore points as part of
infection.
Matthew Topper
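Before reaching for Shadow Explorer it is worth checking whether any snapshot from before the infection survived at all. This is an added PowerShell example, not code from anyone in this thread; it assumes an elevated session on the Windows 7 box, and the infection time it uses is a constructed placeholder.

```powershell
# Added example: list VSS snapshots for a volume, flag those created before the
# infection, then expose one as a directory link so files can be copied out.
# Needs an elevated PowerShell; written for PowerShell 2.0 (stock Windows 7).
function Get-ShadowCopyReport {
    param(
        [Parameter(Mandatory=$true)][datetime]$InfectionStart,
        [string]$DriveLetter = 'C:'
    )
    $volume = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "Volume $DriveLetter not found" }
    # Win32_ShadowCopy returns nothing once a variant has wiped the snapshots,
    # which is what "all shadow copies were deleted" looks like from here.
    $copies = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volume.DeviceID }
    foreach ($c in $copies) {
        # InstallDate is a WMI (CIM) datetime string; convert it before comparing.
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($c.InstallDate)
        New-Object PSObject -Property @{
            Id                = $c.ID
            Created           = $created
            DeviceObject      = $c.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            PredatesInfection = ($created -lt $InfectionStart)
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory=$true)][string]$DeviceObject,
        [string]$LinkPath = 'C:\shadow_recovery'
    )
    # mklink needs the trailing backslash on the shadow device path. The snapshot
    # itself is read-only, so nothing done through the link can alter it.
    cmd /c mklink /d "$LinkPath" "$DeviceObject\" | Out-Null
    return $LinkPath
}

# Usage: the infection time below is a constructed placeholder, not from the thread.
$report = @(Get-ShadowCopyReport -InfectionStart (Get-Date '2014-11-01 21:00'))
$report | Format-Table Created, PredatesInfection, DeviceObject -AutoSize
$usable = $report | Where-Object { $_.PredatesInfection } |
          Sort-Object Created -Descending | Select-Object -First 1
if ($usable) {
    $link = Mount-ShadowCopy -DeviceObject $usable.DeviceObject
    # Copy the profile out of the snapshot; <user> is a placeholder for the profile name.
    # robocopy "$link\Users\<user>" D:\recovered /E
    Write-Output "Snapshot from $($usable.Created) exposed at $link"
} else {
    Write-Output "No snapshot predates the infection; shadow copies will not help here."
}
```

An empty report with shadow copies still enabled is itself a finding: it means the snapshots were cleared rather than never taken.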
From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Sunday, November 02, 2014 12:01 AM
To: [email protected]
Subject: [NTSysADM] Security question from a non-security person
I am really hoping someone has an idea of how to go about this.
Before I start let me say I have only gotten started on this but it is
outside my normal area of expertise so I will be looking on the web.
Issue
Wife (yes my wife) ignored me about doing backups, not blocking
updates, and being more careful about her browsing habits. She
managed to get bit by a crypto virus which I can get the name of if
necessary. All of her files have been encrypted including a 5.3 GB
PST. Her email is Gmail and I set her up to use POP, more than that
is just too hard for her. She is not dumb by any stretch just very
stubborn, and in some computer areas extremely smart. Security is
just not one of those areas. While I know enough to be able to do
some simple security work I don't pretend to be a Security person.
Anyway I have removed the bugs, all were specific to her profile only
(thank God she is only a user). I have used a Linux distro to archive
the two copies of her profile, you do know there are two copies
right? Well anyway on a previous virus infection I got lucky (too bad,
not this time) and only one of the copies was damaged. I am still
doing some clean-up but at the moment it appears both copies were
encrypted. Normally I would just tell the user, so sorry/too bad and
blow the machine away and start over. That will not be possible as
this is my wife, and for those with an SO who like to keep peace in the
house, you would know that is not happening unless there is no other way.
Question
Has anyone found a way OTHER than paying these creeps off to get these
files de-encrypted? Like I said I am still in the cleanup and getting
the machine ready for use again and have not yet done any web
searches. Oh and paying them off is not even in the room with the table!
Side note
Why is it the IT person is the one blamed when a user ignores what we
tell them and gets bit by a bug?
Thanks for any ideas or suggestions,
Jon