This has likely been checked, but just wanted to mention it just in case: have 
you checked what the POP settings are set to in Gmail?  By default, when you 
enable POP in Gmail, it sets the option to "keep Gmail's copy in the Inbox" 
("mark Gmail's copy as read" would work too here).  In this scenario, you 
effectively get two instances of your email - one that is POP'd to the Outlook 
client, and one that remains in Gmail.  So although the Outlook PST may be 
encrypted, it's possible that your incoming email may still be in Gmail and 
hence you may not have lost everything (Sent Items, Contacts and Calendar may 
be lost though depending on how this was set up in Outlook).

-Aakash Shah

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Susan Bradley
Sent: Saturday, November 1, 2014 11:18 PM
To: [email protected]
Subject: Re: [NTSysADM] Security question from a non-security person

Certain vintages of Cryptolocker actually have a means to get the files 
back without paying.
https://www.decryptcryptolocker.com/

Try that.

Cryptowall / not so lucky.

Cryptowall and Cryptolocker both prove a really, really hard lesson - have a 
backup.

The shadowcopy trick is something the attackers realized they left 
behind and later variants started nuking the shadow copies.

Susan Bradley
http://blogs.msmvps.com/bradley
http://www.runasradio.com/default.aspx?showNum=390

On 11/1/2014 9:50 PM, Jon Harris wrote:
> I just confirmed all shadow copies were deleted from when the 
> infection started.  Thanks at least I have another trick in case I 
> have this happen again.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sat, 1 Nov 2014 23:31:25 -0500
>
> There is a hidden, and I mean well hidden, My Documents folder in the 
> root and then there is the available Users folder.  It sounds like the 
> same one.  I have only been able to see the My Documents folder using 
> a Linux distro and that is where previously I was able to pull copies 
> for the user (not my wife).  I only found it then because I was doing 
> a scan using the Linux distro to look for bugs.  The user did not have 
> any copies of some of the software on the system so a rebuild was not 
> possible.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sun, 2 Nov 2014 03:23:00 +0000
>
> Out of curiosity, what is the path you're referring to as a second 
> profile?
>
> The only thing I can think of that looks anything like a second copy 
> is the "Documents and Settings" junction point on Windows Vista+
>
> Matthew Topper
>
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Jon Harris
> Sent: Sunday, November 02, 2014 12:15 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
>
> Windows 7 Pro x64, no domain, and I don't think the shadow copies are 
> on.  I looked but did not see a restore from shadow copy available.  I 
> will look again.
>
> Jon
>
> ------------------------------------------------------------------------
>
> From: [email protected] <mailto:[email protected]>
> To: [email protected] <mailto:[email protected]>
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sun, 2 Nov 2014 03:04:49 +0000
>
> The only method anyone has had success with aside from paying the 
> ransom or restoring from backup is pulling the data from a shadow copy.
>
> Shadow Explorer seems to work well for browsing them, though newer 
> instances of the crypto viruses are clearing restore points as part of 
> infection.
>
> Matthew Topper
>
> From: [email protected] 
> <mailto:[email protected]> 
> [mailto:[email protected]] On Behalf Of Jon Harris
> Sent: Sunday, November 02, 2014 12:01 AM
> To: [email protected] <mailto:[email protected]>
> Subject: [NTSysADM] Security question from a non-security person
>
> I am really hoping someone has an idea of how to go about this.  
> Before I start let me say I have only gotten started on this but it is 
> outside my normal area of expertise so I will be looking on the web.
>
> Issue
>
> Wife (yes my wife) ignored me about doing backups, not blocking 
> updates, and being more careful about her browsing habits.  She 
> managed to get bit by a crypto virus which I can get the name of if 
> necessary.  All of her files have been encrypted including a 5.3 GB 
> PST.  Her email is Gmail and I set her up to use POP, more than that 
> is just too hard for her.  She is not dumb by any stretch just very 
> stubborn, and in some computer areas extremely smart.  Security is 
> just not one of those areas.  While I know enough to be able to do 
> some simple security work I don't pretend to be a Security person.  
> Anyway I have removed the bugs, all were specific to her profile only 
> (thank God she is only a user).  I have used a Linux distro to archive 
> the two copies of her profile, you do know there are two copies 
> right?  Well anyway on a previous virus infection I got lucky (too bad 
> not this time) and only one of the copies was damaged.  I am still 
> doing some clean-up but at the moment it appears both copies were 
> encrypted.  Normally I would just tell the user, so sorry/too bad and 
> blow the machine away and start over.  That will not be possible as 
> this is my wife and for those with a SO and like to keep peace in the 
> house you would know that is not happening unless there is no other way.
>
> Question
>
> Has anyone found a way OTHER than paying these creeps off to get these 
> files de-encrypted?  Like I said I am still in the cleanup and getting 
> the machine ready for use again and have not yet done any web 
> searches.  Oh and paying them off is not even in the room with the table!
>
> Side note
>
> Why is it the IT person is the one blamed when a user ignores what we 
> tell them and gets bit by a bug?
>
> Thanks for any ideas or suggestions,
>
> Jon
>
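Jon was unsure whether shadow copies had ever been enabled, and Matthew suggested Shadow Explorer for browsing whatever snapshots survive; both come down to the same check. The PowerShell below is an added example, not code from anyone in the thread: it lists the VSS snapshots still present, tells the "never enabled" case apart from the "deleted by the malware" case, and exposes the newest surviving snapshot as an ordinary directory link so files can be copied out without extra tools. The link path C:\ShadowLink, the profile name ExampleUser and the destination D:\Recovered are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell prompt.
# Assumption: C:\ShadowLink is a free path to use for the directory link.
$linkPath = 'C:\ShadowLink'

function Get-ShadowInventory {
    # Win32_ShadowCopy is the same data Shadow Explorer and "vssadmin list shadows" read.
    # DeviceObject is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path a link can target.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

$shadows = @(Get-ShadowInventory)

if ($shadows.Count -eq 0) {
    Write-Host 'No shadow copies exist on this machine.'
    # Storage associations separate the two cases: if none are listed, System
    # Protection was most likely never turned on; if storage is allocated but no
    # snapshots exist, they were removed, which later crypto variants do on infection.
    vssadmin list shadowstorage
    return
}

$shadows | Format-Table -AutoSize

# Expose the newest snapshot as a directory link. Pick a different index after
# reviewing the table if a snapshot closer to the infection date is wanted.
# The trailing backslash after DeviceObject is required, or the link will not open.
$chosen = $shadows[0]
cmd /c mklink /d "$linkPath" "$($chosen.DeviceObject)\" | Out-Null
Write-Host "Snapshot taken $($chosen.InstallDate) is browsable at $linkPath"

# Copy a profile out of the snapshot to another drive (assumed D:), then drop
# the link. rmdir removes only the link, never the snapshot contents.
$source = Join-Path $linkPath 'Users\ExampleUser'   # hypothetical profile name
if (Test-Path $source) {
    Copy-Item -Path $source -Destination 'D:\Recovered\ExampleUser' -Recurse
} else {
    Write-Host "No profile found at $source in this snapshot."
}
cmd /c rmdir "$linkPath"
```

Snapshots only help if they predate the encryption, so compare InstallDate against when the files changed before trusting a copy.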