

Malware troubleshooting: recover your files damaged by CTB Locker Virus


Issue

Decrypt your files damaged by CTB Locker Virus.


Background

As discussed in the previous post, where a SharePoint Server 2013 client machine was infected with the CTB Locker virus, this post summarizes some research into ways of recovering files that were encrypted by CTB Locker.


Analysis

Source: Symantec Connect - Security

Decryption without the key from your attackers is not feasible, but that does not mean that a Trojan.CryptoLocker threat must seriously disrupt your business.  A scan with new AntiVirus definitions will be able to detect and remove the executable file and prevent any further damage, then simply delete all the encrypted files and restore them from their last known-good backup.  

With some variants of Trojan.Cryptolocker, it is possible to use Windows PowerShell to generate a list of files that have been encrypted by ransomlock.  You can dump the list of files in the CryptoLocker registry key using the following command:

# Each value name under the key is the path of an encrypted file, with every '\' replaced by '?'
(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding Unicode

Note that more recent variants seem to have changed their code to prevent the generation of such a list.  It will be necessary to identify the corrupted files manually. 
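The following PowerShell script is an added example; it is not from the Symantec article or the original post. It wraps the registry dump above for the older variants and, when the key is absent (the newer variants described in the previous paragraph), falls back to a manual sweep: files under chosen roots that were modified after the suspected infection time and whose leading bytes have near-maximal entropy, as ciphertext does. The sweep roots, the infection time, the 4 KB sample size and the 7.5 bits-per-byte threshold are assumptions to adjust per incident, and the registry path is the one quoted in the article.

```powershell
# Added example (not from the post): list files damaged by a CryptoLocker-style infection.
# Older variants record the list in the registry; newer ones keep none, so sweep instead.
# Assumed values (adjust per incident): sweep roots, infection time, entropy threshold.
param(
    [string[]]$Roots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    [datetime]$InfectedAfter = (Get-Date).AddDays(-2),
    [string]$OutFile = "CryptoLockerFiles.txt"
)

$regPath = 'HKCU:\Software\CryptoLocker\Files'   # key named in the Symantec article

# Shannon entropy (bits per byte) over the first 4 KB of a file.  Encrypted data sits
# close to 8.0; ordinary documents, even compressed ones, usually sit noticeably lower.
function Get-HeadEntropy {
    param([string]$Path)
    $bytes = [byte[]]::new(4096)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { $n = $fs.Read($bytes, 0, $bytes.Length) } finally { $fs.Dispose() }
    if ($n -eq 0) { return 0.0 }
    $counts = @{}
    for ($i = 0; $i -lt $n; $i++) { $counts[$bytes[$i]] = 1 + [int]$counts[$bytes[$i]] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $n
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 2)
}

if (Test-Path $regPath) {
    # Older variants: every value name is an encrypted path with '?' standing in for '\'.
    $files = (Get-Item $regPath).GetValueNames() | ForEach-Object { $_.Replace('?', '\') }
    Write-Host "Registry list found: $($files.Count) entries"
} else {
    # Newer variants keep no list: sweep for files changed after the suspected infection
    # time and keep only those whose content looks like ciphertext.
    Write-Host "No registry list; sweeping $($Roots -join ', ') for files modified after $InfectedAfter"
    $files = Get-ChildItem -Path $Roots -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $InfectedAfter } |
        ForEach-Object {
            $e = Get-HeadEntropy $_.FullName
            if ($e -ge 7.5) { "$($_.FullName)`t(entropy $e)" }
        }
}

$files | Out-File $OutFile -Encoding Unicode
Write-Host "Wrote $OutFile"
```

The entropy test is a heuristic, not proof: archives, images and already-encrypted containers also score high, so review the resulting list against backups before deleting anything. Keep the list itself; it tells you exactly which files to restore once the executable has been removed.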

Resolution

Microsoft Built-In Tools: Windows Backup 

Windows comes with a built-in backup and restore utility.  Windows Backup is a freebie that can restore encrypted files (or files otherwise damaged by any threat), providing that you have made a backup of them prior to the damage.  Microsoft have released a video on how to use the built-in backup and restore tool to back up your important files.  Watching this simple how-to will enable you to schedule a known-good backup of your selected data, and will only cost a minute of your life.  Definitely recommended!

Back up your files

http://windows.microsoft.com/en-ie/windows7/back-up-your-files

This Windows Backup tool also has the ability to create a system image - this is an exact image of the entire drive: system settings, programs, files, everything.  If this system image is restored, it will not only replace all the corrupted files that Trojan.CryptoLocker has damaged, it will overwrite everything!  Use system image restoration with caution.

Use a Previous Version

An alternative, if it is a technology in use in your organization, is to restore from a Previous Version.  Previous versions are copies of files and folders that Windows automatically saved as part of system protection. This feature is fantastic at rescuing files that were damaged by malware. Here's another Microsoft article with all the details:

Previous versions of files: frequently asked questions

http://windows.microsoft.com/en-ie/windows7/previous-versions-of-files-frequently-asked-questions

If system protection is enabled, Windows automatically creates previous versions of files and folders that have been modified since the last restore point was made.

As an example: let's say that Trojan.CryptoLocker has turned the important MS Word document "Network and Telco.doc" into gibberish.  From Windows Explorer, just right-click it, select "Restore previous versions", highlight the version from last week (before the damage was done) and click Restore.

On the File Server: Volume Shadow Copies

If Trojan.CryptoLocker has damaged files that reside in a mapped directory on a corporate file server, there's a slightly different method for restoring them.  If Volume Shadow Copies are enabled on the server, recovery should be easy.  More details and a mention of gourmet snacks can be found in this TechNet article:

Rapid Recovery with the Volume Shadow Copy Service

http://technet.microsoft.com/en-ie/magazine/2006.01.rapidrecovery(en-us).aspx
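As an added example (not from the TechNet article or the original post), the script below does on the server what the "Restore previous versions" dialog does on a client: it finds the newest Volume Shadow Copy of the file's volume that predates the damage, exposes that snapshot through a temporary directory symlink, and copies the file out next to the damaged one. It must run elevated on the machine that holds the shadow copies; the file path and the damage time are placeholders, and the mklink step is the standard way to reach a shadow device, since the PowerShell file provider cannot open `\\?\GLOBALROOT` paths directly.

```powershell
# Added example (not from the post): restore one file from the newest shadow copy taken
# before the damage.  Run elevated on the file server.  Paths/times are placeholders.
param(
    [Parameter(Mandatory)][string]$File,     # e.g. 'D:\Shares\Projects\Network and Telco.doc'
    [datetime]$DamagedAt = (Get-Date),       # pick a snapshot taken before this moment
    [string]$RestoreTo = "$File.restored"    # written beside the damaged copy, never over it
)

$drive    = [System.IO.Path]::GetPathRoot($File)      # 'D:\'
$relative = $File.Substring($drive.Length)            # 'Shares\Projects\Network and Telco.doc'

# Shadow copies are keyed by volume GUID, so map the drive letter to its GUID first.
$volumeId = (Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveLetter -eq $drive.TrimEnd('\') }).DeviceID
if (-not $volumeId) { throw "No local volume for $drive" }

# Newest snapshot of that volume that was created before the damage.
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $DamagedAt } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $shadow) { throw "No shadow copy of $drive from before $DamagedAt" }
Write-Host "Using shadow copy $($shadow.ID) taken $($shadow.InstallDate)"

# The shadow device is reachable only through a directory symlink, so link it under
# %TEMP%, copy the file out, and remove the link again whatever happens.
$link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
try {
    $source = Join-Path $link $relative
    if (-not (Test-Path -LiteralPath $source)) { throw "File not present in that snapshot: $source" }
    Copy-Item -LiteralPath $source -Destination $RestoreTo
    Write-Host "Restored to $RestoreTo"
} finally {
    cmd /c rmdir "$link" | Out-Null      # removes the link only, not the snapshot
}
```

Restoring beside the damaged file rather than over it keeps the encrypted copy available for comparison, and the snapshot itself is read-only, so a bad choice of `$DamagedAt` costs nothing but a second run with an earlier time.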

Top ransomware

These are the top ransomware families that have been reported.

Any one of these may have infected your system:

  • Ransom:JS/Krypterade.A
  • Ransom:Win32/Nymaim.F
  • Ransom:Win32/Reveton!lnk
  • Ransom:Win32/Crowti
  • Ransom:Win32/Critroni
  • Ransom:Win32/Reveton
  • Ransom:Win32/Reveton.V
  • Ransom:Win32/Urausy.E
  • Ransom:Win32/Critroni.A
  • Ransom:Win32/Crowti.A

How to remove

How to remove the ransomware depends on what type it is.

If your web browser is locked

  1. You can try to unlock your browser by using Task Manager to stop the web browser's process. Open Task Manager. There are a number of ways you can do this:
    • Right-click on an empty space on the task bar and click Task Manager or Start Task Manager.
    • Press Ctrl+Shift+Esc.
    • Press Ctrl+Alt+Delete.
  2. In the list of Applications or Processes, click on the name of your web browser.
  3. Click End task. If you are asked if you want to wait for the program to respond, click Close the program.
  4. In some workplaces, access to Task Manager may be restricted by your network administrator. Contact your IT department for help.

When you open your web browser again, you may be asked to restore your session. Do not restore your session or you may end up loading the ransomware again.

Tools

Only a few tools can remove ransomware completely; some of them are listed here:

  • Microsoft Security Essentials
  • Windows Defender
  • Malwarebytes
  • McAfee Stinger

McAfee provides a tool called Stinger to remove ransomware, malware, trojans, etc.

Run this tool and it will remove the ransomware.

The first three are Microsoft products and can completely remove it. Windows Defender will be present in all Microsoft operating systems by default. It will be turned off.
