CTB Locker (Cryptolocker copycat) - Beyond.ca - Car Forums

Thread: CTB Locker (Cryptolocker copycat)

  1. #1
    Join Date
    Oct 2009
    Location
    Unknown
    Posts
    1,157
    Rep Power
    0

    CTB Locker (Cryptolocker copycat)

    Have any other techs or ITs been seeing a lot of this ransomware lately?

    I've known about Cryptolocker and its variants since their inception, but have never actually come across it. Yet, I'm now on my fourth one in the last couple of weeks.

    BTW, System Restore is the quickest and easiest way to remove the infection, but the files will still remain encrypted.

  2. #2
    Join Date
    Mar 2009
    Location
    Calgary
    My Ride
    '18 Murano
    Posts
    676
    Rep Power
    22

    We banned .zip attachments at the mail server, and put in a GPO to prevent executables running in the user's temp environment. So far that's prevented any ransomware (fingers crossed).

    What's been the delivery method of the ones you're seeing?

  3. #3
    Join Date
    Mar 2009
    Location
    Calgary
    My Ride
    '18 Murano
    Posts
    676
    Rep Power
    22

    Blocking .zip files at the server has prevented about 4 crypto files inbound as fake resumes, which seems popular lately.
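
The attachment policy described in the two posts above, sketched as an added example (not code from the thread or from any poster's mail server). It applies the ".zip is banned" rule by content as well as by file name and lists executable archive members; the function names, the `EXEC_EXT` list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed list of member extensions treated as executable; adjust to local policy.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def inspect_message(raw: bytes) -> list:
    """Return one finding per attachment, with a block/allow action."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        zip_by_name = name.lower().endswith(".zip")
        zip_by_content = data.startswith(ZIP_MAGIC)
        exec_members, unreadable = [], False
        if zip_by_name or zip_by_content:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    exec_members = [m for m in zf.namelist()
                                    if m.lower().endswith(EXEC_EXT)]
            except zipfile.BadZipFile:
                unreadable = True  # cannot be inspected, so it is blocked
        block = zip_by_name or unreadable or bool(exec_members)
        findings.append({"name": name, "zip_by_content": zip_by_content,
                         "exec_members": exec_members,
                         "action": "block" if block else "allow"})
    return findings


def build_sample() -> bytes:
    """Constructed test message; the archive member holds placeholder text only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.scr", "constructed placeholder, not a program")
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    for fname in ("resume.zip", "resume.dat"):  # same bytes under two names
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="octet-stream", filename=fname)
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(*inspect_message(build_sample()), sep="\n")
```

Office formats such as .docx are also zip containers, which is why the content check alone does not block: an attachment is blocked only when it is named .zip, cannot be read, or holds an executable member.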

  4. #4
    Join Date
    Oct 2009
    Location
    Unknown
    Posts
    1,157
    Rep Power
    0

    The investigators say the infection is "most likely" transmitted via a zip attachment, but that doesn't seem to be the case in the examples I've seen. All four customers claim they didn't open any attachment.

    With further questioning, I discovered that all four had generic infections just prior to the ransomware infection. But, they either ignored the infections temporarily, or tried to remove them on their own (unsuccessfully of course).

    So it seems in my cases, the ransomware is a result of the current infections being used as a catalyst to download and install the ransomware infection, or, in the process of trying to remove the generic infections themselves, they just made it worse (as usual).

  5. #5
    Join Date
    Oct 2009
    Location
    Unknown
    Posts
    1,157
    Rep Power
    0

    The fourth that I just cleaned is going back today. There's a lot of pictures and needed docs that are encrypted and not backed up.

    I gave her the details of the de-encryption process, and she plans on proceeding with that.

    My bet is she is going to lose a few hundred dollars.

  6. #6
    Join Date
    Mar 2014
    Location
    Airdrie
    Posts
    30
    Rep Power
    0

    FWIW I got this last night.

    Was working on the home computer trying to fix a "weird networking issue". The day consisted of installing and removing various virus scanners, and taking backups in anticipation of a re-install. Computer was under heavy load and acting sluggish, but this wasn't unexpected given my activity.

    I have backups up the wazoo, so although I have many hours ahead of me of identifying and restoring corrupted files, this isn't catastrophic.

    Files on my desktop, and a thumbdrive were hit. Network shares from my NAS were not.

    If I'd had the Windows feature "Restore previous versions" of files enabled, it would have made the recovery much, much easier.

    But all told, I think I got off easy. No idea where I got it, or how long it's been there.

    Also found the same infection on my laptop, but removed it before it did any damage. I think it waits a bit before doing its nasty trick.

    Moral of the story: KEEP OFFLINE BACKUPS.

  7. #7
    Join Date
    Aug 2011
    Location
    Strathmore
    My Ride
    2005 Dirtymax
    Posts
    2,222
    Rep Power
    22

    Originally posted by Robin Goodfellow
    FWIW I got this last night.

    Was working on the home computer trying to fix a "weird networking issue". The day consisted of installing and removing various virus scanners, and taking backups in anticipation of a re-install. Computer was under heavy load and acting sluggish, but this wasn't unexpected given my activity.

    I have backups up the wazoo, so although I have many hours ahead of me of identifying and restoring corrupted files, this isn't catastrophic.

    Files on my desktop, and a thumbdrive were hit. Network shares from my NAS were not.

    If I'd had the Windows feature "Restore previous versions" of files enabled, it would have made the recovery much, much easier.

    But all told, I think I got off easy. No idea where I got it, or how long it's been there.

    Also found the same infection on my laptop, but removed it before it did any damage. I think it waits a bit before doing its nasty trick.

    Moral of the story: KEEP OFFLINE BACKUPS.

    Backups are fine, but you need to not introduce this into your environment, which either you or someone else did.

  8. #8
    Join Date
    May 2006
    Location
    Calgary
    Posts
    806
    Rep Power
    19

    Anyone seen this hit a Mac at all? Out of nowhere my Mac is running incredibly slow and it seems to be after some crazy hard to close type pop-ups hit when browsing last week. I ran a full scan with Sophos and it came back clean but I'm not convinced something isn't happening in the background.

    Do these things essentially just work in the background encrypting random files and then at some point have all your files encrypted and show you the ransom message?

  9. #9
    Join Date
    Oct 2009
    Location
    Unknown
    Posts
    1,157
    Rep Power
    0

    The Cryptolocker type infections haven't been written for Macs (yet).

    Are you still getting the popups? If so, try Adware Medic:

    http://www.adwaremedic.com/index.php

    If that doesn't help, there's a couple of things we can try.

    BTW, the Cryptolocker type infections don't encrypt random files. They encrypt files that are important to the user such as Pictures and Documents. Otherwise, yes, that's basically how it works.

  10. #10
    Join Date
    Nov 2004
    Location
    Calgary NE
    Posts
    702
    Rep Power
    20

    So both my home desktop and laptop got infected over the weekend. I'm not sure how, but somebody gained access to my TeamViewer account, transferred the ransomware, and ran it remotely.

    Luckily, the majority of my files were backed up to my NAS. I should keep my Windows locked when I'm away. >_>
