Dealing With CryptoLocker

CryptoLocker (and its variants) suck! The virus typically strikes one person's machine, and once infected, that PC will crawl local drives and mapped drives, folder after folder, file after file, encrypting them with a 256-bit key, thus taking your data hostage.

The best methods of protection I’ve found are:

  • Don’t open or run any email attachments that come from someone you do not know, or that appear suspicious. i.e. you will never receive an email from FedEx or UPS that has a .ZIP file attachment with information about your shipment! Don’t open it, don’t touch it, delete it!
  • Make sure your servers have a working and tested backup solution in place. Make sure this backup solution is set up to send alerts on failures should a backup problem arise! Nothing worse than the backup software experiencing a failure, and you’re not alerted to it until you look at it during an emergency.
  • Make sure Shadow Copies are enabled on your critical server data volumes. You can right click on the data drive letter, select Properties, Previous Versions to turn on various snapshots to be taken throughout the day. I recommend one at 6am and another at 12pm. Usually those aren’t peak usage times.

Isolating the virus:

  • You will likely hear about this from a user who calls saying they can’t open their Word or Excel documents, or that they look scrambled. This is due to the virus having encrypted those files.
  • First thing to do is log into the server and change all of its shares to ‘Read Permission’ only under sharing permissions.
  • The virus typically leaves 3 files behind in every directory that it has crawled: HELP_DECRYPT.TXT, .JPG and .HTML. Look at the properties of these files to try and determine the ‘Owner’. Depending on the variant, the ‘Owner’ is a lot of the time the source of the infection.
  • The source infected machine should be the only one that has encrypted files on its own C:\. The desktop, local My Documents, or contents on the C:\ are the best sign. If you can find this PC, disconnect it from the network immediately.

Options for recovery:

  • How quickly you’ve caught the virus determines how many folders you’re going to need to restore. Many times, using Shadow Copies to restore folders to an earlier point in time is better, more convenient and loses less data than going to last night’s backup.
  • Should the server be the source of the infection, you will likely be doing a full, bare-metal restore of the entire server back to the previous full backup.
  • Once files are rolled back, you will need to clean up the remaining HELP_DECRYPT.xxx files. The easiest way to do this is to:
    • Open Admin CMD Prompt
    • Navigate to the root drive affected: cd c:\
    • Issue the delete command for all files with that title: DEL /S HELP_DECRYPT.*
    • Let it crawl the directories and remove all instances found
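As an added example (not part of the original post), here is a PowerShell version of the isolation and cleanup steps above: tally the owners of the HELP_DECRYPT.* notes to narrow down the source PC, flip every share to Read, and preview the cleanup before deleting anything. Function names are my own; it assumes an elevated Windows PowerShell 3+ session and the SmbShare module (Server 2012 / Windows 8 or later).

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 3+,
# an elevated session, the SmbShare module (Server 2012 / Windows 8 or later),
# and that the notes are named HELP_DECRYPT.* as the post describes.

function Find-RansomNoteOwners {
    # Tally the NTFS owner of every HELP_DECRYPT.* note under $Root. The
    # most frequent owner is the first account to check for the source PC.
    param([Parameter(Mandatory)][string]$Root, [string]$Pattern = 'HELP_DECRYPT.*')
    $notes = Get-ChildItem -Path $Root -Filter $Pattern -Recurse -File -Force -ErrorAction SilentlyContinue
    $owners = foreach ($n in $notes) {
        try { (Get-Acl -LiteralPath $n.FullName).Owner } catch { 'UNKNOWN (access denied)' }
    }
    $owners | Group-Object | Sort-Object Count -Descending |
        Select-Object @{n = 'Owner'; e = { $_.Name }}, Count
}

function Set-SharesReadOnly {
    # The "change all shares to Read" step: for every non-admin share, drop
    # each account's existing allow entries and re-grant Read only.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_.Name
        foreach ($ace in (Get-SmbShareAccess -Name $share)) {
            if ($PSCmdlet.ShouldProcess("$share -> $($ace.AccountName)", 'Set share access to Read')) {
                Revoke-SmbShareAccess -Name $share -AccountName $ace.AccountName -Force
                Grant-SmbShareAccess -Name $share -AccountName $ace.AccountName -AccessRight Read -Force
            }
        }
    }
}

function Remove-RansomNotes {
    # Same job as "DEL /S HELP_DECRYPT.*", but with -WhatIf so the list of
    # files can be reviewed before anything is deleted.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Root, [string]$Pattern = 'HELP_DECRYPT.*')
    Get-ChildItem -Path $Root -Filter $Pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete ransom note')) {
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }
}

# Usage:
#   Find-RansomNoteOwners -Root 'D:\' | Format-Table -AutoSize
#   Set-SharesReadOnly -WhatIf      # preview, then run without -WhatIf
#   Remove-RansomNotes -Root 'D:\' -WhatIf
```

Share-level Read combines with NTFS permissions, so the more restrictive of the two wins and users can still open files while the infected account can no longer write to the shares.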