Sunday, January 4, 2015

Decrypt your files damaged by CTB Locker Virus.

Issue: Decrypt your files damaged by CTB Locker Virus.

Background: As discussed in the last post, a SharePoint Server 2013 client machine was infected with the CTB Locker virus. Today I did more research on finding a way to recover files that were encrypted by CTB Locker.

Analysis by Symantec Connect- Security:

Decryption without the key from your attackers is not feasible, but that does not mean that a Trojan.CryptoLocker threat must seriously disrupt your business.  A scan with new AntiVirus definitions will be able to detect and remove the executable file and prevent any further damage, then simply delete all the encrypted files and restore them from their last known-good backup.  

With some variants of Trojan.Cryptolocker, it is possible to use Windows Powershell to generate a list of files that have been encrypted by ransomlock.  You can dump the list of files in the CryptoLocker registry key using the following command:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding Unicode

Note that more recent variants seem to have changed their code to prevent the generation of such a list.  It will be necessary to identify the corrupted files manually. 
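Because newer variants keep no registry list, a practitioner needs a fallback for building the inventory of damaged files before restoring from backup. The script below is an added example, not part of the Symantec article or this post: it first reads the HKCU:\Software\CryptoLocker\Files key exactly as the one-liner above does and, if that key is absent, scans a directory for documents whose header no longer matches their extension and whose contents look like random data. The scan root, the list of magic bytes and the entropy threshold are my assumptions; the heuristic only covers the file types in the table and will not notice an encrypted file that kept an unlisted extension.

```powershell
# Added example (not from the Symantec article or this post): build a list of files
# touched by the ransomware. Try the registry list some CryptoLocker variants keep,
# then fall back to a content heuristic for variants that keep no list.
# The scan root, magic-byte table and entropy threshold are assumptions for illustration.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy   # bits per byte, 8.0 is indistinguishable from random
}

# Expected leading bytes for common document types; an encrypted file will not start with these.
$Magic = @{
    '.doc'  = @(0xD0,0xCF,0x11,0xE0)   # OLE compound file (.doc/.xls/.ppt)
    '.xls'  = @(0xD0,0xCF,0x11,0xE0)
    '.docx' = @(0x50,0x4B,0x03,0x04)   # ZIP container (.docx/.xlsx/.pptx)
    '.xlsx' = @(0x50,0x4B,0x03,0x04)
    '.pdf'  = @(0x25,0x50,0x44,0x46)   # %PDF
    '.jpg'  = @(0xFF,0xD8,0xFF)
    '.png'  = @(0x89,0x50,0x4E,0x47)
    '.zip'  = @(0x50,0x4B,0x03,0x04)
}

function Get-RansomwareFileList {
    param(
        [string]$ScanRoot = "$env:USERPROFILE\Documents",   # assumed scan root
        [double]$EntropyThreshold = 7.5                       # assumed cut-off
    )
    # 1. Registry list written by older CryptoLocker variants (key named in the Symantec note).
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (Test-Path $key) {
        return (Get-Item $key).GetValueNames() | ForEach-Object { $_.Replace('?', '\') }
    }
    # 2. Fallback: flag files whose header is wrong for their extension and whose
    #    first 4 KiB look like random data.
    Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = $_.Extension.ToLower()
        if (-not $Magic.ContainsKey($ext) -or $_.Length -lt 64) { return }   # skip unknown/tiny files
        $fs = $_.OpenRead()
        try {
            $head = New-Object byte[] 4096
            $read = $fs.Read($head, 0, $head.Length)
        } finally { $fs.Close() }
        $expected = $Magic[$ext]
        $headerOk = $true
        for ($i = 0; $i -lt $expected.Length; $i++) {
            if ($head[$i] -ne $expected[$i]) { $headerOk = $false; break }
        }
        if ($headerOk) { return }   # header intact, file is not encrypted
        $entropy = Get-ShannonEntropy ($head[0..($read - 1)])
        if ($entropy -ge $EntropyThreshold) {
            [PSCustomObject]@{ Path = $_.FullName; Entropy = [Math]::Round($entropy, 2) }
        }
    }
}

# Write the inventory to a file and show it on screen, as the one-liner above does.
Get-RansomwareFileList | Tee-Object -FilePath CryptoLockerFiles.txt
```

Run it from a clean, already disinfected session, and treat the output as a candidate list: a legitimately compressed or password-protected file can also fail the header check, so spot-check a few entries before bulk-deleting and restoring.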

Microsoft Built-In Tools: Windows Backup 

Windows comes with a built-in backup and restore utility.  Windows Backup is a freebie that can restore encrypted files (or files otherwise damaged by any threat), providing that you have made a backup of them prior to the damage.  Microsoft have released a video on how to use the built-in backup and restore tool to back up your important files.  Watching this simple how-to will enable you to schedule a known-good backup of your selected data, and will only cost a minute of your life.  Definitely recommended!

This Windows Backup tool also has the ability to create a system image- this is an exact image of the entire drive: system settings, programs, files, everything.  If this system image is restored, it will not only replace all the corrupted files that Trojan.CryptoLocker has damaged- it will overwrite everything!  Use system image restoration with caution.

Use a Previous Version
An alternative, if it is a technology in use in your organization, is to restore from a Previous Version.  Previous versions are copies of files and folders that Windows automatically saved as part of system protection. This feature is fantastic at rescuing files that were damaged by malware. Here's another Microsoft article with all the details:

If system protection is enabled, Windows automatically creates previous versions of files and folders that have been modified since the last restore point was made.

As an example: let's say that Trojan.CryptoLocker has turned the important MS Word document "Network and Telco.doc" into gibberish.  From Windows Explorer, just right-click it, choose "Restore previous versions", highlight the version from last week (before the damage was done) and click Restore.

On the File Server: Volume Shadow Copies

If Trojan.CryptoLocker has damaged files that reside in a mapped directory on a corporate file server, there's a slightly different method for restoring them.  If Volume Shadow Copies are enabled on the server, recovery should be easy.  More details and a mention of gourmet snacks can be found in this Technet article:

Rapid Recovery with the Volume Shadow Copy Service
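The "Previous Versions" tab and the server-side restore described in the two sections above both read from the same Volume Shadow Copy snapshots, so it helps to be able to inventory them and pull a single file out of a snapshot from the command line, especially on a file server where the Explorer dialog is inconvenient. The script below is an added example, not part of the Technet article or this post; it must run as Administrator. The link name, the sample file path and the cut-off timestamp are my assumptions.

```powershell
# Added example (not from the Technet article or this post): list the shadow copies that
# still exist, then copy a pre-infection version of one file out of the newest snapshot
# taken before the ransomware ran. Run as Administrator.
# The link name, sample path and cut-off time are assumptions for illustration.

function Get-ShadowCopyInventory {
    # One row per snapshot, newest first, with the drive letter resolved from the volume GUID.
    $volumes = Get-CimInstance Win32_Volume
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        $sc  = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
        [PSCustomObject]@{
            Created      = $sc.InstallDate
            Drive        = $vol.DriveLetter            # e.g. C:
            DeviceObject = $sc.DeviceObject            # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            Id           = $sc.ID
        }
    } | Sort-Object Created -Descending
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$Path,         # live path of the damaged file
        [Parameter(Mandatory)][datetime]$Before,     # use the newest snapshot older than this
        [string]$Destination = "$Path.restored",     # never overwrite the damaged file in place
        [string]$LinkName = 'C:\ShadowLink'          # temporary directory symlink (assumed name)
    )
    $qualifier = Split-Path -Qualifier $Path                          # "C:"
    $relative  = (Split-Path -NoQualifier $Path).TrimStart('\')       # "Users\...\file.doc"
    $snapshot  = Get-ShadowCopyInventory |
        Where-Object { $_.Drive -eq $qualifier -and $_.Created -lt $Before } |
        Select-Object -First 1
    if (-not $snapshot) {
        # Many ransomware families run "vssadmin delete shadows /all" before encrypting;
        # if no snapshot is left, the only option is the last known-good backup.
        throw "No shadow copy of $qualifier older than $Before; restore from backup instead."
    }
    # Explorer and Copy-Item cannot open \\?\GLOBALROOT paths directly, so expose the
    # snapshot through a directory symbolic link. The trailing backslash is required.
    $target = "$($snapshot.DeviceObject)\"
    cmd /c mklink /d $LinkName $target | Out-Null
    try {
        $source = Join-Path $LinkName $relative
        if (-not (Test-Path -LiteralPath $source)) {
            throw "File not present in snapshot from $($snapshot.Created): $source"
        }
        Copy-Item -LiteralPath $source -Destination $Destination
        Write-Output "Restored from snapshot $($snapshot.Created) -> $Destination"
    } finally {
        cmd /c rmdir $LinkName | Out-Null    # remove only the link, never the snapshot contents
    }
}

# Usage (assumed file and timestamp):
Get-ShadowCopyInventory | Format-Table -AutoSize
Restore-FileFromShadowCopy -Path 'C:\Users\alice\Documents\Network and Telco.doc' `
                           -Before (Get-Date '2015-01-03 08:00')
```

Check the inventory first: if the newest snapshot is older than you expect, or the list is empty, the ransomware has most likely deleted the shadow copies and you should stop and go to backups rather than keep working on the volume. The restore writes to a new file beside the damaged one so that a wrong snapshot choice can be retried.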
My resolution:

Please try this site to decrypt your files that have been encrypted by ransomware:

These are the top ransomware families that have been reported; any one of them may have infected your system.
How to remove the ransomware depends on what type it is.

If your web browser is locked

You can try to unlock your browser by using Task Manager to stop the web browser's process:
1.    Open Task Manager. There are a number of ways you can do this:
   -    Right-click on an empty space on the taskbar and click Task Manager or Start Task Manager.
   -    Press Ctrl+Shift+Esc.
   -    Press Ctrl+Alt+Delete.
2.    In the list of Applications or Processes, click on the name of your web browser.
3.    Click End task. If you are asked if you want to wait for the program to respond, click Close the program.
Note: In some workplaces, access to Task Manager may be restricted by your network administrator. Contact your IT department for help.
When you open your web browser again, you may be asked to restore your session. Do not restore your session or you may end up loading the ransomware again.

How to remove ransomware:

McAfee provides a tool called Stinger to remove ransomware, malware, trojans, etc.

Run this tool to remove the ransomware executable. Note that removing the malware does not decrypt the files it has already encrypted; those still have to be restored from backup or from shadow copies as described above.

Only a few tools can remove ransomware fully; some of them are mentioned here:
Microsoft Security Essentials
Windows Defender

Microsoft Security Essentials and Windows Defender are Microsoft products and can remove it completely. Windows Defender is present by default in Microsoft operating systems, but it may be turned off (for example when another antivirus product is installed), so check that it is enabled and has current definitions.

Please share your experience in the comments below.

Applies to: SharePoint Server 2013 and Windows 8.1.
