Issue:
Decrypt or recover files encrypted by the CTB Locker virus.
Background:
As discussed in the last post, a SharePoint Server 2013 client machine was infected with the CTB Locker virus. Today I did more research on finding a way to recover files that were encrypted by the CTB Locker virus.
Analysis by Symantec Connect - Security:
Decryption without the key from your attackers is not feasible, but that does not mean that a Trojan.CryptoLocker threat must seriously disrupt your business. A scan with new antivirus definitions will detect and remove the executable file and prevent any further damage; then simply delete all the encrypted files and restore them from their last known-good backup.
With some variants of Trojan.CryptoLocker, it is possible to use Windows PowerShell to generate a list of the files that the threat has encrypted. The variant records each path as a value name under its registry key, with every backslash replaced by "?", so the list can be dumped and the separators restored with the following command:
(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding Unicode
Note that more recent variants seem to have changed their code to prevent the generation of such a list; with those it will be necessary to identify the encrypted files manually.
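Both situations in the Symantec note (a variant that records its file list in the registry, and one that keeps no list) can be handled from PowerShell. The script below is an added example, not code from the Symantec article or from this post: it dumps the registry list with the same "?" to "\" substitution and reports whether each path still exists, and for variants that keep no list it walks a folder for files modified after the infection time whose leading bytes no longer match the signature their extension implies. The signature table, the folder and the cutoff time are assumptions made for illustration.

```powershell
# Added example (not code from the Symantec article or this post): locate the
# files a CryptoLocker-family infection has encrypted.
#   1. Variants that keep a list under HKCU:\Software\CryptoLocker\Files store
#      each path as a value name with every '\' replaced by '?'.
#   2. Variants that keep no list: walk a folder, keep files modified after the
#      infection time, and flag those whose first bytes no longer match the
#      signature their extension implies (an encrypted .docx no longer starts
#      with "PK"). The signature table is an assumption about what the
#      environment stores; extend it for your own file types.

function Get-CryptoLockerRegistryList {
    # Returns one object per recorded path and whether it is still on disk.
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (-not (Test-Path $key)) { return @() }
    (Get-Item $key).GetValueNames() | ForEach-Object {
        $path = $_.Replace('?', '\')
        [pscustomobject]@{ Path = $path; Exists = (Test-Path -LiteralPath $path) }
    }
}

# Leading bytes of common document formats (well-known magic numbers).
$Signatures = @{
    '.doc'  = @(0xD0, 0xCF, 0x11, 0xE0)    # OLE compound file
    '.xls'  = @(0xD0, 0xCF, 0x11, 0xE0)
    '.ppt'  = @(0xD0, 0xCF, 0x11, 0xE0)
    '.docx' = @(0x50, 0x4B, 0x03, 0x04)    # "PK\x03\x04", zip container
    '.xlsx' = @(0x50, 0x4B, 0x03, 0x04)
    '.pptx' = @(0x50, 0x4B, 0x03, 0x04)
    '.zip'  = @(0x50, 0x4B, 0x03, 0x04)
    '.pdf'  = @(0x25, 0x50, 0x44, 0x46)    # "%PDF"
    '.jpg'  = @(0xFF, 0xD8, 0xFF)
}

function Test-HeaderMatches {
    param([string]$Path, [byte[]]$Expected)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] ($Expected.Length)
        $n = $stream.Read($buf, 0, $buf.Length)
    } finally { $stream.Dispose() }
    # A file shorter than its signature (including an empty file) is reported
    # as not matching, so truncated files also land in the review list.
    if ($n -lt $Expected.Length) { return $false }
    for ($i = 0; $i -lt $Expected.Length; $i++) {
        if ($buf[$i] -ne $Expected[$i]) { return $false }
    }
    return $true
}

function Find-SuspectFiles {
    param([string]$Root, [datetime]$ModifiedAfter)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $ModifiedAfter } |
        ForEach-Object {
            $ext = $_.Extension.ToLowerInvariant()
            if (-not $Signatures.ContainsKey($ext)) { return }   # type we cannot judge
            if (-not (Test-HeaderMatches -Path $_.FullName -Expected ([byte[]]$Signatures[$ext]))) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    Reason        = "contents do not start with the $ext signature"
                }
            }
        }
}

# Usage (folder and cutoff time are constructed placeholders):
Get-CryptoLockerRegistryList | Export-Csv CryptoLockerFiles.csv -NoTypeInformation
Find-SuspectFiles -Root 'C:\Users\alice\Documents' -ModifiedAfter (Get-Date '2015-01-20 08:00') |
    Export-Csv SuspectFiles.csv -NoTypeInformation
```

The header check is used instead of an entropy measure on purpose: a valid .docx, .zip or .jpg is already high-entropy, so entropy alone cannot separate them from ciphertext, whereas an encrypted file loses its magic bytes. Files legitimately modified in the window whose structure differs from their extension (a .doc that is really RTF, for example) will appear as false positives, so treat the output as a review list rather than a deletion list.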
Microsoft Built-In Tools:
Windows Backup
Windows comes with a built-in backup and restore utility. Windows Backup is free and can restore encrypted files (or files otherwise damaged by any threat), provided that you made a backup of them before the damage. Microsoft have released a video on how to use the built-in backup and restore tool to back up your important files. Watching this simple how-to will enable you to schedule a known-good backup of your selected data, and will only cost a minute of your life. Definitely recommended!
Back up your files
http://windows.microsoft.com/en-ie/windows7/back-up-your-files
This Windows Backup tool also has the ability to create a system image: an exact image of the entire drive (system settings, programs, files, everything). If this system image is restored, it will not only replace all the files that Trojan.CryptoLocker has damaged, it will overwrite everything! Use system image restoration with caution. Keep the backup target disconnected when a backup is not running: a backup drive that is mounted during the infection is just another writable volume to the malware and can be encrypted along with the originals.
Use a Previous Version
An alternative, if it is a technology in use in your organization, is to restore from a Previous Version. Previous versions are copies of files and folders that Windows automatically saved as part of system protection. This feature is fantastic at rescuing files that were damaged by malware. Here's another Microsoft article with all the details:
Previous versions of files: frequently asked questions
http://windows.microsoft.com/en-ie/windows7/previous-versions-of-files-frequently-asked-questions
If system protection is enabled, Windows automatically creates previous versions of files and folders that have been modified since the last restore point was made.
As an example: let's say that Trojan.CryptoLocker has turned the important MS Word document "Network and Telco.doc" into gibberish. From Windows Explorer, just right-click it, choose "Restore previous versions", highlight the version from last week (before the damage was done) and click Restore.
On the File Server:
Volume Shadow Copies
If Trojan.CryptoLocker has damaged files that reside in a mapped directory on a corporate file server, there's a slightly different method for restoring them. If Volume Shadow Copies are enabled on the server, recovery should be easy. More details and a mention of gourmet snacks can be found in this TechNet article:
Rapid Recovery with the Volume Shadow Copy Service
http://technet.microsoft.com/en-ie/magazine/2006.01.rapidrecovery(en-us).aspx
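Explorer's "Restore previous versions" on a workstation and Volume Shadow Copies on the file server are the same snapshot mechanism, so one script covers both recovery paths described above. The script below is an added example, not code from the Symantec article, the TechNet article or this post: it picks the newest shadow copy of a volume taken before the infection, exposes it through a directory symlink and copies the requested files out to a separate folder. The drive letter, cutoff time, file paths and restore folder are constructed placeholders, and it must be run elevated on the machine that holds the volume.

```powershell
# Added example (not code from the Symantec or TechNet articles or this post):
# copy files out of the newest Volume Shadow Copy taken before the infection.
# Run elevated on the machine that owns the volume (workstation or file server).

function Get-ShadowCopiesForVolume {
    param([string]$DriveLetter)   # e.g. 'D:'
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No volume with drive letter $DriveLetter" }
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the
    # \\?\Volume{GUID}\ form, which is how the two are matched up.
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending
}

function Restore-FromShadowCopy {
    param(
        [string]$DriveLetter,   # 'D:'
        [datetime]$Before,      # last moment the files were known good
        [string[]]$Files,       # full paths on that volume
        [string]$RestoreRoot    # copy target; do not overwrite originals yet
    )
    $snap = Get-ShadowCopiesForVolume -DriveLetter $DriveLetter |
        Where-Object { $_.InstallDate -lt $Before } |
        Select-Object -First 1
    if (-not $snap) { throw "No shadow copy of $DriveLetter older than $Before" }
    Write-Host "Using shadow copy $($snap.ID) taken $($snap.InstallDate)"

    # The snapshot is exposed as a device object (\\?\GLOBALROOT\Device\...).
    # A directory symlink makes it browsable with ordinary file cmdlets; the
    # trailing backslash on the target is required.
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
    cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
    if (-not (Test-Path -LiteralPath $link)) { throw "mklink failed (is the session elevated?)" }
    try {
        $prefix = $DriveLetter + '\'
        foreach ($f in $Files) {
            if (-not $f.StartsWith($prefix, 'OrdinalIgnoreCase')) {
                Write-Warning "Not on volume ${DriveLetter}: $f"; continue
            }
            $rel  = $f.Substring($prefix.Length)
            $src  = Join-Path $link $rel
            $dest = Join-Path $RestoreRoot $rel
            if (-not (Test-Path -LiteralPath $src)) {
                Write-Warning "Not present in snapshot: $f"; continue
            }
            New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
            Copy-Item -LiteralPath $src -Destination $dest -Force
            Write-Host "Restored $f -> $dest"
        }
    } finally {
        # rmdir removes the link itself; the snapshot is untouched.
        cmd /c rmdir "$link" | Out-Null
    }
}

# Usage with constructed placeholder values; adjust to the real share and
# the time the infection started.
Restore-FromShadowCopy -DriveLetter 'D:' -Before (Get-Date '2015-01-20 08:00') `
    -Files @('D:\Shares\Finance\Network and Telco.doc') -RestoreRoot 'D:\Restored'
```

Restore into a separate folder and replace the encrypted originals only after the malware has been removed; a still-running infection will simply encrypt the restored copies too. From a client, files on a mapped share can also be read without any server-side scripting through the SMB previous-versions path, of the form \\server\share\@GMT-2015.01.19-03.00.00\folder\file (timestamp in UTC; the value shown is an example), which is what Explorer's Previous Versions tab uses behind the scenes.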
My resolution:
Try this site to decrypt files that have been encrypted by ransomware: http://ecryptcryptolocker.com
Note that such a service can only recover files encrypted by the specific variant whose private keys it holds; for any other family the Symantec advice above stands, and the reliable way back is a backup, a previous version or a shadow copy.
These are the most commonly reported ransomware families (Microsoft detection names; Ransom:Win32/Critroni is Microsoft's name for CTB Locker). Any one of them may have infected your system:
- Ransom:JS/Krypterade.A
- Ransom:Win32/Nymaim.F
- Ransom:Win32/Reveton!lnk
- Ransom:Win32/Crowti
- Ransom:Win32/Critroni
- Ransom:Win32/Reveton
- Ransom:Win32/Reveton.V
- Ransom:Win32/Urausy.E
- Ransom:Win32/Critroni.A
- Ransom:Win32/Crowti.A
How to remove the ransomware depends on what type it is.
If your web browser is locked
You can try to unlock your browser by using Task Manager to stop the web browser's process:
1. Open Task Manager. There are a number of ways to do this:
- Right-click an empty space on the taskbar and click Task Manager or Start Task Manager.
- Press Ctrl+Shift+Esc.
- Press Ctrl+Alt+Delete.
2. In the list of Applications or Processes, click the name of your web browser.
3. Click End task. If you are asked whether you want to wait for the program to respond, click Close the program.
4. In some workplaces, access to Task Manager may be restricted by your network administrator. Contact your IT department for help.
When you open your web browser again, you may be asked to restore your session. Do not restore your session, or you may end up loading the ransomware again.
How to remove ransomware:
McAfee provides a tool called Stinger to remove ransomware, other malware, trojans, etc. Run it and it will remove the ransomware it detects.
Only a few tools can remove ransomware fully; some of them are:
Microsoft Security Essentials
Windows Defender
Malwarebytes
McAfee Stinger
The first two are Microsoft products and can remove it completely. Windows Defender is present by default in Windows 8 and later, but it is turned off automatically when another antivirus product is installed, so check that it is actually running.
Please share your experience in the comments below.
Applies to: SharePoint Server 2013 and Windows 8.1.