Cryptolocker Help

    Archaic_Entity (Sharpshooter):
    Hey all,

    I imagine we've got some people on these forums that are handy with computers, so I figured I'd shoot this out there:

    I'm trying to find someone who has been infected with Cryptolocker and paid the ransom to get their files decrypted from the company. The reason I'm looking for someone who matches this description is that, apparently, there are registry keys left behind after the virus uninstalls itself. What I want is a copy of those remnant registry keys. If anyone here has been infected and/or has a copy of those keys, PM me or post it here.

    Thanks

    perry (Master, Fishers, IN):
    Have you looked around on Bleeping Computer? I know they have a big thread about it. We've had a bunch of computers hit with it but don't pay the ransom. We get things from tape backup on the network drives, and Shadow Explorer to get what we can from the local drives.

    Archaic_Entity (Sharpshooter):
    Well, I don't have a computer infected, so it would be pointless. A coworker and I are considering making a VM to infect, but we don't want to pony up the $300 to pay, and it would be rather difficult to cipher through all the registry keys to find out which are left after uninstall. So I was just hoping for a shortcut. It may come down to doing that, but we'd prefer not to do that.

    perry (Master, Fishers, IN):
    I do imagine that the type of person that pays the $300, aside from someone like you that intentionally infects a machine for research, wouldn't know what to look for in the registry. What are you trying to find out?

    Archaic_Entity (Sharpshooter):
    No, most likely they wouldn't, but it also stands that if they don't know what to look for then it's likely still there because they haven't looked to delete it.

    But what I'm looking to find out is exactly what these keys are (and their settings) to see if I can determine why they're left after the "virus" has uninstalled itself. There are a couple of options that come to mind:
    1) They're there to prompt a re-download at a later date and reinfect, to get more money.
    2) They eventually make the computer a botted host to spread the virus to other computers.
    3) They tell the virus, upon running the executable, that this computer has already paid and it either halts the executable from running and/or uninstalls the executable.

    If it's option 1 or 2, then that will help to tell people these need to be found and deleted even after paying the money (if they have done so). If it's option 3, then it's determining whether these are blanket keys (and disable all known variants) or if they're isolated to that particular variant. Since the variants stem from one source both are possible. I'm wondering if I could engineer a local version of the keys to, in effect, vaccinate the computers we work with.

    perry (Master, Fishers, IN):
    Interesting thinking. I've wondered about immunizing / protecting (use group policy to prevent executables from running in AppData as Bleeping mentions), but our company is so big that it would take months to get something like that approved. The only communication I've gotten from above is that tape restores are taking longer than normal.

    It's unfortunate that every experiment costs you $300.
     
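    The AppData execution block perry mentions, as an added example that is not from this thread or from Bleeping Computer: a PowerShell script that writes Software Restriction Policy (SRP) path rules into the local machine policy so executables under a user's AppData tree are refused. It assumes an elevated prompt on a Windows edition that supports SRP; the blocked paths and the rule description text are my own choices.

```powershell
# Added example (not from the forum thread): block executables launched from
# AppData via Software Restriction Policy path rules in local machine policy.
# Assumes: run as Administrator on an edition that honours SRP.
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'   # subkey 0 = "Disallowed" security level

# Locations CryptoLocker-era droppers ran from; SRP path rules accept wildcards.
$blocked = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

# Turn SRP on with "Unrestricted" (0x40000) as the default level, so only the
# explicit Disallowed rules below take effect, for all users (PolicyScope 0).
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel       -Type DWord -Value 0x40000
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 1
Set-ItemProperty -Path $base -Name PolicyScope        -Type DWord -Value 0

foreach ($path in $blocked) {
    # Each rule lives in its own GUID-named subkey under the Disallowed level.
    $ruleKey = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # REG_EXPAND_SZ so %AppData% is expanded per user when the rule is evaluated.
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $path
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord  -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String -Value 'Block executables under AppData (CryptoLocker mitigation)'
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord  -Value ([DateTime]::UtcNow.ToFileTimeUtc())
}

# Show what is now configured so the change can be reviewed before rollout.
Get-ChildItem -Path $disallowed | ForEach-Object {
    [pscustomobject]@{ Rule = $_.PSChildName; Path = (Get-ItemProperty -Path $_.PSPath).ItemData }
}
```

    Test on one machine first: legitimate software that installs under AppData (some browsers and updaters do) is refused by the same rules, and the policy is applied at the next logon or after `gpupdate /force`.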

    Archaic_Entity (Sharpshooter):
    Hopefully it doesn't come to that. I finally found what I hope are the files I need. I'll post results here when I get them.