5

We believe a Crypto Locker virus may have found its way into our network. We're having trouble identifying which computer was responsible for originally bringing the virus in.

Does anybody have any experience identifying the source of a crypto locker virus on a network?

Sam Selikoff
  • 151
  • 4
  • 1
    Sounds like a company with a poor or non-existent security policy. Install an AV on every machine. – rook Oct 23 '13 at 17:20
  • 3
    Apparently the main way that this virus is making it's way around is through email. So really your best option is digging through user emails looking for suspicious looking links. – Signus Oct 23 '13 at 20:33

1 Answers1

6

We had this in our network yesterday, after the network cable was unplugged from the back of the PC was when the crypto locker showed itself. So go around and unplug everyone's network cable and look at the desktop, you can't miss it. Also, the only way to deal with this is to pay the demand ransom of $300. After we paid, it said "processing, could take up to 48 hours". Eventually it accepted the payment and decrypted the 1.5 million files in our network and now everything is back to normal.

Drew
  • 61
  • 1
  • 1
    We still haven't seen the screen. I'd also be extremely hesitant to pay the ransom. – Sam Selikoff Oct 23 '13 at 18:05
  • 2
    It either pops up when it is done encrypting all your files or you stop it from encrypting the files by unplugging the cable. If you don't want your files back you don't have to pay. We were running Sophos on the computer that got hit with this. – Drew Oct 23 '13 at 18:09
  • Did more than one computer on the network have the CryptoLocker process running? – Sam Selikoff Oct 23 '13 at 18:13
  • 1
    No, just the one computer that got the email that the user stupidly clicked on thinking they had a voice mail message in a zip file... – Drew Oct 23 '13 at 18:16
  • 1
    → Sam: Don't be hesitant. Either you agree with the attackant economic model and you support it financially, either **you don't agree**. If nonetheless you decide to pay, carefully read the user level agreement, and finally ask yourself what **trust** you may place on an agreement with a **criminal**. – dan Oct 24 '13 at 09:45