Cryptolocker

davieboy27
(@davieboy27)
New Member

Hi Guys,

I am looking into Cryptolocker and have seen plenty of information about where to find Cryptolocker encrypted files. I know the registry key in the software hive can show Cryptolocker present, but for some reason on this hard drive the software hive will not give me any information.

I scanned the hard drive and found plenty of encrypted files.

My question is: I understand that Cryptolocker usually comes in a zip file that a user has opened. What tool could I use to scan the mounted hard drive image for present zip files?

Is there any known real approach to Cryptolocker forensics? I assume all I can hope to uncover is who downloaded the attachment, at what time, on what machine.

Any help most appreciated,

Thanks,

David

Posted : 23/02/2015 9:36 pm
gorvq7222
(@gorvq7222)
Active Member

Hi,

I investigated a CryptoLocker malware case last year. In my opinion, you could first use antivirus software like TrendMicro to scan the hard drive to locate the suspicious malware. Note that CryptoLocker is identified under different names by different antivirus software.

Usually CryptoLocker comes with a social engineering e-mail, so if you locate a suspicious file, take a look at its path. It may be an e-mail attachment whose extension pretends to be zip or pdf; actually it is an exe.

Rick

Posted : 06/03/2015 6:14 am
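Both of the points raised so far (David's "how do I find the zip files on the mounted image" and Rick's "the attachment pretends to be zip or pdf but is really an exe") come down to the same triage step: walk the mounted image and classify files by their leading bytes rather than by extension. The script below is an added example, not a tool used by either poster; it uses the real ZIP, PDF and PE (MZ) signatures, but the choice of which extensions count as "document-like" and the sample directory it builds are this example's own constructions.

```python
"""
Walk a mounted image (or any directory) and (a) list genuine ZIP archives
by magic bytes, (b) flag files whose extension claims a document type
(zip, pdf, doc, ...) but whose first bytes are the PE header "MZ".

Added triage example; not code from the thread. Run it against the root of
the mounted image, e.g. scan_tree(Path("/mnt/image/Users")).
"""
import os
import tempfile
from pathlib import Path

# Leading-byte signatures (real format magic values).
SIGNATURES = {
    b"MZ": "exe",          # PE executable (DOS stub header)
    b"PK\x03\x04": "zip",  # ZIP local file header
    b"%PDF": "pdf",        # PDF header
}
# Extensions a user would expect to open as a document, not run. This set
# is an assumption of the example; extend it for the case at hand.
DOCUMENT_EXTENSIONS = {".zip", ".pdf", ".doc", ".docx", ".txt"}


def sniff(path: Path) -> str:
    """Return the type implied by the file's leading bytes, or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def scan_tree(root: Path) -> dict:
    """Return {'archives': [...], 'disguised_executables': [...]} (paths relative to root)."""
    archives, disguised = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                kind = sniff(p)
            except OSError:
                continue  # unreadable entry (permissions, locked): skip it here
            rel = p.relative_to(root).as_posix()
            if kind == "zip":
                archives.append(rel)
            if kind == "exe" and p.suffix.lower() in DOCUMENT_EXTENSIONS:
                disguised.append(rel)
    return {"archives": sorted(archives), "disguised_executables": sorted(disguised)}


def build_sample_tree() -> Path:
    """Build a throwaway directory of constructed sample files for a demo run."""
    root = Path(tempfile.mkdtemp(prefix="cl_triage_"))
    (root / "Downloads").mkdir()
    # A real (minimal) ZIP header, a PE pretending to be a PDF, a real PDF header.
    (root / "Downloads" / "invoice.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / "Downloads" / "statement.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "Downloads" / "real.pdf").write_bytes(b"%PDF-1.4\n")
    (root / "Temp").mkdir()
    (root / "Temp" / "setup.exe").write_bytes(b"MZ\x90\x00")  # honest exe, not flagged
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Magic-byte matching only tells you what a file is, not whether it is malicious; the value of the "disguised_executables" list is that it is short, so each hit can be checked against the user's mail client attachment store and browser download history to answer the "who, when, which machine" question David asks.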
RevFlier
(@revflier)
New Member

Hi Guys,

Is there any known real approach to Cryptolocker forensics? I assume all I can hope to uncover is who downloaded the attachment, at what time, on what machine.

Any help most appreciated,

Thanks,

David

I recently had a couple of CryptoWall cases, essentially a newer version of CryptoLocker. Yes, there is an entry in the registry that tracks what files got encrypted. This is used by the decryption exe to locate the files to decrypt. Interestingly enough, data files with file names that were all numeric were skipped by the attack, presumably because the ransomware wants to ensure the user can buy bitcoin to pay the ransom and a numeric name might be a system file. Locating the first compromised computer with CryptoWall was easier since it is the one with the local drive files encrypted.

As for locating the actual binaries, it proved a little more difficult since they were deleted by the virus and were not recoverable. They did leave prefetch entries and showed multiple executions and MSI instances. In my cases the executables all came in as .tmp files.
Prefetch showed the .tmp being executed, which downloaded and ran other .tmp files, followed by the running of VSSAdmin, which deleted the VSC. After the deletion of the volume shadow, explorer was run to identify mapped drives. The ransomware then encrypted the files on the local drive and mapped drives.
The actual encryption process on the local drive (and presumably on the mapped drives, but the company restored network data from backup and we never got the server $J) can be followed in the USN $J. There you see the creation of the encrypted version of the file with the same name and an added random extension. The original file is then deleted and the random extension removed, leaving the original file name and extension. File system tunneling, which occurred at the time of the delete/rename, results in the creation date reverting back to the original creation date.

I hope this helps.

Posted : 06/03/2015 9:12 am
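The create / delete / rename sequence RevFlier describes in the USN $J is regular enough to pull out programmatically. The script below is an added example, not RevFlier's own code or any tool named in the thread. It assumes the $J records have already been parsed (by whatever USN parser you use) into dicts with usn, timestamp, file_ref, name and reason fields; the USN_REASON_* flag values are the real Windows ones, while the sample records, file reference numbers, names and timestamps are constructed. It also includes a Word-style save (temp file renamed over the original) as a negative case, so the pattern match does not fire on ordinary application saves.

```python
"""
Reconstruct "encrypted copy created -> original deleted -> copy renamed to
original name" from $UsnJrnl:$J records. Added example; sample data below
is constructed, not taken from a real journal.
"""

# Real USN_REASON_* flag values from the Windows USN_RECORD structure.
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000


def find_replaced_files(records):
    """Return one finding per original file replaced by an encrypted copy.

    Pattern, in USN order:
      1. FILE_CREATE of <original>.<random>       (encrypted copy written)
      2. FILE_DELETE of <original>                (plaintext removed)
      3. RENAME_OLD_NAME <original>.<random>, then RENAME_NEW_NAME <original>
    """
    created = {}         # file_ref -> (name, timestamp) from FILE_CREATE
    deleted = {}         # name -> timestamp from FILE_DELETE
    pending_rename = {}  # file_ref -> old name, waiting for RENAME_NEW_NAME
    findings = []
    for rec in sorted(records, key=lambda r: r["usn"]):
        ref, name, reason = rec["file_ref"], rec["name"], rec["reason"]
        if reason & USN_REASON_FILE_CREATE:
            created[ref] = (name, rec["timestamp"])
        if reason & USN_REASON_FILE_DELETE:
            deleted[name] = rec["timestamp"]
        if reason & USN_REASON_RENAME_OLD_NAME:
            pending_rename[ref] = name
        if reason & USN_REASON_RENAME_NEW_NAME:
            old = pending_rename.pop(ref, None)
            # Only a file we watched being created, whose temp name is the
            # final name plus an extra extension, and whose namesake was deleted.
            if old is None or created.get(ref, (None,))[0] != old:
                continue
            if old.startswith(name + ".") and name in deleted:
                findings.append({
                    "original": name,
                    "temp_name": old,
                    "random_ext": old[len(name) + 1:],
                    "copy_created": created[ref][1],
                    "original_deleted": deleted[name],
                    "renamed_back": rec["timestamp"],
                })
    return findings


def _r(usn, ts, ref, name, reason):
    return {"usn": usn, "timestamp": ts, "file_ref": ref, "name": name, "reason": reason}


# Constructed sample journal: two ransomware hits and one benign Word save.
SAMPLE_RECORDS = [
    _r(100, "2015-02-20T14:01:03", 5001, "budget.xlsx.ab3x9", USN_REASON_FILE_CREATE),
    _r(101, "2015-02-20T14:01:03", 5001, "budget.xlsx.ab3x9", USN_REASON_DATA_EXTEND),
    _r(102, "2015-02-20T14:01:04", 4120, "budget.xlsx", USN_REASON_FILE_DELETE),
    _r(103, "2015-02-20T14:01:04", 5001, "budget.xlsx.ab3x9", USN_REASON_RENAME_OLD_NAME),
    _r(104, "2015-02-20T14:01:04", 5001, "budget.xlsx", USN_REASON_RENAME_NEW_NAME),
    # Word-style save of report.docx: temp names do not embed the original name.
    _r(110, "2015-02-20T14:05:10", 6002, "~WRD0001.tmp", USN_REASON_FILE_CREATE),
    _r(111, "2015-02-20T14:05:11", 4500, "report.docx", USN_REASON_RENAME_OLD_NAME),
    _r(112, "2015-02-20T14:05:11", 4500, "~WRL0002.tmp", USN_REASON_RENAME_NEW_NAME),
    _r(113, "2015-02-20T14:05:11", 6002, "~WRD0001.tmp", USN_REASON_RENAME_OLD_NAME),
    _r(114, "2015-02-20T14:05:11", 6002, "report.docx", USN_REASON_RENAME_NEW_NAME),
    _r(115, "2015-02-20T14:05:12", 4500, "~WRL0002.tmp", USN_REASON_FILE_DELETE),
    _r(120, "2015-02-20T14:01:05", 5002, "photo.jpg.q7pl1", USN_REASON_FILE_CREATE),
    _r(121, "2015-02-20T14:01:05", 4121, "photo.jpg", USN_REASON_FILE_DELETE),
    _r(122, "2015-02-20T14:01:05", 5002, "photo.jpg.q7pl1", USN_REASON_RENAME_OLD_NAME),
    _r(123, "2015-02-20T14:01:05", 5002, "photo.jpg", USN_REASON_RENAME_NEW_NAME),
]

if __name__ == "__main__":
    for f in find_replaced_files(SAMPLE_RECORDS):
        print(f)
```

The "renamed_back" timestamp from $J is the one to use for the encryption timeline: because the copy takes the deleted file's name within NTFS's tunneling window, the $STANDARD_INFORMATION creation time of the surviving file reverts to the original's, exactly as the post notes, so the MFT creation date will look untouched. The matcher assumes the delete of the original is journaled before the rename, which is the order described above; if a parser hands you a single close record carrying both RENAME_OLD_NAME and RENAME_NEW_NAME, the old name equals the new name and the record is simply ignored.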
davieboy27
(@davieboy27)
New Member

Thank you for your help :)

Posted : 23/03/2015 3:02 pm