CryptoLocker: I Have Been Attacked, What Should I Do?

Information about CryptoLocker, CryptoWall, Ransomware

!!! All your files are encrypted by the Crypt0L0cker virus !!! is the message left by a ransomware virus that encrypts important photos, videos, personal information and business files on users’ computers, servers, network drives, USB sticks and NAS devices, and offers to unlock them only against a ransom. If your files have one of the extensions .vvv, .ccc, .xyz, .zzz, .aaa, .ecc, .ezz, .exx, .abc, .xxx, .ttt, .micro, .encrypted, .locky, .mp3, .magic, .lol, .xtbl, .crypt, .odin, .zepto, .enc, .cerber, .cerber3, .aesir, .shit or .ae35, your system is infected. The virus also leaves a ransom note inside every folder that contains encrypted files, under names such as De_crypt_readme.html, de_crypt_readme.bmp, # decrypt MY FILES #.html, # decrypt MY FILES #.txt, dosyaları_nasıl_gerı_alırım.txt, dosyaları_nasıl_gerı_alırım.html, sıfre_cozme_talımatı.txt, sıfre_cozme_talımatı.html, _Locky_recover_instructions.txt, +REcovER+cmwnu+.txt, _HELP_instructions.html, _HELP_instructions.txt, _HELP_instructions.bmp, HELP_YOUR_FILES.PNG, HELP_RECOVER_instructions+WRITE.html, HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT and HELP_DECRYPT.URL.


Antivirus and anti-malware programs can completely remove the ransomware from your computer, but the important thing is not to remove it from the computer; it is to make your encrypted files accessible and usable again. If you remove the virus, or even format the machine, the files remain encrypted. For this reason, your priority should be recovering the files, not removing the virus.

What you should not do:

Never pay the attackers,
Do not try to remove the infection with antivirus and anti-malware programs; these programs will delete your encrypted files,
Do not run data recovery programs,
Do not restore the system or format it,
Do not delete the files created by the virus and do not change the file extensions,
Do not experiment with any software or trial tools.


What you need to do:

Immediately disconnect the device from the network and the power supply and do not use it,
To avoid this situation in the future, add the Russian language and keyboard layout to the operating system’s language options,
Some ransomware families have no known way to break their encryption. Since a solution may appear in the future, we recommend that you back up your encrypted files,
Take advantage of the support that the technical service recommends so that you do not encounter similar situations again.
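As an added example (not part of the original article), this Python script uses the extension list and ransom-note names given at the top of the page to inventory encrypted files and notes under a folder and copy them into a backup location without renaming or deleting the originals, which is the backup step recommended in the list above. The folder it runs on is constructed in a temporary directory.

```python
import shutil
import tempfile
from pathlib import Path

# Extensions the article lists as markers of encrypted files (.mp3 included).
ENCRYPTED_EXTS = {
    ".vvv", ".ccc", ".xyz", ".zzz", ".aaa", ".ecc", ".ezz", ".exx", ".abc", ".xxx",
    ".ttt", ".micro", ".encrypted", ".locky", ".mp3", ".magic", ".lol", ".xtbl",
    ".crypt", ".odin", ".zepto", ".enc", ".cerber", ".cerber3", ".aesir", ".shit", ".ae35",
}
# Ransom-note file names from the article, matched case-insensitively.
NOTE_NAMES = {n.lower() for n in (
    "De_crypt_readme.html", "de_crypt_readme.bmp", "_Locky_recover_instructions.txt",
    "_HELP_instructions.html", "_HELP_instructions.txt", "HELP_YOUR_FILES.PNG",
    "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "HELP_DECRYPT.TXT", "HELP_DECRYPT.URL",
)}

def classify(path):
    """Return 'note', 'encrypted' or None for one file, judged by its name only."""
    if path.name.lower() in NOTE_NAMES:
        return "note"
    if path.suffix.lower() in ENCRYPTED_EXTS:
        return "encrypted"
    return None

def preserve_encrypted(root, backup):
    """Copy every encrypted file and ransom note under `root` into `backup`, keeping
    the relative layout and timestamps (copy2). Originals are never renamed or deleted."""
    found = {"encrypted": [], "note": []}
    for src in sorted(p for p in root.rglob("*") if p.is_file()):
        kind = classify(src)
        if kind is None:
            continue
        rel = src.relative_to(root)
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, backup / rel)
        found[kind].append(rel.as_posix())
    return found

def demo():
    """Constructed sample tree (not real victim data); returns the inventory."""
    tmp = Path(tempfile.mkdtemp())
    victim, backup = tmp / "victim", tmp / "backup"
    samples = {"Documents/report.docx.locky": b"\x00garbled", "Pictures/notes.txt": b"ok",
               "Documents/HELP_DECRYPT.TXT": b"All your files are encrypted",
               "Pictures/holiday.jpg.ZEPTO": b"\x00garbled"}
    for rel, data in samples.items():
        (victim / rel).parent.mkdir(parents=True, exist_ok=True)
        (victim / rel).write_bytes(data)
    return preserve_encrypted(victim, backup)
```

The inventory it returns also gives you the list of affected paths to hand to a recovery service later.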


Blocking and protection

Encrypted files should essentially be considered damaged beyond repair. We recommend the following steps to minimize the impact of CryptoLocker on your system and your data; the best bet is to apply them before the system is infected. If the system is correctly prepared and secured, the risk of data loss is significantly lower than on an unprotected system.

A. Backup Your Data

The only truly effective defence against ransomware is regularly updated backups. Remember that CryptoLocker can encrypt files on mapped drives with assigned drive letters, and sometimes even on unmapped drives. These include external drives such as USB sticks and many network and cloud file storage services. For this reason, take care to disconnect the external drive or the backup service whenever a backup is not actively running.

B. Show Hidden File Extensions

CryptoLocker often arrives as a file with a double extension such as .pdf.exe. This works because Windows hides known file extensions by default. Enabling the display of full file extensions makes it much easier to identify suspicious files.

C. Filter the .exe Extensions in Emails

If your e-mail program can filter by file extension, filter out files with two file extensions (such as “*.pdf.exe”) as well as files ending in .exe, .scr, .pif or .js.
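An added example, not from the original article: a Python attachment filter implementing the rule in this section (block .exe, .scr, .pif and .js, and block double extensions such as invoice.pdf.exe, which Windows shows as invoice.pdf when known extensions are hidden). The attachment names it checks are constructed samples.

```python
# Extensions the article says to filter outright.
BLOCKED_EXTS = {".exe", ".scr", ".pif", ".js"}

def attachment_verdict(filename):
    """Return (blocked, reason) for one attachment name.
    Order of checks: a directly blocked extension, then a double extension such
    as 'invoice.pdf.exe', otherwise allowed. Matching is case-insensitive."""
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    last = "." + parts[-1]
    if last in BLOCKED_EXTS:
        return True, "executable extension " + last
    # A second-to-last segment that looks like an extension means a double
    # extension. This follows the article's rule literally, so it also
    # catches harmless cases such as archive.tar.gz; review those by hand.
    inner = parts[-2]
    if len(parts) >= 3 and 1 <= len(inner) <= 5 and inner.isalnum():
        return True, "double extension ." + inner + last
    return False, "allowed"

def filter_attachments(names):
    """Apply the verdict to a batch; returns {name: reason} for what to quarantine."""
    result = {}
    for n in names:
        blocked, reason = attachment_verdict(n)
        if blocked:
            result[n] = reason
    return result

# Constructed sample attachment names (not taken from a real mailbox). The last
# one uses padding spaces to push the real extension out of view in mail clients.
SAMPLE_ATTACHMENTS = ["Invoice_2016.pdf.exe", "photo.jpg", "statement.PDF.scr",
                      "tracking.js", "report.docx", "archive.tar.gz", "setup.pif",
                      "Fatura.pdf      .exe"]
```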

D. Do Not Open Attachments in E-mails and Messages from Contacts You Do Not Recognize; Do Not Click Through Links

CryptoLocker’s most typical mode of transmission is running e-mail attachments that appear to come from banks, cargo companies or telecom companies, or clicking on links within such e-mails. Users should be taught not to open suspicious e-mail attachments from senders they do not know and not to click on links: awareness is the defence.

E. Block File Execution from AppData / LocalAppData Folders

A notable feature of CryptoLocker is that it runs its executable from the AppData or Local AppData folder. You can create rules within Windows or in intrusion prevention systems that block execution from these locations. If a legitimate program needs to run from this location, an exception can be added to the rule.

F. Close Remote Desktop Feature

The CryptoLocker ransomware often targets machines that use the Remote Desktop Protocol (RDP) for remote connections to Windows machines. Cybercriminals are also known to attack over RDP by logging on to the machine and disabling its security software. Disabling remote access is an effective countermeasure; see the Microsoft Knowledge Base articles on disabling RDP.

G. Keep Your Applications and Updates Current

Virus writers silently infiltrate users’ systems through out-of-date software, often with known vulnerabilities. If you update your software regularly, you are protected against ransomware that infects through these known vulnerabilities. Some software makers publish their updates on a regular schedule (Microsoft and Adobe on the second Tuesday of each month), but updates are occasionally published outside of these standard times in emergencies.

H. Use a Known Security Software

Virus writers frequently release new variants to avoid detection, which is why multi-layered security is important. Even once they are inside the system, many malware families need commands from a remote server before they do any harm. If you encounter a brand-new ransomware variant that your antivirus software does not recognize, it can still be detected when it connects to its command-and-control (C&C) server to start the malicious encryption.

I. Recover Files Using the Windows Shadow Volume Copies Feature

If System Restore is enabled on the infected Windows system, you have a chance to return the machine to a clean state and to restore encrypted files from the “shadow” copies. However, malware can quickly get around this. For example, current ransomware also deletes these shadow copies to prevent files from being restored. CryptoLocker variants start deleting the shadow copies as an ordinary Windows process as soon as they are first run, and finish without any notice to users or system administrators.

Download and install the ShadowExplorer application, run it, and select a restore point dated before the infection. Right-click the file you want to recover, select Export, choose a location and save it there.

J. Use a Standard User Account Instead of an Account with Administrator Privileges

Using an account with system administrator rights always creates a security risk, because malware that runs under it infects everything with the highest privileges. Make sure users always use a limited user account for daily work and use the administrator account only when absolutely necessary. Do not disable UAC.

K. Emphasize Employees’ Security Training

The most common infection method is social engineering: tricking users, by various means, into doing something they should not do from a security point of view. Users should be informed about these methods so that they do not fall for social engineering tricks, and the training content should be updated as new attack methods appear.
