
help needed: virus "locky"


Best Answer Paronity, February 18, 2016

Enemy found and eliminated. Next step: two antivirus producers are trying to find solutions for the encryption (sent 5 encrypted files and the original ones).

 

Awesome! Who is looking at it out of curiosity?



10 replies to this topic

#1
IngeMeissel

IngeMeissel
  • Member
  • 174 posts
Operating System: Windows 7
App/Game Name: Win7 Pro

Help from anybody welcome:

Somebody in my company opened the wrong mail attachment and activated the virus "Locky".

Locky encrypts documents on all shared folders in your network/domain and renames them to xxxxxxxxxxxxxx.locky. A txt file is created in the respective folder telling you that you should open a link, where you should pay one bitcoin and will therefore get software that will decrypt your files again.

All Word files in my company are encrypted by now. I could roll back to a backup, which I will not do until I have erased that bastard (fearing that it will re-encrypt all files).

I have not found a tool yet that will find "Locky" to erase it.

Anybody who has some useful information concerning Locky, please contact me. Until we can get rid of Locky my company is thrown back to the Stone Age.

Many thanks in advance.

Regards,

Ingmar



#2
DarkerBlitz

DarkerBlitz

  • Forum Member
  • 1,114 posts

I have come across a few viruses of the sort in the past year or so. They are nasty and very difficult to get rid of. In both cases where I was trying to get rid of the virus, I ended up telling the owners of the computers that they needed to buy new HDDs, that I would reinstall Windows for them, and that anything saved locally on the computer was gone.

 

I've seen these viruses live through a format and reinstallation of Windows.

 

Viruses such as Locky are the reason I don't keep any important information, information that I cannot go without, on any of my computers, or if I do, I keep it backed up elsewhere.

 

There are many horror stories of people paying the ransom to get their files back, and the "decryption tool" they send doesn't work and the contact disappears.



#3
TrackPadGaming

TrackPadGaming

  • Member
  • The King of Stupid

  • 202 posts

This sounds like the same type of thing that happened to a company I worked for over the summer. As far as legal options go, there isn't much the cops can do about it. For removing the virus you can roll back or pay the bitcoin.

https://nakedsecurit...u-need-to-know/


Edited by TrackPadGaming, February 17, 2016.


#4
Naaackers

Naaackers

  • Staff
  • OTS FPR TJE LODS

  • 6,894 posts

That is the worst of the worst of modern-day viruses, my man. Crypto-lockers are no joke.



#5
IngeMeissel

IngeMeissel
  • Member
  • 174 posts
Thanks for your replies!

What I know so far is which user did it, which can be derived from the owner of the txt files that have been written. What needs to be done is to identify the file/script/registry entries originating the encryption; otherwise a rollback from my backup would be senseless, because I fear everything will be encrypted again.

Any help welcome.
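The two questions in the post above (which account wrote the ransom notes and the .locky files, and when it started, so the account can be locked out before a rollback) can be answered from the share itself. The script below is an added example, not code from the thread or from either antivirus vendor. It assumes a UNC path to the affected share, a ransom note name pattern (the thread only says "a txt file", so the pattern is a placeholder to adjust), a Windows 7 domain client with PowerShell, and that the NAS exposes file ownership over SMB so that Get-Acl returns a domain account rather than "unknown". The ActiveDirectory module and the domain controller name in the last two steps are likewise assumptions.

```powershell
# Added example: triage a share hit by Locky from a domain-joined Windows client.
# Assumptions (not from the thread): share path, note file name pattern, DC name.
param(
    [string]$Share       = '\\fileserver\share',            # assumed UNC path
    [string]$NotePattern = '*recover*instructions*.txt',     # assumed note name
    [string]$DomainController = 'DC01'                       # assumed DC host name
)

# 1. One pass over the share: collect encrypted files and ransom notes.
$items     = Get-ChildItem -Path $Share -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = @($items | Where-Object { $_.Extension -eq '.locky' })
$notes     = @($items | Where-Object { $_.Name -like $NotePattern })

# 2. Attribute the damage: the owner of a newly created file is the account
#    whose session wrote it, so group by owner and take the earliest write time.
$records = foreach ($f in ($encrypted + $notes)) {
    $owner = 'unknown'
    try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { }
    [pscustomobject]@{ Owner = $owner; Path = $f.FullName; Written = $f.LastWriteTime }
}
$byOwner = $records | Group-Object Owner | Sort-Object Count -Descending

'Encrypted files: {0}   Ransom notes: {1}' -f $encrypted.Count, $notes.Count
foreach ($g in $byOwner) {
    $sorted = $g.Group | Sort-Object Written
    '{0,-30} files={1,-7} first={2:u} last={3:u}' -f $g.Name, $g.Count,
        $sorted[0].Written, $sorted[-1].Written
}

# 3. Folders that hold a note but still contain unencrypted files: encryption was
#    in progress or interrupted there, so those folders are the first to re-check
#    after the account is disabled.
foreach ($n in $notes) {
    $dir    = $n.DirectoryName
    $intact = @(Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -ne '.locky' -and $_.Name -notlike $NotePattern }).Count
    if ($intact -gt 0) { "note in $dir but $intact unencrypted file(s) remain" }
}

# 4. Which PC: Kerberos TGT requests (event 4768) on the DC carry the client address
#    for the account. $firstSeen narrows the window to the start of the encryption.
$topOwner  = $byOwner[0].Name -replace '^.*\\', ''
$firstSeen = ($byOwner[0].Group | Sort-Object Written | Select-Object -First 1).Written
# Get-WinEvent -ComputerName $DomainController `
#     -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $firstSeen.AddHours(-1) } |
#     Where-Object { $_.Message -match "Account Name:\s+$topOwner" } |
#     Select-Object TimeCreated, @{ n = 'Client'; e = { ($_.Message -split "`n" | Select-String 'Client Address').Line.Trim() } }

# 5. Containment before any rollback: disable the account so the same session
#    cannot re-encrypt the restored files (needs the ActiveDirectory module).
# Disable-ADAccount -Identity $topOwner   # uncomment once the owner is confirmed
```

Steps 4 and 5 are left commented because they act on the domain controller and on a live account; run them only after the owner reported in step 2 has been confirmed. If the share is served by Samba or a NAS that does not map owners to domain SIDs, the owner column will read "unknown" and the note's parent folder plus its write time is the only attribution the share offers.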

#6
Paronity

Paronity

  • Retired
  • var Paronity = new Guru();

  • 16,885 posts

I don't have first-hand experience with Locky, but I have ample experience with all virus removal, including encryption ones.

 

How many systems are affected by it, and when did they get affected? You say you know which user did it, but does that indicate which PC they were on as well?

 

How is your network set up? Domain? Etc. Any details about that that you know would be helpful in determining next steps. Is a remote viewing session into your network possible?



#7
IngeMeissel

IngeMeissel
  • Member
  • 174 posts
The network is a domain with 19 hardware clients and 2 VMs running Win7 Professional. Files on clients are not affected, only files on shared network folders. The respective user only logs onto one single hardware client. I'm using 2 Windows Server 2008 R2 domain controllers, an Ubuntu file server for profiles, 2 Windows 2008 R2 servers for ERPs and a QNAP as a file server (which is mainly affected).

Remote viewing will be possible.

#8
IngeMeissel

IngeMeissel
  • Member
  • 174 posts

Enemy found and eliminated. Next step: two antivirus producers are trying to find solutions for the encryption (sent 5 encrypted files and the original ones).



#9
Paronity

Paronity

  • Retired
  • var Paronity = new Guru();

  • 16,885 posts
✓  Best Answer

> Enemy found and eliminated. Next step: two antivirus producers are trying to find solutions for the encryption (sent 5 encrypted files and the original ones).

 

Awesome! Who is looking at it out of curiosity?



#10
IngeMeissel

IngeMeissel
  • Member
  • 174 posts

Kaspersky, and one of my IT providers sent the files to their preferred company, which I do not remember :-(



#11
IngeMeissel

IngeMeissel
  • Member
  • 174 posts

Just for the record:

The other company was ESET.

After rolling back to my backed-up files, 8,000 out of 144,700 files are still missing because my backup system sucks.





