27
FEB
2015

CTB-Locker 3.0/Critroni

Posted By :
Comments : Off

We here at Blue Diamond Solutions strive on providing proactive support and monitoring. Over the night one of our clients just got hit with a new Revison of the CryptoLocker Virus. As always the Virus/Ransomware encrypts your files and requires you to pay them in bitcoins for your files to be released. It is still being sent via email stating that your chrome is out of date and it needs to be updated. Once you download and runt he program it begin process. Below is a screen shot of the email.

spam

The more interesting part of the virus is the fact that it no longer runs on the machine once the user starts it. The virus actually runs within the user profile, should the user log off the virus will stop encrypting files and the machine will act normally until the infected user logs back in. It does this by creating a hidden task in the Task Scheduler that runs when the user logs back in and leaves no trace on the local machine making it harder to pin point the user who downloaded the program.

Once the user has be found normal intuition would be to run Malwarebytes, or your favorite equivalent malware/virus scanner. The simplest solution we at Blue Diamond Solutions found to be is create a new user profile on the infected machine and remove the old one. Since the virus is account specific this saves time in having to recreate the user in AD and having to piont the emails to the new user. While it does take a bit of finesse, if done correctly the user’s compromise profile will no longer load up and the new profile will be created. If you are interested in how to do this here is a link on how to accomplish the task superuser.com. After which you can restore any files damaged by the program from a backup of the data.

Stay safe out there.

~Blue Diamond Solutions Engineers

About the Author
Blue Diamond Solution's WebMaster