HELP !! I got hit by Cryptolocker

Jim885

Not sure how this happened, or when I got the virus. However, while I was on this site at 7:30AM EST, I was hit. Now all my documents, pictures, etc., are encrypted and I can't open anything.

Anyone have any advice to resolve this other than paying the "ransom"?
 

To the best of my knowledge, nobody ever actually got their files back by paying the ransom. However, you may be in luck as there is a site that will provide the key for you: https://www.decryptcryptolocker.com/
Note: I got this link from the BBC, but I have no personal experience of the site in question.
 
Upvote 0
Thanks Rory. I'm trying that now, but it's taking a long time to upload one of the infected files, as the site asks for.

What I've done so far was to run my Norton antivirus. It deleted 15 infected files.
My research is showing that this trojan malware is received in one of two ways.
1.) Opening file attachments from an email (which I never do)
2.) Getting the malware from an infected site.

The only sites I visited in the last month have been this site, another excel help site, my credit card sites, home depot, my bank sites, and a hobby site that I have belonged to for 8+ years.

Anyway, back to the problem, and what I've uncovered so far ...
The ransom is $300.00
The trojan has placed three files in each of my folders.
These are two text files that tell me that all my files are now "protected" on another server with a private key, and I'm directed with procedures to pay the ransom.
The third file is a link to the website where I am to pay the ransom.
 
Upvote 0
The files infected are all my document files (pdf, excel, Word, Powerpoint, Access, etc.) and many of the picture formats.
The only picture formats that were NOT affected are gif and png.
 
Upvote 0
Seems the only and best way to deal with this trojan is to have backup files that can be reloaded onto the hard drive.

Another way, which I stumbled upon, is to right click each folder and select "Restore previous versions" from the popup menu. Then just select a previous date that is available.

This seems to be working well so far. The only thing is that I have 200+ folders and subfolders that I have to do this to. Then I have to remove each of the three files that this miserable trojan installed into each folder and sub folder.
 
Upvote 0
Well, one of the real PITAs is that I have to delete these three files that appear in EVERY folder and sub folder on the hard drive.
DECRYPT_INSTRUCTION.txt
DECRYPT_INSTRUCTION.html
and this internet shortcut
INSTALL_TOR.url

Can someone write a vba code that can delete these three files from every folder / sub folder, please?

This would go a long way to fix this problem for me and anyone who encounters this malware.
 
Upvote 0
Try this:
Code:
Public Sub Delete_Files()
    Delete_Files_In_Folder "C:\"
End Sub


Private Sub Delete_Files_In_Folder(folderPath As String)

    Static FSO As Object
    Dim thisFolder As Object, subfolder As Object
    Dim folder As String
    
    If FSO Is Nothing Then Set FSO = CreateObject("Scripting.FileSystemObject")
    
    Set thisFolder = FSO.GetFolder(folderPath)
    folder = thisFolder.Path
    If Right(folder, 1) <> "\" Then folder = folder & "\"
    
    'Ignore errors: a file may not exist, and protected system folders
    'raise "Permission denied" when their subfolders are enumerated
    On Error Resume Next
    FSO.DeleteFile folder & "DECRYPT_INSTRUCTION.txt", True
    FSO.DeleteFile folder & "DECRYPT_INSTRUCTION.HTML", True
    FSO.DeleteFile folder & "INSTALL_TOR.URL", True
    
    'Delete files in subfolders (unreadable folders are skipped)
    
    For Each subfolder In thisFolder.SubFolders
        Delete_Files_In_Folder subfolder.Path
    Next
    On Error GoTo 0

End Sub
 
Upvote 0
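
Added example (not part of the thread and not any poster's code): the same cleanup in Python, with a dry-run mode that lists the three note files before anything is deleted and records unreadable folders instead of stopping. The function name `clean_ransom_notes` and the sample folder tree are constructed for illustration; the three file names are the ones given in the thread.

```python
import os
import tempfile

# File names from the thread; compared in lower case because Windows
# file names are case-insensitive.
RANSOM_NOTES = {"decrypt_instruction.txt", "decrypt_instruction.html",
                "install_tor.url"}


def clean_ransom_notes(root, dry_run=True):
    """Find the three note files under root and optionally delete them.

    Returns (found, deleted, errors); errors holds (path, message) pairs.
    """
    found, deleted, errors = [], [], []

    def on_walk_error(exc):
        # Unreadable folders are recorded, not fatal.
        errors.append((exc.filename, str(exc)))

    # os.walk does not follow symlinks or junctions by default.
    for folder, _subdirs, files in os.walk(root, onerror=on_walk_error):
        for name in files:
            if name.lower() not in RANSOM_NOTES:
                continue
            path = os.path.join(folder, name)
            found.append(path)
            if dry_run:
                continue
            try:
                os.remove(path)
                deleted.append(path)
            except OSError as exc:
                errors.append((path, str(exc)))
    return found, deleted, errors


if __name__ == "__main__":
    # Constructed sample tree so the example runs offline.
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Documents")
        os.makedirs(sub)
        for name in ("DECRYPT_INSTRUCTION.txt", "INSTALL_TOR.url", "budget.xlsx"):
            open(os.path.join(sub, name), "w").close()
        found, _, _ = clean_ransom_notes(root)            # list only
        _, deleted, errors = clean_ransom_notes(root, dry_run=False)
        print(len(found), "found,", len(deleted), "deleted,", len(errors), "errors")
```

Run it with `dry_run=True` first and review the `found` list; files that do not match the three names exactly are never touched.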
Thanks. I'm going to use this. I was able to recover my files except for a few that I created in the last 2 days.
I'm still seeing remnants of this trojan on my computer, so I'm going to back up my files now that I was able to recover them, and while they are intact.

I'll get back to you in a day or so ... It might take that long to fix this. So far, I've wasted nearly 5 hours of my life on this. But it's better than the $300 ransom they are asking for.
 
Upvote 0
Seems the only and best way to deal with this trojan is to have backup files that can be reloaded onto the hard drive.

A file that isn't backed up doesn't exist :)
 
Upvote 0
It's turning out worse than I thought. I lost hundreds of files that weren't automatically backed up by the system. Fortunately, I do have a backup disc of these files. But it will take some time to recover those files from the disc. The last backup I did onto discs was in June.

The good news is that I was able to get almost every file back that I have in my vba library. The only exceptions were the few files I developed during the past few days. But I was able to research that and recreate them.

The other good news is that there is a way to beat the CryptoLocker RSA - 2048 trojan. But it isn't easy or quick.

I also remembered that I was on the dreaded 'CraigsList' within the past two weeks. I hear that site could be prone to viruses ... So, I may have got the trojan from that site. I'll never know ... But all I do know is that I was hit at 7:35 AM today. And it happened fast.

John_w,
Thanks very much. Your code saved me hours!
 
Upvote 0
