Som Posted October 9, 2014 Came across a computer today that has an interesting new virus, a new variant of Critroni. At first I thought it had simply added the extension .CTB2 to documents & pictures on the computer, but unfortunately it also encrypts the files unless you pay. No word on how to decrypt the files at the moment (although if anyone knows, please tell me). I have the lovely task of telling my customer now that years of personal files are unrecoverable... bugger.
Arachno 1D Posted October 9, 2014 Nasty. Looks like more variations on the same theme as last time.
Hum Posted October 9, 2014 There is some alleged 'remover' download here: http://www.pcrisk.com/removal-guides/8120-your-personal-files-are-encrypted-virus

Quoting the guide: "Note: at time of writing, there were no known tools capable of decrypting files encrypted by Critroni without paying the ransom. By following this removal guide, you will be able to remove this ransomware from your computer; however, the affected files will remain encrypted. We will update this article as soon as there is more information available regarding decryption of compromised files. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Critroni files. To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on the infected operating system. Note that some variants of Critroni are known to remove Shadow Volume Copies of the files, so this method may not work on all computers. To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button."

I don't know if it is genuine or safe. I would use a lot of caution -- test it somehow before trying it.
Dan~ Posted October 9, 2014 I had this on my work HP machine the other day; pain in the butt. You can try right-clicking on the files and using Previous Versions to get files back, but that was disabled on my PC. The "good" thing about this is hopefully kicking people into doing backups of their PC. Thankfully the data on my work machine was pretty much useless, so I never backed it up.
witalit Posted October 9, 2014 Ouch, sounds like a nasty bit of software... and at the same time very clever. These guys must make a decent amount from all this. Maybe they use a different address for each PC, as the bitcoin address in the article hasn't received anything - https://blockchain.info/address/8f4eac149b30bf84fa73dc01af72f6d79bcd51f7
cork1958 Posted October 9, 2014 Any idea on where it comes from or how it gets into the computer in the first place? Hopefully not just from some infected ad being displayed or something.
+Warwagon (MVC) Posted October 9, 2014 Quoting cork1958: "Hopefully not just from some infected ad being displayed or something." It could very well happen. Sandboxie FTW.
LimeMaster Posted October 9, 2014 Quoting cork1958: "Any idea on where it comes from or how it gets into the computer in the first place? Hopefully not just from some infected ad being displayed or something." The links posted above claim that they come from spam e-mail attachments. So as long as you use common sense, you should be fine.
Dinggus Posted October 9, 2014 Quoting Warwagon: "It could very well happen. Sandboxie FTW." You view websites in Sandboxie?
Max Norris Posted October 9, 2014 Quoting Dinggus: "You view websites in Sandboxie?" Totally doable, sure -- no matter what browser you're using, it's sandboxed. Hit a naughty site/advertisement that tries to exploit a vulnerability in the browser or a plugin, download a not-so-nice extension, etc. etc., and it's contained. Also good when you're the type that downloads random stuff without thinking. You'd wind up with a bunch of encrypted files in the sandbox, meanwhile the originals are still safe in the real file system. Flush the sandbox and continue on your way. Set up my daughter's system to do that, as she's not supposed to be downloading stuff anyway; also set it up on my one neighbor's machine, he's got a habit of installing stuff "because the nice website told him to", and I haven't had to deal with problems on his since.
Som (Author) Posted October 9, 2014 Quoting Hum: "There is some alleged 'remover' download here: http://www.pcrisk.com/removal-guides/8120-your-personal-files-are-encrypted-virus Note: at time of writing, there were no known tools capable of decrypting files encrypted by Critroni without paying the ransom. By following this removal guide, you will be able to remove this ransomware from your computer; however, the affected files will remain encrypted. We will update this article as soon as there is more information available regarding decryption of compromised files. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Critroni files. To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on the infected operating system. Note that some variants of Critroni are known to remove Shadow Volume Copies of the files, so this method may not work on all computers. To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button. I don't know if it is genuine or safe. I would use a lot of caution -- test it somehow before trying it."

Good idea; I reinstalled Windows before I even knew it had a virus though, so that wouldn't work. Sucks for the owner really. Most spyware/malware I've come across over the years is just annoying, but this is something different.
Midnight Mick Posted October 9, 2014 If Win7 or above, try ShadowExplorer to recover original files.
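The guide quoted above and the ShadowExplorer suggestion both depend on shadow copies still existing for the affected volume, and on those copies predating the encryption. As an added example, not from the guide or any poster, this PowerShell script counts the files carrying the .CTB2 extension under a folder and then lists the volume's shadow copies, flagging which were taken before the first encrypted file was written. It assumes PowerShell 3 or later on Windows 7+, an elevated prompt, and placeholder values for $Root and $Extension.

```powershell
# Added example, not from the thread: triage one volume before trying
# Previous Versions or ShadowExplorer. Assumes PowerShell 3+ on Windows 7 or
# later and an elevated prompt (Win32_ShadowCopy needs administrator rights).
param(
    [string]$Root      = 'C:\Users',   # folder to scan (assumed placeholder)
    [string]$Extension = '.ctb2'       # extension reported in the thread
)

# 1. Scope: how many files carry the ransomware's extension, and where?
$hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension }   # -eq is case-insensitive
"{0} files with extension {1} under {2}" -f @($hits).Count, $Extension, $Root
$hits | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Earliest write time among the encrypted files: roughly when encryption began.
$firstHit = ($hits | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime

# 2. Shadow copies: Previous Versions and ShadowExplorer both read from these,
#    so if the malware deleted them there is nothing left to restore from.
$driveLetter = (Get-Item -LiteralPath $Root).PSDrive.Name + ':'   # e.g. 'C:'
$volume  = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object { $_.VolumeName -eq $volume.DeviceID } |   # volume GUID path
           Sort-Object InstallDate

if (-not $shadows) {
    "No shadow copies exist for $driveLetter - Previous Versions cannot restore these files."
} else {
    foreach ($s in $shadows) {
        # A snapshot taken after encryption started holds encrypted copies too.
        $note = if (-not $firstHit) {
                    "no $Extension files found under $Root to compare against"
                } elseif ($s.InstallDate -lt $firstHit) {
                    'predates first encrypted file (worth restoring from)'
                } else {
                    'taken after encryption began (likely holds encrypted copies)'
                }
        "{0:yyyy-MM-dd HH:mm}  {1}  {2}" -f $s.InstallDate, $s.DeviceObject, $note
    }
}
```

Run it against a copy or an offline image where possible; it only reads, but a live infected machine may still be encrypting.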
+Warwagon (MVC) Posted October 9, 2014 Quoting Dinggus: "You view websites in Sandboxie?" Yes I do, and have been doing it for the last 7 years on all my machines. :D
LaP Posted October 9, 2014 Don't really care. Do a fresh backup of my files every night and do a new system image once a week.
cork1958 Posted October 10, 2014 Quoting Warwagon: "Yes I do, and have been doing it for the last 7 years on all my machines. :D" Not nearly as paranoid as you, and probably don't visit some of the sites you must be viewing, but from what I've seen of doing things in a sandbox, I think I'll just stick with common sense, a good hosts file and adblockers. Besides, if, as one poster says, this comes mainly from e-mail attachments, I don't think I have anything to worry about. I do backups often enough also that I'm not that paranoid. ;)
Dick Montage Posted December 11, 2014 Quoting Som: "I have the lovely task of telling my customer now that years of personal files are unrecoverable" But thankfully their backups are :)