
On July 13, 2012, the group breached the World Health Organization (WHO) and PBS, releasing a pastebin post containing 591 plain-text usernames and passwords from the WHO attack; the PBS material was mostly database information, plus roughly 1,000 emails and passwords. On July 16, the group breached ASUS (ASUSTeK Computer Inc.). In August 2012 the group targeted several universities in the United Kingdom, including Cambridge, releasing a pastebin post containing 23 administrator usernames and hashed passwords. In September, the group claimed on its Twitter account to have taken control of eight servers run by the entertainment corporation Sony.

CryptoLocker is ransomware that encrypts your documents and demands a payment to restore them. It keeps persistence by having two processes re-spawn each other when one is killed, and by restoring its RUN/RUNONCE registry values. Those processes are responsible for crawling the hard drives (and USB drives as well) to search for new files to encrypt, and for displaying the ransom web pages that collect your payment information (following capture). A simple analysis with DiffView shows that it stores the list of encrypted files in a registry key. We can also see the persistence RUN values, used to restart the infection at boot.

OS: Microsoft Windows XP Professionnel Service Pack 3 (x86)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce : *CryptoLocker ("C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : CryptoLocker ("C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\\Count : HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\gvtml\Ohernh\EX_Dhnenagvar\Zcsdyitfmnkaaao.rkr (System.Byte)
HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files
HKEY_CURRENT_USER\Software\CryptoLocker_0388
C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe

Simply scan your computer with RogueKiller and remove the registry values. Unfortunately the encrypted files cannot be decrypted.
