Still Checking the Forum Out
Registered: 1459910911 Posts: 5
#16
So far we have not found any way to unlock the encrypted files, crypto lock, crypto whatever. Once they are locked, they are gone. I would never attempt to just "clean" this from a client's PC; fdisk, format and reload. We tried the site that was to have been from the servers that the FBI and KGB set up when they arrested the first round of this junk in Russia. You could send a file to them and they would send a key if it was on one of the servers. It was for real, no money involved, but we never got any keys; it always said could not open. I have found that if Shadow Copy is running on a Win7 box, some versions do not encrypt the copy, so it is always worth a look before you wipe the hard drive. Some PCs have it running and some do not. Once the box is reloaded it is good to set the Volume Shadow Copy to Automatic and start the service.
What I have found / figured out.... could be wrong, but when a workstation gets the crypto lock and locks the user's files and any they have rights to on the server, the files are not infected, just encrypted. You can delete them and restore from backup without fear of the server being "infected". But that is just what I have found, do at your own risk.

For customers that do not have a server, I have started getting a second hard drive in their PC. I set up Win backup to the second HD, so for the locker only do MS Office files and pictures. So the Windows backup file has been safe. Then I set up an Xcopy (just can't let it go) to run every night to a folder on the second hard drive. The user has an icon on their desktop, "Check Backup", which points to the MyDocs\Outlook Files folder. I tell them to make sure the date is current on the PST file; if so, most likely the other files are copying also. I have a program that closes Outlook 5 minutes before the Xcopy runs.

The safety here is that the folder that I copy to has Security set to where the logged-in user cannot write to the folder, "Write = Deny". I have Task Scheduler set to run the xcopy batch file as another user that has Full Rights to the folder, and run even if they are not logged in. This has worked a couple of times already. I still wipe the OS hard drive and change Permissions on the files before I restore, but it works. So between the 2 different backups, we have a better chance. The trick is to have it automated; you know the user will not back up. Hope this helps, and nice to see the site back up.

__________________
Keep LOOkin UP! Michael Joshua 1:8
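One way to script the deny-write backup folder and scheduled Xcopy described in the post above, as an added example that is not the poster's own script. The drive letter, folder names, the local accounts alice (everyday user) and bkupsvc (task account), the task name and the 23:00 start time are all assumptions.

```batch
@echo off
rem Added example, not the poster's script. Run once from an elevated prompt.
rem Assumptions: E: is the second hard drive, "alice" is the everyday user,
rem "bkupsvc" is an existing local account used only by the scheduled task.
setlocal
set "SRC=C:\Users\alice\Documents"
set "DEST=E:\NightlyCopy"
set "TOOLS=C:\BackupTools"
set "DAILY_USER=%COMPUTERNAME%\alice"
set "TASK_USER=%COMPUTERNAME%\bkupsvc"

if not exist "%DEST%" mkdir "%DEST%"
if not exist "%TOOLS%" mkdir "%TOOLS%"

rem Backup folder: drop inherited ACEs, give the task account full control,
rem let the everyday user read (for the "Check Backup" icon) but not write.
icacls "%DEST%" /inheritance:r
icacls "%DEST%" /grant "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "%TASK_USER%:(OI)(CI)F" "%DAILY_USER%:(OI)(CI)RX"
icacls "%DEST%" /deny "%DAILY_USER%:(OI)(CI)(WD,AD,WEA,WA,DE,DC)"

rem Script folder: the batch file runs as bkupsvc, so the everyday user
rem must not be able to edit it.
icacls "%TOOLS%" /inheritance:r
icacls "%TOOLS%" /grant "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "%TASK_USER%:(OI)(CI)RX"

rem The task account needs read access to the source documents.
icacls "%SRC%" /grant "%TASK_USER%:(OI)(CI)RX"

rem Write the nightly batch file. /D copies only files newer than the
rem existing copy, /E includes subfolders, /C continues past locked files,
rem /I treats the target as a folder, /H includes hidden files, /Y overwrites.
> "%TOOLS%\nightly_copy.cmd" echo @echo off
>> "%TOOLS%\nightly_copy.cmd" echo xcopy "%SRC%" "%DEST%\Documents" /D /E /C /I /H /Y

rem Run it every night as the task account; /RP * prompts for that account's
rem password so the task can run when nobody is logged in.
schtasks /Create /TN "NightlyCopy" /TR "%TOOLS%\nightly_copy.cmd" /SC DAILY /ST 23:00 /RU "%TASK_USER%" /RP * /F
endlocal
```

The deny entry only holds while the everyday user is not a local administrator, since an administrator can rewrite the ACL. Because xcopy overwrites the previous copy, a file encrypted in place before the nightly run replaces its good copy, so this copy does not stand in for a versioned backup.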
Registered: 1454887308 Posts: 598
#17
"Once they are locked, they are gone." That's the most important fact in your post. If backups haven't been done prior to it being encrypted, it's done; the owner is done & the PC or server is done.