Cryptolocker - Looking for Samples

Discussion in 'Malware Help (A Specialist Will Reply)' started by rjordan, Dec 24, 2013.

  1. rjordan

    rjordan Private First Class

    Hey guys.

    I have been tasked with troubleshooting and providing training guides for successfully removing the Cryptolocker type of infections.

    We are needing specifically the Cryptolocker one to see how it interacts with our current disk encryption programs that are used on our clients' computers.

    I have been searching around for samples of the Cryptolocker virus, but all I can find is preventing and general removal information.

    I am needing an actual copy of it to infect on a VM and tinker with it.

    Any chance you guys could point me in the right direction to obtain a copy of this?

    Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not currently have any samples of this although I was told by some friends experimenting with this that they easily ran into it on some porn sites.

    Note: To the best of my knowledge, there are no known fixes for this due to it being unique for every PC. Even major antivirus companies have admitted there is no cure. For one example, a recent article from Sophos

    http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
     
    Last edited: Dec 24, 2013
  3. rjordan

    rjordan Private First Class

    Thanks for the response.

    Sadly, those types of sites are blocked within our systems here so I cannot just browse around.

    I have been trying to click on ads and download all the junk programs from suspicious sites, but so far no luck. Not even a simple ZeroAccess yet....

    I have been reading up on all those articles, and I have also found several that mention file recovery via volume shadow copy and possibly system restore.

    Since our clients have a lot of critical information, I am trying to hammer out some methods to try and recover any of the data any way we can, whether it is from the VSS, Sys Restore, win7pe boot disc... Etc

    Removing the actual infection itself is not too difficult, but recovering the data is what I need to try and focus on.


    If you happen to get a sample for it, or know someone who does, could you please contact me?

    Really appreciate everything ya guys do here.
     
  4. rjordan

    rjordan Private First Class

    Update -

    Started downloading as much random stuff as I could find from weird URL sites. Even opened up a spam email account and clicked all those bad links, opened a ton of .exe files and what not...

    Still could not get *any* type of actual infections. Tons of bloatware sure but nothing major...

    So I began googling around for "cryptolocker samples", "zeroaccess samples" and "GIVE ME A DAMN VIRUS"...

    Managed to find a bunch of sites like MDL and others that provide direct downloads to the infected files.

    After about 30-40 tries of running these infected files, rebooting, etc...

    I am still infection free. No ZeroAccess, no cryptolocker, no fake AV, no IS2014... NOTHING.

    Simply amazed at how hard this is proving to be to intentionally infect a completely fresh Win7 OS install with tons of Updates to do, ALL built-in AV and firewalls turned off, using IE with as many settings changed to make the browser vulnerable...



    Any idea as to *what* I am missing here? How do people get infected so easily?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the goal of your company is to work on this infection then your company will need to allow you to have direct access. Intermediate hardware firewalls and other software will inhibit your ability to get the infections downloaded and fully installed. They need to be able to phone home too.


    Although I have found that I need to go out of my way to actually get an infection ( that is, like you were saying, disable all protection including hardware and software firewalls ) and use non-updated software...etc , it should be possible to get the infection. But as noted above, your company protection is possibly inhibiting your ability to do the research required.


    I have a bunch of infected source files for ZeroAccess if you want some of those.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. rjordan

    rjordan Private First Class

    Ah that does make sense. While the AV and protection on the VM itself have been removed, the actual network still has the protection in place. I was hoping a lot of those types of infections would still dump all the reg entries/files onto the PC without a valid connection to phone home with.

    The testing I am doing is kind of a special side-project. The company itself handles the network infrastructure on a corporate level with the offices who have access to making those sort of changes several states away. Not to mention all of the corporate red tape needed to go through to get what I need haha. Plus mention "Hey I need the firewalls removed so I can download viruses" to the big wig suit and tie....

    I may need to bring a copy of the VM and do it from home perhaps...

    Yea, ZeroAccess is pretty basic and easy to remove with the exception of the Google Desktop ZeroAccess type. That one I have found can be a bit of a pain due to the nulled out reg entries but still not too difficult.
    Not surprising if "it is dying" haha.

    I have still seen a steady flow of those types of issues here at work. Although I have begun seeing a new type of it that hijacks Internet Explorer (which is required for our clients to use for our software/websites :banghead ) and causes all of the settings to remove file downloads and basically remove as much built in security as it can. Doing a Reset IE only causes this to switch it to those settings initially haha.



    TLDR:
    Can't change work firewall protocols, will try from home.
    It may say ZeroAccess is dying, but I still see it all the time plus new types
    Yes I would love to get copies of any ZeroAccess files you may have, plus any other forms of current viruses as well!

    As always, thanks for the responses!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    RogueKiller and Hitman Pro easily take care of this one.

    I really do not like posting infected attachments here in a public forum, but if you give me an email address where you would like them to be sent, I will email a few to you. Just remember that it is possible that your protection software/firewall may block them so it will need to be to an email address where you have more control.
     
  9. rjordan

    rjordan Private First Class


    Please remove this after you get it =]

    Can't PM until I hit 50 posts heh
     
    Last edited by a moderator: Dec 26, 2013
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first batch is on the way. Have to break up into a few emails.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tried second batch. In the meantime already had a return response that delivery to your address has failed.
     
  12. rjordan

    rjordan Private First Class

    Awesome.

    Look forward to playing around with them =]

    A lot of the virus removal we do here has to be done manually due to our software that is sometimes flagged, and some of the front line techs simply "remove all" after a scan...

    Plus some programs due to licensing do not allow us to use the software at all.

    Which of course has prompted me to go through and manually create some programs to ease things along as well as training guides and materials on how to remove specific viruses.

    For example, I recently created a small utility that restores windows services after removing a ZeroAccess that removes BFE, BITS, Mpssvc, Win Wupdates, Security Center...

    I will send you a copy if you like, but I am sure you guys probably have just about everything here haha
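    The post above describes a small utility that puts back the Windows services a ZeroAccess removal leaves disabled (BFE, BITS, MpsSvc, Windows Update, Security Center). The script below is an added example of that kind of check, not rjordan's utility or anything from this thread. It assumes the standard service names for those components (wuauserv for Windows Update, wscsvc for Security Center), an elevated prompt, and PowerShell 3.0 or later; the "expected" startup types are assumed defaults and should be confirmed against a clean machine of the same OS build before the -Repair switch is used.

```powershell
# Added example: audit, and optionally restore, the core services that the
# thread reports as disabled after a ZeroAccess infection. Run elevated.
# Usage:  .\Check-CoreServices.ps1           # report only
#         .\Check-CoreServices.ps1 -Repair   # re-enable and start what is disabled
param([switch]$Repair)

# Assumed default startup types (verify against a clean build of the same OS).
$expected = @{
    'BFE'      = 'Automatic'   # Base Filtering Engine; Windows Firewall depends on it
    'MpsSvc'   = 'Automatic'   # Windows Firewall
    'BITS'     = 'Automatic'   # Background Intelligent Transfer; Windows Update uses it
    'wuauserv' = 'Automatic'   # Windows Update
    'wscsvc'   = 'Automatic'   # Security Center
}

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = foreach ($name in $expected.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $key = Join-Path $svcRoot $name
    # The thread mentions "nulled out" registry entries, so look at the key
    # itself and not only at what the Service Control Manager reports.
    $keyPresent = Test-Path $key
    $startVal   = $null
    $imagePath  = $null
    if ($keyPresent) {
        $props     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $startVal  = $props.Start        # 2 = Automatic, 3 = Manual, 4 = Disabled
        $imagePath = $props.ImagePath
    }

    [pscustomobject]@{
        Service     = $name
        KeyPresent  = $keyPresent
        Start       = $startVal
        ImagePath   = $imagePath
        Status      = if ($svc) { $svc.Status } else { 'Missing' }
        Expected    = $expected[$name]
        NeedsRepair = (-not $keyPresent) -or ($startVal -eq 4) -or (-not $svc)
    }
}

$report | Format-Table -AutoSize

if ($Repair) {
    foreach ($row in ($report | Where-Object { $_.NeedsRepair })) {
        if (-not $row.KeyPresent) {
            # A deleted service key needs its full definition (ImagePath,
            # dependencies, ServiceDll) from a known-good export; do not guess it.
            Write-Warning "$($row.Service): service key missing, restore it from a clean export"
            continue
        }
        Set-Service -Name $row.Service -StartupType $row.Expected
        Start-Service -Name $row.Service -ErrorAction Continue
        Write-Host "$($row.Service): startup set to $($row.Expected) and service started"
    }
}
```

    Run it without -Repair first and compare the Start and ImagePath columns with a clean machine: a Start value of 4, a missing key, or an ImagePath that does not point at the expected system binary is what the manual cleanup would otherwise have to find by hand.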
     
  13. rjordan

    rjordan Private First Class

    Could very possibly be due to email filters blocking them from being received...

    Maybe zip them and encrypt it so the email filtering cannot scan inside of the archive?


    Or is it saying the actual domain name?

    removed email addr

    or

    removed email addr

    (I know this one will not receive .exe files and what not)
     
    Last edited by a moderator: Dec 26, 2013
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It just states
    The files are already in compressed formats. Some rar, some zip, some 7z
     
  15. rjordan

    rjordan Private First Class

    Yea, only problem is most email domains will scan inside the archive, and if it contains a .exe and what not it will reject it.

    Using the same trick that CryptoLocker does to bypass that is to encrypt the archive and set a password so the email provider cannot scan and see the .exe inside haha
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of these, if not all, should already be password protected.
     
  17. rjordan

    rjordan Private First Class


    Weird, not sure what could be causing it then...

    I could give you an FTP to upload them to instead if you would be willing?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I tried a single file which is password protected but I also added a .txt file extension to it. Let's see what happens with it.

    Password = infected

    I can send to an FTP server if you wish
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I see the renamed file got thru. Let's try another.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  21. rjordan

    rjordan Private First Class

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Enjoy. :)
     
  23. rjordan

    rjordan Private First Class

    Chaslang,

    I have gone through and set up a brand new Win7 SP1 on a VM. Disabled all protection, even went and put the entire laptop directly into the DMZ to ensure no router protection...

    Is that Cryptolocker type sample a fully functional version?
    It appears to run and even dumps a couple reg entries and a msunet.exe into the AppData\Roaming\Microsoft\ location and runs with userinit.exe on login...

    But other than that it has not done anything at all so far...

    Maybe it does not work so well on a VM?

    Just cannot believe how difficult it has been to try and get this running...

    Also, fun fact I found out that might be of interest...

    When I first went to run the sample, I got an error saying it required .NET Framework 4.0 or higher.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I believe it checks to make sure it is not running on a VM first.

    They have to program it with something. ;)
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With some additional reading I found that it probably can be made to run on a VM by renaming the below key

    HKLM\Hardware\ACPI\DSDT\VBOX__

    to anything other than VBOX.
     
  26. rjordan

    rjordan Private First Class

    Just checked that reg key, nothing is listed under there at all.

    I am just gonna simply put it directly onto my laptop.

    Not too hard to reformat it haha
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you mean nothing was under the VBOX__ key or that you did not find the VBOX__ key? If the latter, perhaps a search for VBOX would have revealed it was somewhere else..
     
  28. rjordan

    rjordan Private First Class

    No dice.

    Using Volume Shadow Copy is unreliable at best and is not always available.
    I was able to "recover" small bits of data, but there was no discernible pattern into why I was able to recover some parts but not the others

    Plus, usually these CryptoLockers come with ZeroAccess and IS2014, and when you combine those, 8 Windows Services end up being disabled to further make the system vulnerable to even more issues, restore points are wiped, System Protection is turned off and next thing ya know, the "previous versions" of files are no longer available.

    I tried testing a theory I saw somewhere in a single comment on.. somewhere... About using Google Picasa to open the files and then re-save them to another location. It was reported as being a successful way to bypass the encryption and then re-create the file itself.
    When I tried testing this, most files would simply be unavailable, or would crash/hang the program and/or Explorer itself.
    So that is another thing to rule out.

    In conclusion, the virus itself is very simple to remove and is really quite basic. Was not even much of a challenge for me to hunt it down manually and restore/remove the infection. Reformatting isn't needed that much either, although for peace of mind I can imagine why most EU will immediately jump to being alright with a reformat.
    While removing the infection is pretty easy, recovering the encrypted data it would seem is impossible. I had high hopes of trying a few different things, but sadly nothing panned out the way I was hoping.
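    The post above finds that the "previous versions" route is unreliable because shadow copies get wiped and System Protection is switched off. The read-only script below is an added example of how to audit whether that route is still available on a given machine before time is spent on it; it is not from the thread. It assumes an elevated prompt, PowerShell 3.0 or later (for the CIM cmdlets and [ordered]), and the standard Windows service names VSS (Volume Shadow Copy) and swprv (Microsoft Software Shadow Copy Provider).

```powershell
# Added example: check whether Volume Shadow Copy / System Protection can still
# serve "previous versions" on this machine. Read-only; run elevated.
$result = [ordered]@{}

# 1. System Restore disabled by policy? DisableSR = 1 turns it off.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$disableSR = (Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
$result['SystemRestoreDisabledByPolicy'] = ($disableSR -eq 1)

# 2. Are the services the shadow copy machinery needs still enabled?
#    Win32_Service is used because StartMode is available on every PS version.
foreach ($name in 'VSS', 'swprv') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    $result["Service_$name"] = if ($s) { "$($s.State) / $($s.StartMode)" } else { 'Missing' }
}

# 3. Shadow copies per fixed volume. Win32_ShadowCopy.VolumeName and
#    Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form, so they match.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
$result['ShadowCopyCount'] = $shadows.Count
$volumes = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType=3' |
           Where-Object { $_.DriveLetter }
foreach ($v in $volumes) {
    $mine   = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID })
    $newest = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
    $text   = "$($mine.Count) shadow copies"
    if ($newest) { $text += ", newest $($newest.InstallDate)" }
    $result["Volume_$($v.DriveLetter)"] = $text
}

# 4. Restore points (Windows PowerShell only; silently empty elsewhere).
$result['RestorePointCount'] = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count

# 5. Verdict: previous versions need at least one shadow copy and an enabled VSS service.
$vssOk = $result['Service_VSS'] -notmatch 'Disabled|Missing'
$result['PreviousVersionsWorthTrying'] = ($shadows.Count -gt 0) -and $vssOk -and -not $result['SystemRestoreDisabledByPolicy']

[pscustomobject]$result | Format-List
```

    If the verdict is false, the output already shows why (no shadow copies, VSS disabled, or System Restore turned off), and the team can go straight to backups instead of the hit-and-miss recovery the post describes. `vssadmin list shadows` from an elevated command prompt gives the same shadow copy list as a cross-check.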
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes all things we in the malware removal forums know. ;)

    You may want to get yourself a login here > [edit] Link Removed [/edit]

    You may find it helpful for things you are trying to learn about. Don't want to keep the above link around so let me know when you have saved it. Don't want hackers to know about it.
     
    Last edited: Jan 9, 2014
  30. rjordan

    rjordan Private First Class

    Got it, thanks!

    Shame, the site is blocked here at work :(

    Looks like my research will end up being extra credit heh
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes more than likely due to all the malware related discussions and malware sample files that are present.
     