
YAcryptolockerT: A beloved patriot in the armor (PSA)

PliotronX

Diamond Member
So at a large client it was perfect, or so I thought: the SRP we put in place via GP minimized risk of damage from a CL infection. Apparently the guy who implemented the GPO only applied it to an OU for redeployed PCs, and guess what. Yeah, some guy's dad declined redeployment to stick with 7 and opened a convincing email attachment. So started a recovery and damage assessment process. He had network mapped drives, so the unmolested backups will set them back two days of productivity, and not only that, but for this guy's PC we had hauled in, someone thought they were doing well by running Malwarebytes. Anyhow, for the PSA bit: as soon as the CL window pops up, I think it's best to hold down the power switch for four seconds because (a) writes decrease chances of recovering deleted originals and (b) newer variants execute a destruction of volume shadow copies that would easily recover a lot of data.


Just when I thought this wasn't a problem any longer, now I might have to reinfect and help to pay the ransom over the weekend. Those diabolical geniuses have my reluctant respect.
 
I hope not too, this thing is admirably scary, but as it turns out the guy who held out on redeployment in November almost punched my boss over it back then, so now he took the now redeployed (8.1!) PC back to prove a point. They had wasted too much time getting it in, so it far surpassed the 72-hour window; therefore ransom went up to two grand. It had also endangered server shares, so because of some guy hating on 8 (more than myself LOL) a large company's files were threatened. Moral is: if you don't know much about computers or think you know about them like this guy (running Malwarebytes and complicating matters), let your IT crew do what needs to be done.
 