Original Cryptolocker Ransomware Support and Help Topic

I have client who had this happen yesterday afternoon. Waiting to the suspect PC to come in for inspection/troubleshooting. The files that got 'encrypted' were on a network share and used by several folks. It doesn't appear the infection hit the other PCs and they are pulling the files from backups. Will be happy to find out more information about this and will share any info I find.

It also appears the link in the "Here are the files..." line references "http://viewfiles/ " which means it has the list kept local.

Same thing here. A user got the same popup and a bunch of files on her network mapped drives have been altered. Big pain. Restoring files now but some were changed and not others so it's going to take a while to figure this one out.

Am on the phone with Trend now seeking help.

This client had Trend Micro WFBS too... Older version because they have a couple Win2000 machines on the domain but definitions were up to date. I have the suspect PC on my bench now and lots of crapware on this thing...

Same here, client infected. May try this approach: http://www.bleepingcomputer.com/virus-removal/remove-everything-on-your-computer-has-been-encrypted

Let me know if this works... The encrypted files are on a server but the suspect machine has been pulled from the network.

Just got off the phone with Trend. I sent them a copy of the "encrypted" files and also the original plus the infected exe file from the client PC so they can attempt to work out the private key.

I downloaded the program from your link and it did not fix the changed files.

I won't get a chance to tackle it until tomorrow morning, but if I can fix it, I will certainly post my findings. 

Our infected workstation is a very clean Windows 7 virtual workstation. We restored all the damaged files from backup and got the client up and running. I have saved a snapshot of the workstation to troubleshoot the actual infection (even though we don't need to). However I don't know where to start.

It's a real pain this one. We are restoring from backup now but there are still files which will have changed which we wont get back. Hopefully trend get back to me with a way to decrypt the files.

No updates here. Still restoring files from backup. I have a case escalated with Trend so I will post as soon as I hear back.

I would not recommend paying the ransom.

Yes definately best not to pay. For one I would not trust having the infected machine on the network manipulating your files again. Second, you never know what you are funding.... terrorism etc....