Had a lot of issues with a virus called CryptoLocker.

A scary piece of work. Usually it is only discovered because staff start to find that files are full or rubbish which is because the virus has encrypted the files.

The virus remains silent until its job of encrypting the files is done then it pops up on the infected machine with the following notification.

“Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.”

“Any attempt to remove or damage this software will lead to immediate destruction of the private key server.”

First thing to do if you think you have this virus is to turn off your network switches to prevent further infection. Once this is done more then likely the virus will appear on the infected workstations screen with the warning above.

The virus has a three day timer which deletes the recovery information after three days.

To identify what machines have the infection you can run this script from the command line which will search the registry for the Keys that the virus sets up.

reg query HKU /k /f CryptoLocker /s

This will list all of the infected users that have the virus installed into their profile (it will display their SID) from there you should export the registry Keys listed from the above command. This will ensure that you have a list of what files have been infected and other information if required.

This script could be used to push the output to a TXT file and then read that txt file and use

Reg.exe Export

to export the information.

A lot more information can be found here http://www.precisesecurity.com/rogue/cryptolocker-ransomware