
Original CryptoWall Ransomware Support and Help Topic - DECRYPT_INSTRUCTION.html


1516 replies to this topic

#1 TalbotM

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:00 PM

Posted 30 April 2014 - 06:41 PM

A guide on all we know about CryptoWall can be found here:

CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

--
BleepingComputer.com Staff


 

I have a client that got infected with what might possibly be a new version of a crypto style malware. What's different about it is that it leaves files named:
DECRYPT_INSTRUCTION (with no suffix, with .TXT, and with .HTML)

Also, the name on the web page refers to "CryptoWall decrypter" and the ransom is $1000 USD. I can't find a thing on this specific variant, except for 3 hits off of some German site.

If anyone is interested, I can try to provide further details.


 


#2 FurryRose

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Always Changing
  • Local time:08:00 PM

Posted 30 April 2014 - 06:56 PM

This does sound very interesting. It saddens me to see all of these new variants of the same darned software popping up all over the place. Please try to keep us updated on this, with info on things like how the client got infected, etc. I am very curious to see more about this...

#3 Wilson546

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:00 AM

Posted 01 May 2014 - 06:43 AM

Just got this too on 30/04/2014

Drops three files:

DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.URL

Text file contains (ID replaced with xxxx):

 

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
 
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
 
 
How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
 
 
What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
 
 
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
 
If for some reasons the addresses are not available, follow these steps:
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: kpai7ycr7jxqkilp.onion/xxxx
4.Follow the instructions on the site.
 
 
IMPORTANT INFORMATION:
Your personal page (using TOR): kpai7ycr7jxqkilp.onion/xxxx
Your personal identification number (if you open the site (or TOR 's) directly): xxxx 
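The three note files listed in the post above (DECRYPT_INSTRUCTION with no suffix, .TXT, .HTML or .URL) are the quickest indicator of which directories and shares the encryption reached. The following scanner is an added example, not code from the thread or from BleepingComputer; it walks a tree, reports every directory holding a note, and ignores look-alike names. The sample directory layout it builds in a temporary folder is constructed for the demonstration and is not real infection data.

```python
import os
import tempfile
from collections import defaultdict

# Ransom-note names reported in this thread: DECRYPT_INSTRUCTION with no
# suffix, or with .TXT / .HTML / .URL. Matching is case-insensitive.
NOTE_STEM = "DECRYPT_INSTRUCTION"
NOTE_SUFFIXES = {"", ".txt", ".html", ".url"}


def is_ransom_note(filename):
    """True only for an exact DECRYPT_INSTRUCTION stem with an allowed suffix."""
    stem, ext = os.path.splitext(filename)
    return stem.upper() == NOTE_STEM and ext.lower() in NOTE_SUFFIXES


def find_ransom_notes(root):
    """Walk `root` and return {directory: sorted note filenames} for every
    directory that contains at least one ransom note."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_ransom_note(name):
                hits[dirpath].append(name)
    return {d: sorted(names) for d, names in hits.items()}


def summarize(hits, root):
    """Return (affected_dir_count, note_count, sorted relative dir list),
    the figures a responder wants when scoping which shares were touched."""
    rel_dirs = sorted(os.path.relpath(d, root) for d in hits)
    total = sum(len(v) for v in hits.values())
    return len(hits), total, rel_dirs


def build_sample_tree(base):
    """Constructed sample tree (not real data): two directories carrying
    notes, one clean directory, and one with look-alike names that must
    not match."""
    layout = {
        "Desktop": ["DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML",
                    "DECRYPT_INSTRUCTION.URL", "report.docx"],
        os.path.join("Shares", "Finance"): ["DECRYPT_INSTRUCTION", "budget.xlsx"],
        os.path.join("Shares", "Clean"): ["notes.txt"],
        os.path.join("Shares", "Lookalike"): ["DECRYPT_INSTRUCTIONS.TXT",
                                             "MY_DECRYPT_INSTRUCTION.TXT"],
    }
    for rel, files in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "w") as fh:
                fh.write("constructed sample\n")
    return base


def run_demo():
    """Build the constructed tree, scan it, and return the summary tuple."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_ransom_notes(tmp)
        return summarize(hits, tmp)


if __name__ == "__main__":
    n_dirs, n_notes, dirs = run_demo()
    print(f"{n_notes} ransom notes in {n_dirs} directories: {dirs}")
```

Run it against a mapped share root instead of the temporary folder to get the list of affected directories; the note files are dropped per directory, so their presence is a reasonable proxy for the scope of encryption when no file-level logging is available.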


#4 Striker76

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Location:fl
  • Local time:10:00 PM

Posted 01 May 2014 - 07:57 AM

Nice, another scammer not wanting an honest living. Is this another email file download, or a webpage link? How did you acquire the bug?



#5 Kragster

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 01 May 2014 - 08:51 AM

Where is it dropping the files? Users Desktop?

We just got two crypto infections in a week after making it through all last year without any, so I'm wondering if it's a variant that's evading our protections.



#6 Wilson546

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:00 AM

Posted 01 May 2014 - 09:18 AM

Where is it dropping the files? Users Desktop?

Users Desktop and File Shares.

Currently in the process of recovering from backup and getting three suspect computers collected (they are in a remote office).



#7 Kragster

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 01 May 2014 - 09:56 AM

Thanks for the reply. I only have one PC; the desktop guys unfortunately shut them both down, and wiped and restored one before talking to me.

So far mine looks like the traditional CryptoLocker though, not seeing any of these file drops, and most of the registry keys are lining up with known ones. A few aren't quite the same though.

Good luck.



#8 PaulHod

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 01 May 2014 - 10:04 AM

I had one of these last night between 4:30 and 5pm. I've managed to restore the network files that it encrypted but lost all sorts on the PC as it removed shadow copies and system restore points. I've sent a suspect file over to McAfee from c:\users\username\appdata\roaming, who replied with the usual not-really-interested FAQ about crypto malware etc.

This infection was not from an email; it was from a normal legitimate website.



#9 FurryRose

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Always Changing
  • Local time:08:00 PM

Posted 01 May 2014 - 11:34 AM

Can anyone provide the name of the site(s) that gave them the infection?

#10 PaulHod

  • Members
  • 2 posts
  • OFFLINE
  • Local time:03:00 AM

Posted 01 May 2014 - 11:37 AM

I visited a number of sites around that time but they were all normal sites such as Microsoft, Veeam, MSDN. I can't think of any odd sites that I went to yesterday; all I know is it was definitely not from an email.



#11 Wilson546

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:00 AM

Posted 01 May 2014 - 12:03 PM

I visited a number of sites around that time but they were all normal sites such as Microsoft, Veeam, MSDN. I can't think of any odd sites that I went to yesterday; all I know is it was definitely not from an email.

Maybe from that IE 0-Day?

Infected workstation just arrived as I am leaving the office. Will update tomorrow.



#12 quietman7

  Bleepin' Janitor

  • Global Moderator
  • 48,826 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:00 PM

Posted 01 May 2014 - 06:20 PM

I have advised two of our Security Colleagues who specialize in crypto malware with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#13 Nathan

  DecrypterFixer

  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:00 PM

Posted 01 May 2014 - 06:41 PM

Thanks for the tip Quietman.

Now down to business I guess.

First off, I'm sorry to hear you were infected by this type of malware. It's quite an eye opener when you get hit, but perhaps we here at bleepingcomputer can help you.

Please read the following and reply accordingly:

1.) Do you think you know where you got this infection? A site, email with a weird attachment, a downloader / installer? If so please enlighten me as to which one and its location.

2.) Are there still any weird files on your computer besides the ransom note that you noticed? Perhaps the original executable in your download folder, Temp folder, or Appdata folder?

3.) Have you run an Anti-Virus since the infection occurred? If so then hopefully you have not deleted anything it found and only quarantined it. If you know there are things your AV picked up and are in quarantine, please zip up the contents of your AV's quarantine with the name "CryptoWall_<AV name>.zip" and upload it here: http://www.bleepingcomputer.com/submit-malware.php . If this step is too complicated, please PM me, or post it and I will walk you through the process.

4.) Are the ransom notes the only thing that you noticed this infection has changed (besides your files being encrypted)? Ex. changed wallpaper, a window or prompt, changed homepage etc.

5.) If you look in your task manager do you notice any unfamiliar tasks running? Most of the time it will either be something generic like "Flashupdate.exe", something random like "sf5g.exe", or there will be multiple processes with the same name (ignore svchost.exe, chrome.exe).

6.) Is there a task that is taking up a lot of your CPU?

Please do not stress over these questions, and if you can only answer a few that is fine, as I can walk you through the other questions.

Remember, no matter how silly you think something sounds, or looks, you must tell us because everything matters in identifying these infections.

Thanks for your time.


Have you performed a routine backup today?

#14 Duburu

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:00 PM

Posted 01 May 2014 - 08:30 PM

Uh, I just got the virus on my laptop. I don't know what to do.

#15 Nathan

  DecrypterFixer

  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:00 PM

Posted 01 May 2014 - 08:50 PM

Please read the post above yours and post with the answers.


Have you performed a routine backup today?
