Original CryptoWall Ransomware Support and Help Topic - DECRYPT_INSTRUCTION.html


1520 replies to this topic

#376 mantramark

mantramark

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:25 AM

Posted 27 September 2014 - 11:27 AM

The decrypter does seem to take a while.  I had everything done in an hour, but we had only about 80 files that needed decrypted - total of around 200MB.   Most files were under a MB, the largest (and most important) was 23MB.

 

Thankfully, I had good backups of a majority of our stuff, so I didn't have several GB to decrypt.

 

If it's any comfort, I don't think the decrypter has a time limit where it will stop working.   On a whim yesterday, I ran it again on an encrypted file - it still worked 2 days after I downloaded it.

 

That's interesting that you had to wait overnight.  I seriously think it might take a live person on their end to approve the transaction and give you the link.  Given the bad English on their website, I suspect they might be in Eastern Europe or Russia -- around 6 to 8 hours ahead of me here in Ohio.  So if you were, say, on the East Coast of the US and paid their ransom at 8PM our time, it would have been around 2am to 4am their time... they were fast asleep (or passed out drunk after spending their ill-gotten gains). 

 

Anyway, yeah, after I got the files back, I did all three of those things - anti-virus (MSE and Avast), Malwarebytes and did the cryptoprevent on all the PCs that access those shares.

 

Cheers,

mj




#377 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,953 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:25 AM

Posted 27 September 2014 - 11:33 AM

I did all three of those things - anti-virus (MSE and Avast), Malwarebytes and did the cryptoprevent on all the PCs that access those shares.

See the IMPORTANT NOTE about not using more than one anti-virus program in this topic: Choosing an Anti-Virus Program

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#378 mantramark

mantramark

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:25 AM

Posted 27 September 2014 - 11:51 AM

Yeah thanks - good tip.  Only have one anti-virus on there.  I meant AVG not Avast - that was installed on there already.  Did a scan with AVG, then removed it and installed MSE. (something I have been doing recently on that network - AVG Free has annoyed me with their "browser hijack" - switching the home page and installing themselves as the default search provider).

 

cheers,

mj



#379 omisos

omisos

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:25 AM

Posted 27 September 2014 - 12:04 PM

I am glad it worked for you guys.  DO NOT PAY.  When I put my info in, it said, "transaction ID already exists" and the payment was never credited.  I triple checked every step I did and every letter I typed.  I just checked it today and the send to address is now different.  Not pleased.



#380 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:08:25 AM

Posted 28 September 2014 - 03:04 PM

If you are a victim of CryptoWall, and you are considering payment, please contact me first at Decryptorbit@outlook.com. You may have different options at your disposal.

 

Thanks


Have you performed a routine backup today?

#381 bfrederick

bfrederick

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 29 September 2014 - 06:59 PM

Anyone have any advice for finding out which computer is infected? We have about 50 machines on our network here, and just found ourselves infected today. I ran the "listCwall" program from the bleepingcomputer support article from the machine of the only user to report the issue, but it lists zero files. Is this tool still the right tool to use? If it is, does anyone have any pointers for helping me find which computer started this?

 

By the way, we recently switched email anti-spam/anti-virus from Barracuda to MailRoute, so I'm wondering if MailRoute's protection is not as robust as Barracuda's. 

 

Thanks



#382 Techindahaus

Techindahaus

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 29 September 2014 - 07:26 PM

Anyone have any advice for finding out which computer is infected? We have about 50 machines on our network here, and just found ourselves infected today. I ran the "listCwall" program from the bleepingcomputer support article from the machine of the only user to report the issue, but it lists zero files. Is this tool still the right tool to use? If it is, does anyone have any pointers for helping me find which computer started this?
 
By the way, we recently switched email anti-spam/anti-virus from Barracuda to MailRoute, so I'm wondering if MailRoute's protection is not as robust as Barracuda's. 
 
Thanks

I've ever heard of that application working for anyone. If you need help, ask Nathan. Don't pay those crooks.

Edited by Techindahaus, 29 September 2014 - 07:27 PM.


#383 hrabbot

hrabbot

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:25 AM

Posted 01 October 2014 - 12:59 PM

I'm attempting to clean a work computer of a CryptoWall infection for another user.  Only the contents of a personal SD card was encrypted, with all files on the machine itself being safe and sound.  This does not add up to me.  I can't find any trace of the virus itself with a Malwarebytes scan with updated database, and I don't see any file list registry entries consistent with this malware.

 

My assumption was that the infection occurred at home, encrypting his SD card contents, and then transported to work, where everything is actually fine.  I mentioned this to him, but he insists the SD card has been in the machine for a very long time.  The encrypted files all have a modified date of 9/22/14.

 

Are there other steps I should take to root out this virus before declaring the machine clean?



#384 kpsung

kpsung

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 02 October 2014 - 12:03 AM

My laptop (HP, Win8) was infected with CryptoWall Ransomware a few days ago.

 

I already restored the laptop to my factory default settings.

 

Everything has been cleaned now, but I have some important files on my external hard drive which were also infected with this CryptoWall virus at the same time.

 

Someone told me if I post here, someone might help me to decrypt my files using his supercomputer with a brute-force attack.

 

FYI, breaking RSA-2048-bit SSL certificate would take about 4.3 billion times longer (using the same standard desktop processing) than doing it for a 1024-bit key.

 

It is therefore estimated, that standard desktop computing power would take 4,294,967,296 x 1.5 million years (a little over 6.4 quadrillion years) to break RSA-2048-bit SSL certificate.

 

I am not going to pay even 1 cent to the criminals, and I'd rather call the police.

 

I need someone who could help me.

 

Does anyone know when we may get a solution site such as https://www.decryptcryptolocker.com/ for this CryptoWall in the future?

 

Thanks.



#385 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:08:25 AM

Posted 02 October 2014 - 05:15 AM

I'm sorry to disappoint, but that simply isn't possible.


Have you performed a routine backup today?

#386 kpsung

kpsung

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:25 AM

Posted 02 October 2014 - 01:32 PM

If you have a shadow copy of the previous files, or if you have a restore point, then it's possible to get your files back.

 

But in my case, when I looked at the shadow copy, it was also infected, and furthermore I didn't have a restore point.

 

So I had to restore my laptop (WIN8) with a factory reset.

 

Now I have no idea how to decrypt my files on my external hard drive.

 

Can anybody help me with his supercomputer, or can I borrow it?

 

I am willing to pay for it.



#387 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,953 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:25 AM

Posted 02 October 2014 - 01:36 PM

Cryptowall typically deletes shadow copies with vssadmin.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
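
A detection sketch for the behaviour noted in the post above, added here as an example and not part of the original thread or any poster's tooling: it scans process-creation records for vssadmin being told to delete shadow copies and groups the hits by host. It assumes command lines are already being collected; the JSON-lines layout, field names, host names and user names are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed sample process-creation records, one JSON object per line.
# The layout and field names (host, user, cmdline) are assumptions made for
# this example, not a real log schema; the third line is deliberately truncated.
SAMPLE_EVENTS = r'''
{"host": "WS-014", "user": "jdoe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"host": "SRV-01", "user": "backupsvc", "cmdline": "vssadmin list shadows"}
{"host": "WS-030", "user": "mlee", "cmdline":
{"host": "WS-022", "user": "asmith", "cmdline": "cmd.exe /c \"VSSADMIN  delete   shadows /for=C: /quiet\""}
{"host": "WS-014", "user": "jdoe", "cmdline": "\"C:\\Windows\\System32\\vssadmin.exe\" delete shadows /all"}
'''

# vssadmin (bare, .exe, or quoted full path) followed by "delete shadows".
VSS_DELETE = re.compile(r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank or damaged lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def find_shadow_deletions(text):
    """Return {host: [(user, cmdline), ...]} for shadow-copy deletion commands."""
    hits = defaultdict(list)
    for event in parse_events(text):
        cmdline = str(event.get("cmdline") or "")
        if VSS_DELETE.search(cmdline):
            hits[event.get("host", "unknown")].append((event.get("user", "unknown"), cmdline))
    return dict(hits)


if __name__ == "__main__":
    for host, found in sorted(find_shadow_deletions(SAMPLE_EVENTS).items()):
        for user, cmdline in found:
            print(f"{host}\t{user}\t{cmdline}")
```

A listing-only command such as "vssadmin list shadows" is not flagged, and damaged log lines are skipped rather than aborting the scan.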

#388 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:08:25 AM

Posted 02 October 2014 - 01:38 PM

There is no one here with a quantum computer capable of cracking RSA keys, sorry.


Have you performed a routine backup today?

#389 zingo156

zingo156

  • BC Advisor
  • 3,345 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:25 AM

Posted 02 October 2014 - 02:20 PM

DWave claims to be a quantum computer, I doubt it very much but it is an interesting piece of equipment. After loads of research, I still can not say if their claims are true. Most of the literature points to DWave quantum computer being no better than a standard modern cpu.

 

http://www.dwavesys.com/quantum-computing

 

If I remember correctly, Google purchased the first one. So possibly quantum computers do exist. Will they crack 2048RSA encryption? I sincerely doubt it.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#390 Sasquatch82

Sasquatch82

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:25 AM

Posted 02 October 2014 - 09:01 PM

Our business was hit ("50" plus computers) and all that has been affected so far is our main data drive on our server. Is there a way I can determine which machine is using its mapped drive to infect server files? I have checked and run scans on all computers but there are no signs of the virus. At this point I reformatted the drive and I am restoring from backup, but I am unsure if this virus can start again or has it run its course and perhaps deleted itself? Wouldn't it have infected the "c" drive on the infected machine?



