Posted 28 May 2014 - 10:34 AM
Posted 28 May 2014 - 01:40 PM
Posted 29 May 2014 - 07:16 AM
Posted 29 May 2014 - 01:45 PM
Hello, I am new to this forum. Sorry for my English, I am French.
I'm here to share my experience with the crypto virus. First of all, I can tell you that in some cases it might be possible to recover some parts of a .doc file (Microsoft Word).
I am a computer tech and recently I had two customers who were infected with the CryptoWall virus. One of them didn't have any backup and really wanted to recover his files. Where I work, we use software called Ontrack Easy Recovery for data recovery on broken hard disks. In this software, there is an option to recover Microsoft Office files (Word, Excel, PowerPoint...). I tried to recover .doc files and it kinda worked. Easy Recovery was able to extract some data from the encrypted files. In the recovered files, about half of the text was missing. There was no more bold, italic or colored font.
I used Ontrack Easy Recovery 6.03 to recover the files. It's an old version compatible with Windows XP (I don't think it works with Windows 7). I also tried Easy Recovery 10.0.2.3 and it didn't seem to have the option to recover Office files. I also tried it with .xls and it didn't work.
Posted 29 May 2014 - 02:10 PM
Update. Decrypter has slowed. Ran all night and decrypted 1800 files. This could take a while.
I don't know if it helps, but I am running the decrypter in several folders at the same time.
Posted 29 May 2014 - 03:04 PM
Update. Decrypter has slowed. Ran all night and decrypted 1800 files. This could take a while.
I don't know if it helps, but I am running the decrypter in several folders at the same time.
Willing to share the decrypter for analysis?
Posted 29 May 2014 - 07:28 PM
I too purchased the decrypter and am running it. So far the files do open correctly with all content. The decrypter is a zip file with an executable and a ****.key file.
Posted 30 May 2014 - 01:57 AM
Update. Decrypter has slowed. Ran all night and decrypted 1800 files. This could take a while.
I don't know if it helps, but I am running the decrypter in several folders at the same time.
Willing to share the decrypter for analysis?
Yes I will share the decrypter, but first I need to finish the decryption, I don't want to connect anything to the infected computer (internet, USB).
It should be ready through the weekend.
Posted 30 May 2014 - 02:01 AM
Rony, I would like to try it. In safe mode or Windows?
You can do it in normal mode. You can open the application many times. Just run it several times, and in each window select a different folder to decrypt. (Again: I don't know if it speeds the procedure up.)
Posted 30 May 2014 - 07:12 AM
Rony, I would like to try it. In safe mode or Windows?
You can do it in normal mode. You can open the application many times. Just run it several times, and in each window select a different folder to decrypt. (Again: I don't know if it speeds the procedure up.)
Each application is taking 25% of my CPU Usage, so optimally I am opening 4 windows to decrypt simultaneously
Posted 31 May 2014 - 01:00 AM
I'm hoping that somebody who has paid the ransom can upload the Decrypt software (decrypt.exe) and secret.key files so that me and other users can at least try to decrypt our files without paying these criminals. I know it's unlikely but it's worth a try!
Posted 31 May 2014 - 12:23 PM
So I'm an IT professional that has brought on a new client with a CryptoLocker variant. There are no known backups or shadow copies and it infected some network data. So that being said, we went ahead and paid the ransom.
However, after we entered the details, the payment screen did not go past "waiting for activation of payment" until about 20 hours later, when we received a notice saying we couldn't contact the server. After 10 more hours of that screen, we went ahead and restarted the PC and are now still receiving a "Waiting for activation of the payment" message.
Please advise.
Additional Note: We didn't have a decrypt file anywhere, everything was isolated within an exe file.
Edited by joker8784, 31 May 2014 - 12:25 PM.
Posted 31 May 2014 - 04:19 PM
I have 2 new additional and interesting stories to tell:
- I have paid the ransom mainly for 1 important folder containing DBF files. All of those files were encrypted on the same date same time, so we are pretty sure that it's the same virus that has hit them all. However the decrypter has successfully decrypted ca. 400, but did not recognize another 300 of those files!
After several tries, it was impossible to decrypt them with his decrypter. (AND THIS IS A NEGATIVE REVIEW FOR THE PEOPLE WHO WERE SKEPTICAL ABOUT PAYING THE RANSOM! although it successfully decrypted 97% of the infected files)
Now the interesting part:
- I went to the instruction page (where I have followed the steps to pay, etc.) and clicked on the 'support' tab, and sent him my complaint.
I got a reply a couple of hours later onto my email (which I gave him).
Conversation between me and the support via emails:
*Him: Hello, can you please send to me any of file which you can't decrypt
*Me: Yes sure. Here are 2 examples attached. I have 311 files in this folder that were NOT decrypted (all have the modified date when the virus started). In the same folder 448 files are decrypted. I hope it works because I have paid a lot for those files.
*Him: i try open files with this programm dbfviewer.com . Try please , you files did not crypted with cryptowall ( may be it was crypted with different cryptovirus but 100% not cryptowall) . May be you was infected twice , did you see any banner that your files was crypted ? ( different of cryptowall)
*Me: No, I am only infected with the Cryptowall virus, no other banners. All the DBF files in this folder are encrypted on the same date and same time. Your decrypter decrypted 448 dbf files in this folder, but the other 311 are not detected by your application. I tried, DBFviewer did not open the files, of course because they are encrypted. I really need a solution because those files are why I have paid the 1000$ ransom.
So far, 2 days without any reply. Through Monday if I get no solution I will conclude that the decrypter is not fully functional. I will keep you updated on this one.
joker8784 try to send a msg to the support.
On Monday I will try to upload the decrypter.exe and the key.
More interesting stuff? as you might have been asking yourselves, the email I got replied from is: cw_support@torba.com
Thank you for reading all the way. If you have any ideas or hints to recover my DBF files, please reply.
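For the DBF question in the post above, one way to sort a folder into files that still parse as DBF and files that do not is to check each header against the file size. This is an added example, not code from the thread or from any tool mentioned in it; it assumes the standard dBASE header layout, the version-byte list is not exhaustive, and the sample files are constructed.

```python
import os
import struct
import tempfile

# Common DBF version bytes (dBASE III/IV/5, FoxPro, Visual FoxPro); not exhaustive.
DBF_VERSIONS = {0x03, 0x04, 0x05, 0x30, 0x31, 0x32, 0x83, 0x8B, 0xF5}

def looks_like_dbf(path):
    """Return True if the 12-byte DBF header is consistent with the file size."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(12)
    if len(head) < 12:
        return False
    # version, last-update YY MM DD, record count, header length, record length
    version, _yy, mm, dd, nrec, hdr_len, rec_len = struct.unpack("<BBBBIHH", head)
    if version not in DBF_VERSIONS or not (1 <= mm <= 12 and 1 <= dd <= 31):
        return False
    if hdr_len < 33 or rec_len < 1:
        return False
    expected = hdr_len + nrec * rec_len
    # Writers may or may not append the 0x1A end-of-file marker.
    return size in (expected, expected + 1)

def triage(folder):
    """Split the *.dbf files in folder into (plausible, suspect) name lists."""
    ok, suspect = [], []
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".dbf"):
            (ok if looks_like_dbf(os.path.join(folder, name)) else suspect).append(name)
    return ok, suspect

def build_sample_dbf(nrec=3):
    """Constructed sample: one 10-byte character field and nrec records."""
    field = b"NAME".ljust(11, b"\x00") + b"C" + b"\x00" * 4 + bytes([10, 0]) + b"\x00" * 14
    hdr_len, rec_len = 32 + len(field) + 1, 1 + 10
    head = struct.pack("<BBBBIHH", 0x03, 114, 5, 31, nrec, hdr_len, rec_len) + b"\x00" * 20
    return head + field + b"\x0d" + (b" " + b"ROW".ljust(10)) * nrec + b"\x1a"

def demo():
    """Write one valid and one scrambled (constructed) sample, then triage them."""
    good = build_sample_dbf()
    scrambled = bytes(b ^ 0xA5 for b in good)  # stand-in for an unreadable file
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("good.dbf", good), ("bad.dbf", scrambled)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return triage(d)

if __name__ == "__main__":
    print(demo())
```

A file that passes only has a consistent header and length; open it in a DBF viewer to confirm the records themselves are readable.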