CryptoWall - A new ransomware from the creators of CryptoDefense


27 replies to this topic

#1 Grinler (Lawrence Abrams), Admin, 43,268 posts, USA
Posted 08 May 2014 - 05:10 PM

Update 7/10/14:

A guide on all we know about CryptoWall can be found here:

CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

--
BleepingComputer.com Staff


 

Towards the end of April, the developers of CryptoDefense released a new ransomware variant titled CryptoWall. This variant is for the most part the same as CryptoDefense, other than the name change and different filenames for the ransom instructions. It is speculated that the developers either released a new version because CryptoDefense was too well known by AV vendors, or that they sold the code base to another malware developer. Unfortunately, just like the latest versions of CryptoDefense, it is impossible to decrypt files that are encrypted by CryptoWall.
 

[Image: cryptowall.jpg]


When CryptoWall is installed it will scan your computer for data files and encrypt them. It will then create files containing ransom instructions in every folder in which it encrypted a file. These ransom notes are DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and the DECRYPT_INSTRUCTION URL shortcut to the decryption service. Each of these files contains instructions on how you can access the CryptoWall Decrypt Service, located at hxxps://kpai7ycr7jxqkilp.torexplorer.com/, and pay the ransom. The ransom is currently set to 500 USD and is payable with Bitcoins. The amount of Bitcoins required will change based on their current price.

If you require more information regarding this infection you can ask in our dedicated CryptoWall support topic. This topic contains all information currently available and compiled from victims, malware researchers, and IT consultants. Unfortunately, the support that can be given is quite limited as there is no way to decrypt the files, but we are here to try and help in any way we can.
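The post above lists the three ransom note filenames CryptoWall drops in every folder it touched. The following is an added example, not code from the original post or from the BleepingComputer staff: a small scanner that walks a directory tree, reports every folder holding one of those notes (which is a quick way to map the blast radius of an infection), and pulls the decrypt-service link out of the .TXT/.HTML/.URL notes. The sample directory tree, the note bodies and the hostname pattern in URL_RE are constructed here for illustration and are assumptions; the link in the sample data is kept defanged ("hxxps") exactly as it appears in the post.

```python
"""Added example, not code from the original post: walk a directory tree,
report every folder that holds a CryptoWall ransom note, and pull the
decrypt-service link out of the .TXT/.HTML/.URL notes.  The sample tree
below is constructed here for illustration."""
import os
import re
import tempfile
from pathlib import Path

# Ransom note filenames named in the post.  Compared case-insensitively
# because Windows filesystems are.
NOTE_NAMES = {
    "decrypt_instruction.html",
    "decrypt_instruction.txt",
    "decrypt_instruction.url",
}

# 16-character Tor hostname behind a .onion or torexplorer.com gateway, as
# in the post.  Accepts the defanged "hxxp" scheme too.  Assumed pattern.
URL_RE = re.compile(
    r"h(?:tt|xx)ps?://[a-z2-7]{16}\.(?:onion|torexplorer\.com)[^\s\"'<>]*",
    re.I,
)


def is_ransom_note(name: str) -> bool:
    return name.lower() in NOTE_NAMES


def extract_urls(text: str) -> set:
    """Collect service links from a note body.  A .URL shortcut is an
    INI-style file whose payload sits on a 'URL=' line."""
    urls = set(URL_RE.findall(text))
    for line in text.splitlines():
        if line.lower().startswith("url="):
            urls.add(line[4:].strip())
    return urls


def scan_tree(root):
    """Return (affected_dirs, urls): every directory holding at least one
    note, plus the distinct service links found in those notes."""
    affected = []
    urls = set()
    for dirpath, _dirs, files in os.walk(root):
        notes = [Path(dirpath, f) for f in files if is_ransom_note(f)]
        if not notes:
            continue
        affected.append(Path(dirpath))
        for note in notes:
            try:
                urls |= extract_urls(note.read_text(errors="replace"))
            except OSError:
                pass  # an unreadable note still marks the folder as affected
    return sorted(affected), urls


def build_sample_tree() -> str:
    """Constructed sample: three folders, two of them carrying notes."""
    root = tempfile.mkdtemp(prefix="cw_sample_")
    link = "hxxps://kpai7ycr7jxqkilp.torexplorer.com/"  # defanged, as in the post
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"\x00" * 16)  # stand-in for an encrypted file
    (docs / "DECRYPT_INSTRUCTION.TXT").write_text(f"Your files are encrypted. Visit {link} to pay.\n")
    (docs / "DECRYPT_INSTRUCTION.URL").write_text(f"[InternetShortcut]\nURL={link}\n")
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "Decrypt_Instruction.html").write_text(f"<a href='{link}'>decrypt service</a>")
    music = Path(root, "Music")
    music.mkdir()
    (music / "song.mp3").write_bytes(b"ID3")  # untouched folder, no note
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    dirs, links = scan_tree(sample)
    for d in dirs:
        print("ransom note in:", d)
    for u in sorted(links):
        print("service link:", u)
```

Point scan_tree at a mounted copy of the victim's drive (or a share) rather than the live system, and treat the returned folder list as the set of locations whose files need restoring from backup or shadow copies; the note files themselves are harmless text and can be kept as evidence.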



#2 Anshad Edavana, BC Advisor, 2,805 posts, India
Posted 11 May 2014 - 12:33 PM

Is it just me, or does anybody else feel that online currency transactions should be controlled/regulated? "Bitcoin" is just like "Dynamite": invented for good but used for very bad purposes.



#3 jrturnerxln, Member, 12 posts, Odessa, FL
Posted 12 May 2014 - 02:16 PM

Is there no other way to recover encrypted files? Once the ransom is paid, what is to prevent the virus from attacking my system again?



#4 malkovichST, Member, 2 posts
Posted 12 May 2014 - 06:12 PM

I think the only way is to pay the ransom. After decrypting you must update all your OS (browser, anti-virus, any software like Java, etc.).



#5 ShoalsWEB, Member, 1 post
Posted 12 May 2014 - 11:13 PM

If it helps anyone, Shadow Explorer recovered 95% of the files that CryptoWall encrypted. Not great, and a few will be outdated, but better than nothing at all... HTH



#6 quietman7 (Bleepin' Janitor), Global Moderator, 49,915 posts, Virginia, USA
Posted 13 May 2014 - 05:04 AM

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense with additional information for those who have been infected.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 jrturnerxln, Member, 12 posts, Odessa, FL
Posted 13 May 2014 - 01:26 PM

Just curious if anyone can tell me how long after the ransom is paid it takes for the decryption process to occur? I'm interested if anyone can explain the process that they had to go through from the time they decided to pay the ransom to the time they were able to recover their files. I know that there is a confirmation-of-funds-transfer process that takes place, which can take several hours from the time USD is converted to Bitcoins and the Bitcoins are transferred to the Bitcoin wallet of those holding the key.



#8 Cauthon, Member, 28 posts
Posted 13 May 2014 - 06:02 PM

So, how does it work? Do they actually write over the files so they cannot be recovered, or do they just mess around with file names and storage records and such, so that the files are still there but the software can't find them? If, as noted above, Shadow Explorer or other software can recover the files, maybe the bad guys are not as rough and dangerous as they might seem. OTOH, if we all work together, maybe we can find the den that the jackals are hiding in, and see if our government could send them a couple of drones to keep them company, maybe something about the size of a B-36 or C-5A :-) Let's put our tax dollars to work doing something useful. How about, for openers, somebody talk to Bitcoin about this? Just because they like to facilitate activities that the government wants to control or prohibit does not mean they can't track anything if they want to. These people are attacking all of us; let's see if we can get them free room and board in durance vile for a couple of years.

 

And it has been suggested that one reason why we can't decrypt the files is that the hard drive would crap out, long before the computer figured out the key. IMHO, that just means we should first copy the whole mess onto some other storage medium, something that would survive better through many cycles of read and write, and would also enable faster access that would speed up the process.



#9 Kirbyofdeath, Member, 459 posts, Somewhere on Earth
Posted 14 May 2014 - 03:20 PM

Quoting Cauthon: "and see if our government could send them a couple of drones to keep them company"

Tell that to Mother Russia, because that's probably where they are hiding.

 

Also, the files are encrypted; even with the most advanced tech a home user could pay for, it would still take hundreds of years to crack the encryption key.


Edited by Kirbyofdeath, 14 May 2014 - 03:22 PM.


#10 BLACKB0X, Member, 20 posts, USA
Posted 15 May 2014 - 02:28 AM

One of our clients came in with this virus. Once the executable was killed off, I ran across this tool [ http://tmp.emsisoft.com/fw/decrypt_harasom.exe ]! This has been a HUGE life saver! It has successfully decrypted the documents, PDFs, pics, etc. If you want to know more, check out this website [ http://www.malwareremovalguides.info/how-to-use-emsisoft-decrypt_harasom-exe ].

 

As far as the encryption goes, if you do pay the ransom SOME infections will actually decrypt the files and erase themselves. Though I have seen some viruses totally screw the infected computer and not decrypt after the payment. I guess it's just up to the virus engineer.

 

The decryption doesn't take too long, but I guess it can be a long time depending on the data. For example, we got 1.5GB of documents decrypted in about 4 hours. lol.



#11 Jeff6879, Member, 3 posts
Posted 16 May 2014 - 01:43 AM

Hi All.

I want to share my experience with two problems. I hope you'll understand me because I'm French.

 

First, two months ago, I helped a client to remove the CryptorBit virus. After 12 hours of research, I found a way to restore Excel files and PDF files manually. Fortunately, these were the files my client needed to restore ^^

 

A friend of mine caught the CryptoWall virus yesterday. It seems that she clicked on a link to update Flash Player. I'm sure she got the virus this way. She told me that the update window looked almost the same as the usual Adobe windows. I tried to restore the files manually like I did before for my other client, but I couldn't do it.

 

@blackbox: Are you sure that it was the CryptoWall virus??? I tried the Emsisoft decrypt_harasom file but it couldn't eradicate the encryption...



#12 BLACKB0X, Member, 20 posts, USA
Posted 16 May 2014 - 02:48 AM

I'm pretty sure. We had the exact HTML/TXT files as listed above. Also, the screenshot is exactly the same.



#13 Snowforge, Member, 1 post
Posted 19 May 2014 - 10:46 AM

Jeff6879, how were you able to manually restore those documents?


Edited by Snowforge, 19 May 2014 - 10:46 AM.


#14 Jeff6879, Member, 3 posts
Posted 19 May 2014 - 12:22 PM

Quoting Snowforge: "Jeff6879 how were you able to manually restore those documents?"

Well, I opened the PDF files with a tool called BCtester from QualitySoft (http://www.qualitysoft.de). With this tool you can print your PDF files.

For XLS files, I followed these steps:

1. Open Excel
2. Click the Open file button
3. Select your file
4. On the Open button, click the arrow, then choose "Open and Repair"
5. When prompted, select "Extract the data"
6. Once done, another message box appears. I don't remember which option to choose (select one, and if it fails try the other one ^^)
7. The file opens in Excel without formatting.

Note: These tricks worked for the CryptorBit virus, not for CryptoWall :(



#15 mikrop, Member, 4 posts
Posted 21 May 2014 - 12:14 PM

I've been reading the horror stories of people being infected with the different variations of the crypto malware.

Why don't you guys start using "Browser in the Box" by Sirrix or "Sandboxie", so that you don't get infected and don't have to deal with this headache?

Some time ago, while I was cruising the web, the monitor went dark and the computer rebooted itself. At that very moment, I knew that something had hit my computer. When my computer was back on again, it started playing annoying ads out of the blue. The problem I had was so mysterious that I could not find much of a lead even at this site. At the time, I tried anything and everything at bleepingcomputer.com and other sites as well, but every single scan would come back clean and not find anything at all, while the annoying ads would still continue to play on my computer without any application, program or even internet browser being launched.

I monitored everything running on my computer through "HiJackThis", with "nothing" suspicious running in the background. After spending some time doing some detective work, when I checked "Processes" in Windows Task Manager, I noticed that one of the "svchost.exe"s had unusually heavy memory usage. When I right-clicked on that "svchost.exe" and selected "Go to Service(s)", I narrowed the problem down to "DcomLaunch" (DCOM Server Process Launcher). I thought I had a rogue "svchost.exe" and replaced it with a new one. But that did not solve the problem either. So the problem was not a rogue "svchost.exe".

The annoying ads stopped playing when I blocked internet access for "svchost.exe" with my firewall, which I was still not okay with, because rather than solving the problem I had just masked it. There was no fix for this problem, because it is difficult to fix something when every single scanner I tried found "nothing" to fix. What was so weird was the fact that even the fixes, the scanners and the recommendations of other people who had the very same problem did not fix the problem I had. I was like "wow!" because I had thought until that point that I was pretty good at fixing computer problems. But I was ready to give up. As a last resort, I did a "System Restore" to a previous day, before my computer was infected.

And that fixed the problem. I can't claim any victory over this annoying malware, because I simply gave up and did a "System Restore" to a previous day, hoping that it would help, and luckily it did. Ever since that day, ever since that lesson I had and suffered through, I stopped using "regular" internet browsers. I started using "Browser in the Box" by Sirrix, which was slightly slower, only noticeable when watching high definition YouTube videos. Rather than having to deal again with another nasty and annoying malware like the one I had, I was willing to compromise on the speed. Then I tried "Sandboxie" and started running my web browser through "Sandboxie" without any speed issue. Ever since, I've never had issues.





