Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Hit by Cryptowall, but no sign of virus.

  • This topic is locked This topic is locked
1 reply to this topic

#1 matt.o.d


  • Members
  • 1 posts
  • Local time:09:05 PM

Posted 24 September 2014 - 10:31 PM

Hi all, 


We've been hit by Cryptowall. It happened two days ago when we saw the DECRYPT_INSTRUCTION files show up on our network drives. They were all owned by a particular user, so we isolated that users laptop and have been running scans on it. As far as we are aware that is the only machine from which this user has logged in.


However, we cannot find any traces of the virus on this users machine, and none of the files on their laptop's hard drive have been encrypted.


The virus appears to have just hit the network drives mapped on the laptop at the time and nothing else.


We have tried Malware Bytes, the Bleeping Computer listcwall program, Trend OfficeScan (which was running on the laptop at the time), and have gone through the registry and user files looking for anything remotely suspicious and have found nothing... 


Searching across the rest of the network for DECRYPT_INSTRUCTION files hasn't showed up anything on anyone else's machines, neither have Trend virus scans picked up anything.


So what are we missing?? We're restoring files from backup now, but would really like to make sure the affected machine is gone... so it'd be nice to find something to say that this was it.




Edited by hamluis, 25 September 2014 - 10:56 AM.
Moved from Am I Infected to Gen Security - Hamluis.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,767 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:05 AM

Posted 25 September 2014 - 04:24 PM

A repository of all current knowledge regarding CryptoWall is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoDefense does and provide information for how to deal with it and possibly decrypt/recover your files. At this time there is no fix tool for CryptoWall.

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

...from the above topic.

CryptoWall victims,

If you are thinking about paying the ransom, have decided to pay, or want to help test a few things for me, Please email me at Decryptorbit@outlook.com or PM me first.

There may be other options for you, or can receive assistance with the infection.

Nathan (DecrypterFixer), Security Colleague Post #273

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users