So, I have a client that was infected with Cryptowall 3.0 and of course, no backups. This was on the server's shared directory...no other directory on the server was affected. It appears that this happened over the network, however, we have scanned all 7 PCs attached to the network, and have been unable to determine which machine it came from...NONE of the machines other than the directory in question have encrypted files nor the files left over by the virus.
So, the ransom was paid (yeah, of course we already know that the ransom should never be paid, but they needed these files...about 28GB of documents). The decrypt tool and private key were sent as stated on the ransom website, and when the software was run (on the server), it stated that the database wasn't found and to select the folder containing the encrypted files. We did that and it decrypted quite a few files (maybe around 100 to 200 files). All of the files that it found and decrypted were CSV, MOV, MSG, JPG, PS, a couple of (literally 2 or 3) DOT & DOTX files, etc. None of the needed files (DOC, DOCX, XLSX, PDF) were decrypted...in fact, the software isn't even seeing the files at all.
Upon subsequent runs, it simply scans through the directories within 4 to 5 seconds and says COMPLETE.
The twist to this is that all of the DOC, DOCX, XLSX, and PDF files have a weird ".UXZHCBE" or ".ELQHCBE" extension added to the end of the original extension. Even the TXT file that CryptoWall leaves behind is encrypted.
Upon submitting a question to the Support tab of the Ransom Page, they responded with suggestions on running the decrypt in safe mode, running using "Run as Administrator", and even had me submit one of the encrypted files to them via sendspace.com. After they received it, they had me try removing the extension and running the decrypter again... all to no avail. I submitted a couple more questions to them, and haven't received a reply within the last couple of hours (expected).
While researching this behavior, I also found a Decrypt All Files ELQHCBE and a Decrypt All Files UXZHCBE bitmap in some of the folders...which upon opening states that the files have been encrypted with CBT-Locker.
So, the way things are looking is that these viruses were running around the same time...based on the timestamps of the HELP_DECRYPT files, Cryptowall started around 2:30p and ran until around 8:53P. Then the first CBT-Locker virus which added the ELQHCBE extension started around 4:39P. Then the 2nd CBT-Locker virus started around 5:10P, which added the UXZHCBE to the existing TXT files that were left by the preceding viruses (evident by files such as "Decrypt All Files elqhcbe.TXT.uxzhcbe") as well as some of its own files (evident by "Decrypt All Files uxzhcbe.TXT.uxzhcbe").
This is truly a CLUSTER-F*CK, however the client is in desperate need of these files.
Anybody wanna take a stab at this?!?!?