
CryptoWall 2.0 - has anyone paid ransom, does it really work?


6 replies to this topic

#1 mickapoo

mickapoo

  • Members
  • 27 posts

Posted 05 April 2015 - 02:54 PM

I'm writing out of desperation. I have an old PC that is infected with CryptoWall 2.0. I have no idea how long it has been on there. After doing much research, I just want to confirm- there is absolutely no way to restore or decrypt the files? I don't have an option to restore the files to an earlier version as it's on XP and I don't see that listed under properties.

 

I have tons of my daughter's baby and early photos, with no back up (I had them on an external HD that failed and before I could transfer them to a new one this CryptoWall stuff happened). I'm in tears as none of the photos will open.

 

Is my only option to pay the ransom, and if I do, will I definitely get the key to decrypt the files? Has anyone actually done this with success?





#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,586 posts

Posted 05 April 2015 - 03:33 PM

Hi mickapoo :)

To address your original question, which is "will paying the ransom really decrypt my files", yes it will. You can find that information in the CryptoWall FAQ hosted on BleepingComputer at the link below:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#ransom

Will paying the ransom actually decrypt your files?

Yes, paying the ransom will allow you to download a decrypter that will decrypt your files. Once you pay the ransom and it is verified, a link will be made available where you can download the decrypter and your personal decryption key. You can then use the program to start decrypting your files. Please note that the decryption process can take quite a bit of time.


It's not recommended to pay the ransom, obviously, so as not to encourage the spreaders of CryptoWall; however, I don't think that CryptoWall 2.0 has a working free decrypter, which means that the only way to get your files back is to either:
  • Restore them using the Shadow Volume Copy service, which was probably deleted during the infection;
  • Restore them from a backup you took prior to the infection;
  • Restore them by paying the ransom.
If the first and second options aren't available to you, the only one left will be the third one sadly. I know Nathan (or Fabian) made a post in the CryptoWall Support thread below that says which variants can be decrypted for free and which can't. I'll try to find it for you.

CryptoWall - new variant of CryptoDefense

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 mickapoo

mickapoo
  • Topic Starter

  • Members
  • 27 posts

Posted 05 April 2015 - 03:37 PM

Thank you so much for your reply. I don't have a backup so can't restore. I am going to try Shadow Volume but am doubtful it will work.

 

When you said, "I know Nathan (or Fabian) made a post in the CryptoWall Support thread below that says which variants can be decrypted for free and which can't. I'll try to find it for you."

What do you mean by variants? Sorry, I'm not very tech savvy. All I know is it says CryptoWall 2.0. Does that help? I didn't think any of them can be decrypted, so you are giving me hope!


Edited by mickapoo, 05 April 2015 - 03:39 PM.


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,586 posts

Posted 05 April 2015 - 03:41 PM

There were variants of CryptoWall that could be decrypted using a free decrypter that was made by some Security Developers here at BleepingComputer, but I'm not sure if CryptoWall 2.0 is supported. I'm trying to look for Fabian's (or Nathan's) post on it.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 mickapoo

mickapoo
  • Topic Starter

  • Members
  • 27 posts

Posted 05 April 2015 - 04:11 PM

I see. Thank you so very much! I'll keep my fingers crossed!!

 

PS I tried to run ShadowExplorer but it said my version of Windows is not supported (XP, service pack 3).


Edited by mickapoo, 05 April 2015 - 04:56 PM.


#6 adamforum

adamforum

  • Members
  • 27 posts

Posted 05 April 2015 - 08:42 PM

@mickapoo Another important thing to keep in mind -- even if you choose not to pay the ransom and none of the recovery options presented here pan out, hang onto your infected computer (or at least its hard disk).  While there is no guarantee, the possibility exists that you may be able to unscramble your files in the future at no cost.  If you don't have the disk with the scrambled files, you will not have that option.


Edited by adamforum, 05 April 2015 - 08:43 PM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts

Posted 05 April 2015 - 09:24 PM


A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall (including versions 2.0 & 3.0) does and provide information for how to deal with it. Cryptowall typically deletes all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try. At this time there is no fix tool and Decryption of any CryptoWall Files...is impossible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

There are also lengthy ongoing discussions in these topics:

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
