
Question about the Cryptowall virus


This topic is locked
10 replies to this topic

#1 malekdarshin


Posted 12 April 2015 - 01:12 AM

I was hit with the virus a couple of days ago. I cleared it out using the tutorial on this site (and thank you for that) and saved a lot of my data, but it took a lot of family photos I can't get back. Paying the money is not an option as I just don't have it. The files were located on a secondary hard drive which didn't contain the shadow file.

 

I understand that this is most likely a lost cause, but I have to ask and try to find a solution. I understand RSA encryption for the most part, and that it is almost impossible to break with current technology. My question is: should I lose hope about my files? I now hope that one day technology will make it possible to break the encryption. I'm hoping in the next few years, as earlier encryption types were found to have flaws.

 

Another thing is that I took them up on the offer of decoding one file that they had on the ransom page. Can this file and the encryption be compared to find the decryption key? It would have to be done by someone more knowledgeable than myself, but I wonder if that is a reason to hold out hope?




 


#2 malekdarshin


Posted 12 April 2015 - 07:41 PM

Bump



#3 The Pugilist


Posted 15 April 2015 - 03:47 PM

malekdarshin,

 

Unfortunately, there is no way to decrypt your files (as you already know). Short of some major breakthrough in quantum computing, I would not hold your breath and wait for a solution either.

 

As for your question about the decrypted files, this does not really help you either. Sadly, it is not possible to infer the private key based on a known piece of plaintext.

 

Depending on the malware, you might hope that eventually the developers of the malware will be brought to justice and the private keys released back to the public (like what happened with early versions of Cryptolocker).

 

If this is what you're hoping for, you might just choose to back up the encrypted files and sit on them.

 

Aside from that, you're pretty much out of luck. Sorry for the bad news.


//Dave

#4 malekdarshin


Posted 15 April 2015 - 06:08 PM

Thank you for the reply.

 

I was figuring this would be a long shot. I recovered a lot of what was taken, and feel very lucky for that. I'm hoping that in the next 10 years there will be a breakthrough and I can get my pictures back. I'm not sure if it will be along the lines of a computer breakthrough or just someone much smarter than myself finding a flaw in the encryption process. As I (think) I know, past encryption schemes were broken when flaws were found.

 

I read in my research on this that someone already broke the encryption by using a stethoscope and listening to the processor and system fan while a file was being processed. I didn't pay too much attention to this as I was trying to find a useful current solution, but I did make note of it for the future.

 

I didn't know that creators of past versions of Cryptowall were brought to justice. That actually gives me a little more hope. Do they keep the public keys stored past the deadline? I wish there was something I could do to help get these guys. Maybe be given a little time alone with them with a pair of pliers and a blowtorch.



#5 The Pugilist


Posted 15 April 2015 - 08:27 PM

Yeah, this type of ransomware is pretty nasty and frustrating, I'm sure.
 

As I (think) I know, past encryption schemes were broken when flaws were found.

 

This is true. The problem is that modern crypto systems like RSA, AES, etc. all rely on aspects of number theory that are very difficult for current computing technology to solve.

 

I read in my research on this that someone already broke the encryption by using a stethoscope and listening to the processor and system fan while a file was being processed.

 

While I can't speak to this specific example, what you're talking about is a real thing and is known as a side-channel attack. The goal in this type of attack is to be able to detect the private key, but in this case, the problem is that we do not have the private key. Beyond that, the level of expertise required to execute such an attack is pretty high.

 

Do they keep the public keys stored past the deadline?

 

I can't speak to that. I suspect they do because if they destroy the private key, that lessens their ability to ransom you for your files, but that's just a guess.


//Dave

#6 The Pugilist


Posted 20 April 2015 - 09:43 AM

Is there anything else I can help you with, or may we close out this topic? If I don't hear back from you within 48 hours, this topic will be closed.


//Dave

#7 malekdarshin


Posted 20 April 2015 - 01:53 PM

I guess there isn't much more that can be done in this post. Maybe before you lock it, you can let me know where I can be on the lookout for news about whether these people are caught and the keys are recovered. I'd hate to miss out on getting my pictures back just because I didn't see a news article.



#8 The Pugilist


Posted 21 April 2015 - 09:12 AM

 

if you can let me know where I can be on the lookout for news about whether these people are caught and the keys are recovered.

 

The closest thing I can come up with is the BleepingComputer News Forum. If there was some sort of takedown operation that resulted in the release of private keys, I imagine it would wind up there sooner or later.

 

Moving forward, I would urge you to make backups of all of your critical data to avoid such problems in the future. Whether you employ some sort of local backup (using an external hard drive, for example) or some sort of cloud-based solution, having a backup is your best defense against this type of threat.


//Dave

#9 malekdarshin


Posted 23 April 2015 - 04:16 AM

I made a backup of everything I saved. Three, in fact. I'd been meaning to back these up for a long time, but something always came up. That won't happen again.

 

I'll keep checking in.



#10 The Pugilist


Posted 23 April 2015 - 10:01 AM

 

I'd been meaning to back these up for a long time, but something always came up. That won't happen again.

 

We have all learned that lesson at one point or another; it's never an easy one.

 

I'll close out this topic for now, and if you need more help you can either PM a moderator to have it reopened or you may start a new topic altogether.

 

Good luck, and stay safe!


//Dave

#11 xXToffeeXx


Posted 23 April 2015 - 10:14 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
