CryptoWall 3, list all files currently encrypted


11 replies to this topic

#1 pettys

pettys

  • Members
  • 4 posts

Posted 27 May 2015 - 09:20 AM

Although CW3 writes the list of all encrypted files to the registry (which you can get from ListCWall), our attempt to restore those from our backup was incomplete. We ended up with encrypted and unencrypted files all mixed together and needed a way to find out what was still encrypted.

 

This open source tool I wrote solved this problem for us. If it's something useful to you, feel free to use it; if you need it to do something it currently doesn't, add an issue to the GitHub project and I'll try to help you out.

 

https://github.com/pettys/CryptoWall3Finder/

 

I also needed a way to recover previous versions of encrypted files that are sync'd with Google Drive. I was able to create a script to do this automatically through Google Drive's API. I don't have the source available for that, but if it's something you need I'll see if I can make it available to you.


Edited by pettys, 27 May 2015 - 10:40 AM.



 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,548 posts

Posted 27 May 2015 - 09:34 AM

Hi pettys :)

Lawrence Abrams (aka Grinler), the Founder and Owner of BleepingComputer also wrote a small utility for that, with the help of a member here on BleepingComputer. It's called ListCWall and it has been available for a few months now. Here it is:

http://www.bleepingcomputer.com/download/listcwall/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 pettys

pettys
  • Topic Starter

  • Members
  • 4 posts

Posted 27 May 2015 - 10:31 AM

Hi Aura. That tool does a different job than this one. ListCWall reads the registry of all files originally encrypted. This tool does a file content scan to detect all files currently encrypted. This difference was important to us once we had a partial restore. We knew we had recovered many files that were once encrypted, and needed a new list of all files that were still encrypted. ListCWall couldn't help us with that.

 

Does that make it clearer why this tool is different than ListCWall?



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,548 posts

Posted 27 May 2015 - 10:33 AM

Now it's clear, because this statement wasn't:

our backup strategy was a little loose so we ended up with a mixture of encrypted/unencrypted files and needed a way to find out what was still encrypted (ie, what encrypted files had also been sync'd with our backup solution, and so we would have to dig a little harder to recover?).


I didn't understand that you restored a back-up and ended up with both encrypted/decrypted files.



#5 pettys

pettys
  • Topic Starter

  • Members
  • 4 posts

Posted 27 May 2015 - 10:39 AM

I can see how that wasn't clear, and edited the original post to avoid the confusion. Thanks for the feedback!



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,548 posts

Posted 27 May 2015 - 10:45 AM

No problem :) Do you plan on making this small utility more user-friendly? Since right now, we have to grab the source, modify it and recompile it? Also, what's the .NET dependency? Also, will you create another utility that can be used to find the 16-bits unique to your system?



#7 pettys

pettys
  • Topic Starter

  • Members
  • 4 posts

Posted 27 May 2015 - 10:58 AM

If it generates any interest I'll put a little more work into being more user friendly. It uses .NET 2.0. To make it more user friendly I'd add a "training" command line switch where you can feed it a known-bad file to easily get the 16-byte pattern on your PC.

 

For now I thought I'd just raise a flag on this thing and see if anyone else could use a tool like this -- I'm hesitant to polish up something that maybe no one will ever use. Maybe everyone else has more solid recovery techniques than we did. :)
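
As an added illustration of the content scan described in posts #3 and #7 (this is not CryptoWall3Finder's code and was not written by anyone in the thread): a Python example that learns a 16-byte pattern from one known-encrypted file and lists every file under a directory whose content begins with it. That the pattern sits in the first 16 bytes of each encrypted file is an assumption; `learn_pattern`, `find_still_encrypted` and `demo` are hypothetical names, and the sample files are constructed.

```python
import os
import tempfile

PATTERN_LEN = 16  # size of the per-machine pattern mentioned in the thread


def learn_pattern(known_encrypted_path):
    """'Training' step. Assumption: the pattern is the file's first 16 bytes."""
    with open(known_encrypted_path, "rb") as fh:
        head = fh.read(PATTERN_LEN)
    if len(head) < PATTERN_LEN:
        raise ValueError("sample is shorter than the pattern length")
    return head


def find_still_encrypted(root, pattern):
    """Return (hits, unreadable): paths starting with pattern, paths not opened."""
    hits, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(pattern)) == pattern:
                        hits.append(path)
            except OSError:
                unreadable.append(path)  # locked or denied: check by hand
    return sorted(hits), sorted(unreadable)


def demo():
    """Scan a constructed, partially restored tree; return relative hit paths."""
    marker = bytes(range(0xA0, 0xB0))  # constructed 16-byte value, not a real sample
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "docs"))
    samples = {
        "known_bad.bin": marker + b"\x00" * 64,  # training file
        os.path.join("docs", "report.doc"): marker + b"x" * 32,  # still encrypted
        os.path.join("docs", "restored.doc"): b"\xd0\xcf\x11\xe0 ok",  # restored
        "tiny.txt": b"hi",  # shorter than the pattern
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    hits, unreadable = find_still_encrypted(
        root, learn_pattern(os.path.join(root, "known_bad.bin")))
    return [os.path.relpath(p, root) for p in hits], unreadable
```

Files that could not be opened are returned separately so they can be checked by hand rather than silently counted as clean.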



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,548 posts

Posted 27 May 2015 - 11:04 AM

I wouldn't mind using it if I needed to so there's that! :P But yeah, adding the features above would be really interesting if people start using your tool.



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts

Posted 29 May 2015 - 06:26 PM


Thank you for taking the time to visit us and explain CryptoWall3Finder.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#10 cdssmiths

cdssmiths

  • Members
  • 1 posts

Posted 18 June 2015 - 10:11 PM

I'm baffled by ListCWall's report of "no files" on five computers that have been hit by CryptoWall 3.0. Most of the files that we've found so far were on network drives, not sure if that mattered. Also, we did not run the utility as "Administrator". Desktops were Windows 7. File server was Win2003. Thoughts, insights, suggestions welcome.



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,548 posts

Posted 19 June 2015 - 05:21 AM

Hi cdssmiths :)

If you have questions about ListCWall, you should post them in the Cryptowall Support Thread (since ListCWall has no dedicated thread to it and is specific to one family of Cryptoware).

Cryptowall - new variant of CryptoDefense



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts

Posted 19 June 2015 - 06:37 AM

You can also ask in this topic created by Grinler, the developer of ListCWall.



