Backing up files from Cryptowall 3.0 infected laptop


  • This topic is locked
4 replies to this topic

#1 Flippers

Posted 03 July 2015 - 09:13 AM

Hello everybody! I have a friend whose laptop was infected by Cryptowall 3.0. The laptop is fairly old but it's still very usable for the usual work. I already told my friend that there's still no decrypter to date that could decrypt the files that were affected by Cryptowall 3.0.

Basically I want to back up some unaffected files on the laptop, and I plan to remove its hard drive, plug it into my PC and perform the necessary things.

Here are my questions:

  1. Will my PC be infected too with the Cryptowall 3.0 virus given that I'll be plugging the hard drive into my PC?
  2. Will the encrypted files still carry the virus if I also back them up?
  3. Is there a way to determine which files are encrypted considering that I'll be using the laptop's drive as a secondary drive on my PC? (Or is running the ListCwall program on the affected laptop the only way to determine the files that are currently affected?)

I would really appreciate your help in dealing with this situation. I have performed several malware removals before but this is my first time encountering Cryptowall.

 



#2 adamforum


Posted 03 July 2015 - 04:43 PM

1. If you remove the drive from the infected PC and connect it to your PC that is not infected, you should be safe provided you DO NOT BOOT from the infected drive. If you boot from the infected drive, Cryptowall may be active and will now have access to the disks attached to your computer. (Note: I'm not an expert on Cryptowall... I'm erring on the side of caution by assuming that Cryptowall remains active until the ransom is paid. Possibly it goes dormant after it alerts the user that the files are encrypted, but I cannot confirm or deny that. I advise using caution and never booting from the infected drive.)

 

2. The encrypted files do not carry any malicious code.  You can safely copy/back them up.

 

3. I seem to recall that Cryptowall wrote a list of infected files to the registry somewhere... you'll need to Google to get the specifics.  I'm not familiar with ListCwall, but I suspect it simply reads the applicable registry key value(s).

 

I also recommend keeping an exact copy of the infected drive (before removing Cryptowall).  The exact copy you can stash in case your key becomes available in the future.

 

Good luck,

 

AF
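
A read-only way to approach question 3 from the clean PC, added here as an example and not part of the original thread: compare each file's leading bytes with the signature its extension implies, and fall back to an entropy check where no signature is known. It assumes the encrypted files kept their original names and extensions; the signature table, the 7.5 bits/byte threshold and all function names are choices of this example.

```python
import math, os, tempfile

OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (.doc/.xls/.ppt)
ZIP = b"PK\x03\x04"                        # zip and Office Open XML
SIGNATURES = {  # well-known leading bytes per extension
    ".pdf": [b"%PDF-"], ".png": [b"\x89PNG\r\n\x1a\n"], ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"], ".zip": [ZIP],
    ".docx": [ZIP], ".xlsx": [ZIP], ".pptx": [ZIP], ".doc": [OLE], ".xls": [OLE], ".ppt": [OLE],
}

def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look random."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def classify(path, sample=4096):
    """Return 'intact', 'suspect' or 'unknown' from the first bytes of a file."""
    with open(path, "rb") as fh:  # opened read-only, the drive is never written
        head = fh.read(sample)
    sigs = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if sigs is None:  # no known header (e.g. .txt): fall back to entropy
        return "suspect" if len(head) >= 1024 and entropy(head) > 7.5 else "unknown"
    return "intact" if head.startswith(tuple(sigs)) else "suspect"

def triage(root):
    """Walk a mounted, never-booted drive and group file paths by verdict."""
    report = {"intact": [], "suspect": [], "unknown": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                report[classify(full)].append(full)
            except OSError:  # unreadable file: review it by hand
                report["unknown"].append(full)
    return report

def demo():
    """Run triage over a constructed sample tree (not real victim data)."""
    samples = {"ok.pdf": b"%PDF-1.4\n% constructed\n", "notes.txt": b"shopping list\n" * 100,
               "hit.pdf": os.urandom(4096), "hit.dat": os.urandom(4096)}  # random = stand-in ciphertext
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        found = triage(root)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}

if __name__ == "__main__":
    print(demo())
```

Point `triage()` at the drive letter or mount point of the attached disk. Compressed or media files that have no entry in the table will also land in "suspect" and need a manual look.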



#3 Flippers


Posted 04 July 2015 - 02:27 AM

> 1. If you remove the drive from the infected PC and connect it to your PC that is not infected, you should be safe provided you DO NOT BOOT from the infected drive. If you boot from the infected drive, Cryptowall may be active and will now have access to the disks attached to your computer. (Note: I'm not an expert on Cryptowall... I'm erring on the side of caution by assuming that Cryptowall remains active until the ransom is paid. Possibly it goes dormant after it alerts the user that the files are encrypted, but I cannot confirm or deny that. I advise using caution and never booting from the infected drive.)

Do you have an experience similar to this problem before?



#4 adamforum


Posted 04 July 2015 - 12:05 PM

 

> Do you have an experience similar to this problem before?

 

 

I have not been personally infected with Cryptowall, but I do work professionally as a software engineer who deals with a wide range of computer security issues. I've used the aforementioned technique on numerous occasions to recover data for friends who have become infected with various types of malware.

 

Good luck.

 

AF


Edited by adamforum, 04 July 2015 - 12:06 PM.


#5 quietman7


Posted 04 July 2015 - 02:54 PM


There are also ongoing discussions in these topics:

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in one of those topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion... this topic is closed.

Thanks
The BC Staff