
Cryptowall 3.0 or KEYHolder... Did I get infected by both?


This topic is locked. 15 replies to this topic.

#1 tbird2340

Posted 09 July 2015 - 05:04 PM

I had a client that got infected. No good backups. Looking to pay the ransom, but I see the following in the directories. How do I know which ransom they need to pay?

"how_decrypt.html" opens up KEYHolder decryption info and "HELP_DECRYPT.HTML" opens up CryptoWall 3.0 decryption info.

Thanks

[Attachment: Encrypt.jpg]




#2 Firehouse

Posted 09 July 2015 - 05:14 PM

Don't pay the ransom, that will "support" their further development. Files are lost forever and there's no way to restore them.



#3 pcpshaun

Posted 09 July 2015 - 05:22 PM

Almost all modern CryptoVirus variants are able to successfully delete any existing volume shadow copies, but you may want to open up Shadow Explorer and have a look anyways, to be certain.

http://www.shadowexplorer.com/

Firehouse is definitely right that paying the ransom encourages this type of behavior from malware authors. If you decide to attempt to pay the ransom anyways, please be aware that many times the command and control infrastructure is shut down or black-holed by upstream providers, and therefore, while you generally are able to submit the payment, the authors are not always able to provide you with the ability to decrypt your files in return.



#4 Firehouse

Posted 09 July 2015 - 05:23 PM

No one is fool enough to pay a ransom, it's a scam ;)



#5 sage19

Posted 09 July 2015 - 05:25 PM

You're missing one, I think. The random extension is characteristic of Cryptowall, yes, but it usually drops DECRYPT_INSTRUCTIONS as its file name. HELP_DECRYPT is usually Cryptolocker. How_decrypt is KEYHolder.

So, deducing from how your files look, you got Cryptolocker, the Cryptolocker file was encrypted by Cryptowall, then KEYHolder?

Pretty sure paying the ransom isn't even an option; your files have been encrypted, by my count, 3 times.



#6 tbird2340 (Topic Starter)

Posted 09 July 2015 - 05:29 PM

> Don't pay the ransom, that will "support" their further development. Files are lost forever and there's no way to restore them.

Completely agree. But if a company has THOUSANDS of encrypted files with zero backup, what other option do they have?



#7 Aura (Malware Response Team)

Posted 09 July 2015 - 05:31 PM

I just want to say that you can pay the ransom for most ransomware and you will get your files decrypted. While I do not encourage this (as it encourages the crooks behind it as well), if a company has irreplaceable data and needs it in order to survive, I could understand if they wanted to pay the ransom.

Edit: Also, it seems that these files were encrypted three times: CTB-Locker, Cryptowall and KEYHolder. In any case, even if you decrypt the files for one encryption, you'll need to decrypt them for the two others. And the decryption must be done in reverse order (from the last to the first).

Edited by Aura., 09 July 2015 - 05:33 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
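Why the reverse order Aura mentions matters, as an added example that is not part of the thread: each infection wraps whatever is already on disk, header included, so the last family's layer is the outermost one and has to come off first. The cipher below is a toy (a SHA-256 counter-mode keystream under a small header carrying a family tag and a nonce); it is not the cryptography of CTB-Locker, Cryptowall or KEYHolder, and the infection order and keys in LAYERS are invented for the demonstration.

```python
"""Added example (not from the thread): why layered encryption must be undone
in reverse order.  Each layer is a TOY header (family tag + nonce) wrapped
around the previous layer's output; the keystream is SHA-256 in counter mode.
ASSUMPTION: this is an illustrative construction, not the cipher of any of
the families named in the thread, and the keys and order below are invented.
"""
import hashlib
import os
import struct

MAGIC = b"TOY1"
HEADER_LEN = 4 + 8 + 16        # magic, family tag, nonce


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256(key || nonce || counter) blocks, concatenated and truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_layer(data: bytes, key: bytes, family: bytes) -> bytes:
    """Wrap data (which may already be ciphertext) in one more layer."""
    nonce = os.urandom(16)
    header = MAGIC + family.ljust(8, b"\x00") + nonce
    return header + _xor(data, keystream(key, nonce, len(data)))


def decrypt_layer(blob: bytes, key: bytes, family: bytes) -> bytes:
    """Strip one layer.  Refuses if the outermost header is not this family's:
    that is exactly what happens when you decrypt in the wrong order."""
    if blob[:4] != MAGIC:
        raise ValueError("outermost data is not a TOY1 layer")
    found = blob[4:12].rstrip(b"\x00")
    if found != family:
        raise ValueError("outermost layer belongs to %r, not %r" % (found, family))
    nonce = blob[12:HEADER_LEN]
    body = blob[HEADER_LEN:]
    return _xor(body, keystream(key, nonce, len(body)))


# Invented infection order and keys, first infection to last (ASSUMPTION).
LAYERS = [(b"CTB", b"key-ctb"), (b"CW3", b"key-cw3"), (b"KEYH", b"key-keyh")]


def infect(plaintext: bytes, layers=LAYERS) -> bytes:
    """Apply the layers in infection order; the first infection ends up innermost."""
    blob = plaintext
    for family, key in layers:
        blob = encrypt_layer(blob, key, family)
    return blob


def recover(blob: bytes, layers=LAYERS) -> bytes:
    """Undo the layers from the last infection back to the first."""
    for family, key in reversed(layers):
        blob = decrypt_layer(blob, key, family)
    return blob


def forward_order_fails(blob: bytes, layers=LAYERS) -> bool:
    """Peeling the first infection's layer off first is rejected, because the
    outermost header carries the last family's tag."""
    family, key = layers[0]
    try:
        decrypt_layer(blob, key, family)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    doc = b"Q2 budget: confidential"
    blob = infect(doc)
    print("recovered intact:", recover(blob) == doc)
    print("forward order rejected:", forward_order_fails(blob))
```

With a real family you would not get a helpful error: the decryptor for the first infection would read the last family's header as garbage and either refuse or produce junk. That is why the practical check before paying anything is to identify which family's structure sits at the start of an encrypted file.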


#8 pcpshaun

Posted 09 July 2015 - 05:38 PM

Firehouse and Aura are both right: it's definitely a scam, and regardless of that there are situations where paying the ransom may be the best course of action. I've been called in to consult for companies that have been hit by these types of viruses, and occasionally the damage is extensive enough that management will decide that paying the ransom is worth the risk if there is even a five percent chance of recovering the files. If you are part of a business or corporate environment, and especially a domain environment, there needs to be a push for your IT department to implement software restriction policies, software whitelists, and effective spam and phishing protection, all in addition to a comprehensive backup strategy, as this is generally the most effective way to mitigate these risks.

If you are a home or SOHO/SMB user, you may want to consider investing in an online backup service such as BackBlaze or CrashPlan as a cheap and effective way to back up this essential information going forward.



#9 Firehouse

Posted 09 July 2015 - 05:39 PM

That's their problem; why don't they want to spare a few hundred bucks for Acronis TI? Files can be saved on OneDrive/MEGA as well, so when they get encrypted, they can download them back.



#10 Aura (Malware Response Team)

Posted 09 July 2015 - 05:39 PM

> That's their problem; why don't they want to spare a few hundred bucks for Acronis TI? Files can be saved on OneDrive/MEGA as well, so when they get encrypted, they can download them back.

The mindset of a corporate IT department is different from that of a single home user.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 Firehouse

Posted 09 July 2015 - 05:45 PM

AOMEI isn't even expensive for business.



#12 tbird2340 (Topic Starter)

Posted 09 July 2015 - 05:46 PM

So these are encrypted three times?? Can someone explain this? These generally come via an email with a bogus attachment, right?

Are you guys suggesting that a user got 3 separate viruses in the course of a day?

Thanks

#13 Aura (Malware Response Team)

Posted 09 July 2015 - 05:48 PM

Depends on the size of your business. For mine we would have to buy it for... around 5,000 machines? It would come out a bit pricey.

> So these are encrypted three times?? Can someone explain this? These generally come via an email with a bogus attachment, right?
>
> Are you guys suggesting that a user got 3 separate viruses in the course of a day?
>
> Thanks

Well, that's my guess. It has the ransom notes of both Cryptowall and KEYHolder, yet the extension appended to the encrypted files is a signature move from CTB-Locker/Critroni. I'll wait for quietman's insight on this; he should see this thread soon.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
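The attribution argument running through posts #5 and #13 rests on two observable artefacts: which ransom-note files were dropped, and what was appended to the victim's file names. As an added example that is not part of the thread, the script below walks a file tree and reports both, plus how many appended extensions each file carries, so you can tell "several families dropped notes" apart from "the data was actually encrypted several times". The note-name table is an assumption built only from the first post (how_decrypt.html for KEYHolder, HELP_DECRYPT.HTML for CryptoWall 3.0) and the list of ordinary extensions is illustrative; the sample directory it builds is constructed, not the client's share.

```python
"""Added example (not from the thread): triage a file share hit by ransomware.

Walks a directory tree and reports (a) which ransom-note files are present,
mapped to a family, and (b) which extensions were appended to the victim's
files and how many layers of them each file carries.  One dominant appended
extension with a single layer per file means the data was encrypted once,
however many different notes were dropped alongside it.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note file name -> family.  ASSUMPTION: built from the observations in
# the first post of this thread; extend it for the families you actually meet.
NOTE_NAMES = {
    "how_decrypt.html": "KEYHolder",
    "help_decrypt.html": "CryptoWall 3.0",
}

# Extensions a normal office share is expected to contain.  Any suffix after
# the last one of these is treated as appended by the malware.
# ASSUMPTION: illustrative list, not exhaustive.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt", ".html"}


def appended_extensions(name: str) -> list:
    """Return the suffixes appended after the last known extension of a name.

    'report.docx'          -> []
    'report.docx.2jd91kq'  -> ['.2jd91kq']
    'report.docx.aaa.bbb'  -> ['.aaa', '.bbb']  (two layers)
    Names with no known extension at all are skipped (cannot tell).
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    for i in range(len(suffixes) - 1, -1, -1):
        if suffixes[i] in KNOWN_EXTENSIONS:
            return suffixes[i + 1:]
    return []


def triage(root: str) -> dict:
    """Scan a tree: note files per family, appended-extension counts, and a
    histogram of how many appended extensions each encrypted file has."""
    notes = Counter()      # family -> number of note files found
    appended = Counter()   # appended extension -> number of files
    layers = Counter()     # number of appended extensions -> number of files
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            family = NOTE_NAMES.get(name.lower())
            if family:
                notes[family] += 1
                continue
            exts = appended_extensions(name)
            if exts:
                layers[len(exts)] += 1
                appended.update(exts)
    return {"notes": dict(notes), "appended": dict(appended), "layers": dict(layers)}


def single_pass(result: dict) -> bool:
    """True when every encrypted file carries exactly one appended extension and
    all of them share the same one: one encryption pass, not several."""
    return set(result["layers"]) == {1} and len(result["appended"]) == 1


def build_sample_tree() -> str:
    """Constructed sample data (not taken from the thread): two folders, each
    holding both ransom notes and files ending in one appended extension."""
    root = tempfile.mkdtemp(prefix="triage_")
    layout = {
        "Finance": ["budget.xlsx.2jd91kq", "q2_report.docx.2jd91kq",
                    "HELP_DECRYPT.HTML", "how_decrypt.html"],
        "HR": ["staff.pdf.2jd91kq", "readme.txt",
               "HELP_DECRYPT.HTML", "how_decrypt.html"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            Path(root, folder, name).write_bytes(b"\x00")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(result)
    print("single encryption pass:", single_pass(result))
```

Run against a real share, a result with two note families but one appended extension and only single-layer files is the pattern the thread is puzzling over: two notes on disk does not by itself mean two encryption passes. Two distinct appended extensions, or files with two layers, is the signal that would justify Aura's reverse-order decryption concern.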


#14 tbird2340 (Topic Starter)

Posted 09 July 2015 - 05:49 PM

How would that happen though? Is there a payload that delivers all 3 at one time?

#15 Sintharius

Posted 09 July 2015 - 05:54 PM

It is possible to get all three ransomware families from exploit kits. In the past they were also downloaded by trojans like Zbot or Poweliks (and probably still are).

Edited by Alexstrasza, 09 July 2015 - 05:54 PM.
