
CRYPTOWALL INFECTION


  • This topic is locked
5 replies to this topic

#1 HOTWAFFLEWOMAN

  • Members
  • 2 posts

Posted 03 August 2015 - 09:28 AM

Hi, I haven't posted before but I'm looking for some advice for the layperson on how best to approach a contaminated Dropbox that's shared across a number of devices. By no means tech savvy, but I can digest and carry out simple instructions! I have contacted my internet security provider Bullguard, but am still waiting on a reply. I have a number of PCs within a charity outfit (I'm based in Scotland, www.afasicscotland.org.uk) and am a bit unsure if we should actually use the PCs/laptops which share Dropbox files and if we also risk infection across devices, remote or otherwise. Assuming we get the malware removed, is the only option to lose the files and only try to recover older versions? Any advice would be appreciated - these issues are so challenging and completely unfamiliar territory for the unsuspecting user. Trying to effect a solution, but damage limitation is the key thing. I don't want to lose files if at all possible. Unfortunately I have no backup regime in place (I blame the administrator... his life will hang precariously in the balance until the virus outcome is known) that gives me access to externally stored (current-ish! or current-enough!) files. I have spent the last week working my fingers to the bone typing away funding applications for the charity, which are all sitting in semi-complete stages... yes, it would have to happen at the most critical time.) Thanks in anticipation. Very best regards, Arianna





#2 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 03 August 2015 - 02:54 PM

Hello Arianna,

My name is Alexstrasza and I will assist you with your problem. You can call me Alex :)

Please allow me some time to consult with my instructor, and I will be back with more information.

In the meantime, please let me know if you need help removing the infection or not.

Regards,
Alex

#3 HOTWAFFLEWOMAN
  • Topic Starter

  • Members
  • 2 posts

Posted 05 August 2015 - 08:53 AM

Hi, I received an email from you and replied to that. I indeed need some more help. Bullguard has initiated a painfully slow process of requesting scan logs and we are still waiting for further instructions. Bottom line is we've run the Bullguard scan, followed by a Combofix scan, which has been sent to them directly. I have essential files which are all stored on Dropbox, all encrypted. Dropbox is used across, say, 10 other devices and we all need access to the most current version. I can see how to restore files to previous versions but really need something better than this solution if at all possible. Granted, we didn't have an external backup regime, neither did we systematically scan for infections etc. other than having software running in the background. That said, we are where we are. Is there something we can employ to get the key files back? I'm at a critical funding time and I can't access the necessary data - panic setting in as I'm working to a deadline. Also, I wanted to determine if accessing any files will do further damage.

 

I have determined the PC which had the email attachment with CryptoWall - I can see we received this on the 20th July despite being unaware of it until several days ago. I'd like to know why it wasn't picked up by Bullguard; although it looks like it had been junked, it was picked up as a potential legit email and opened that way.

 

If you could give me any advice/guidance on how best to proceed that would be great. Obviously have the scan logs if helpful. If you can let me know if I should respond to you only via the forum that would also be helpful. Thanks !



#4 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 06 August 2015 - 08:26 AM

Hi Arianna,

Since you are already working with Bullguard, it is best that only one person works on your machine at a time since multiple helpers can cause confusion for both sides.

I can take a look at the machine after you have finished working with them. However I can answer your questions.

Dropbox is used across, say, 10 other devices and we all need access to the most current version. I can see how to restore files to previous versions but really need something better than this solution if at all possible. Granted, we didn't have an external backup regime, neither did we systematically scan for infections etc. other than having software running in the background. That said, we are where we are. Is there something we can employ to get the key files back?

To retrieve the current version you will need access to the private key, which is in the hands of the criminals controlling the ransomware unfortunately. There is no way to get it without paying - your best bet is to check the previous version and see if it has the contents you need.

Also, I wanted to determine if accessing any files will do further damage.

The ransomware should be gone when it finished encrypting your files, leaving behind the ransom notes and encrypted files - attempting to access them will not cause further damage.

I have determined the PC which had the email attachment with CryptoWall - I can see we received this on the 20th July despite being unaware of it until several days ago. I'd like to know why it wasn't picked up by Bullguard; although it looks like it had been junked, it was picked up as a potential legit email and opened that way.

The CryptoWall file is packed (encrypted) and thus went unnoticed by your antivirus software. Unfortunately most modern AVs are rather ineffective against crypto ransomware, at least before it encrypts your data.

If you can let me know if I should respond to you only via the forum that would also be helpful.

Please post all replies to me on the forum, as you cannot reply to the mail and assistance outside the forum is not allowed.

Let me know how you want to proceed.

Regards,
Alex

#5 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 10 August 2015 - 07:23 AM

Hello,

Are you still there? It's been three days since my last post.

Regards,
Alex

#6 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 12 August 2015 - 11:36 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
