Recently in my network I had two infections with CryptoWall Version 3.0, so after reading as much as possible about this kind of infection and doing some tests I found a file, which gets deleted right before the encryption starts, that could be handy.
Here is my theory:
The virus gets onto the computer and runs. Before it starts to encrypt the files it erases the shadow copies and restore points, and at some point it needs to generate the public and private key in order to be able to start the encryption. Also, because the links in the final page (and in every folder) end with a string that differs from one infection to another, that raises the probability that the keys are generated locally, uploaded to a database over the internet, and only after this succeeds does the encryption of files start.
The idea explained above is based on a file discovered on both of the infected computers. It is called Recovery_file_[random chars].txt. I was able to recover the files from both computers with Recuva, and what I found inside raised some questions and the above-mentioned theory.
Inside the file there are 5 lines of scrambled characters. The last line matches the ending string of the links from the ransom page/text file; the others could be the private key and the public key with some checksum ??!
What is your opinion on this?
Is anyone who paid the ransom able to send me the decryption software so I can test the strings found on the encrypted documents?
Edited by computerxpds, 13 August 2015 - 06:30 AM.
Moved to Gen. Sec. from MRL
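As an added worked example (this is not part of the original post and not the poster's recovered data): a small Python script that does the comparison the post describes by hand, i.e. takes a recovered Recovery_file, pulls the trailing string off every link in the ransom note, and reports per line the length, the apparent alphabet (hex / base64 / other) and the entropy, flagging the line that equals a link suffix. The file contents, the note text and the example.invalid links are constructed stand-ins; the function names are mine.

```python
import math
import re
from collections import Counter

# Constructed sample of a five-line "Recovery_file" of the shape the post
# describes (random-looking strings, not real CryptoWall artifacts).
RECOVERY_FILE = """\
Qm9ndXNLZXlNYXRlcmlhbEZvckRlbW8xMjM0NTY3ODkw
3fa9c2e81b7d4e6f0a5c9d2b8e1f7a63
d41d8cd98f00b204e9800998ecf8427e
c2Vjb25kQmxvYk9mRGVtb0RhdGEwOTg3NjU0MzIx
1bc9d7e5
"""

# Constructed ransom-note text: only the shape matters here (several links that
# share one trailing per-victim string); wording and domains are made up.
RANSOM_NOTE = """\
To decrypt your files follow one of the links below:
1. https://example.invalid/1bc9d7e5
2. https://example.invalid/1bc9d7e5
3. https://example.invalid/1bc9d7e5
"""

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tops out near 4, random base64 near 6."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_charset(s: str) -> str:
    """Rough guess at the alphabet a line uses. Hex is tested first because
    every hex string also satisfies the base64 alphabet."""
    if re.fullmatch(r'[0-9a-fA-F]+', s) and len(s) % 2 == 0:
        return 'hex'
    if re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', s) and len(s) % 4 == 0:
        return 'base64'
    if s.isalnum():
        return 'alnum'
    return 'other'


def link_suffixes(note: str) -> set:
    """Trailing path component of each URL in the note (the per-victim string)."""
    suffixes = set()
    for url in URL_RE.findall(note):
        url = url.rstrip('.,;:)')
        tail = url.rstrip('/').rsplit('/', 1)[-1]
        if tail:
            suffixes.add(tail)
    return suffixes


def analyze(recovery_text: str, note_text: str) -> list:
    """One record per non-empty line of the recovery file."""
    suffixes = link_suffixes(note_text)
    records = []
    for i, line in enumerate(l.strip() for l in recovery_text.splitlines()):
        if not line:
            continue
        records.append({
            'line': i + 1,
            'length': len(line),
            'charset': classify_charset(line),
            'entropy': round(shannon_entropy(line), 2),
            'matches_link': line in suffixes,
        })
    return records


def matching_line(records: list):
    """Line number of the first line equal to a ransom-link suffix, else None."""
    for r in records:
        if r['matches_link']:
            return r['line']
    return None


if __name__ == '__main__':
    recs = analyze(RECOVERY_FILE, RANSOM_NOTE)
    for r in recs:
        print(r)
    print('line matching the ransom links:', matching_line(recs))
```

Run it against the real recovered file and note by replacing the two constants. A line that equals the link suffix is a per-victim identifier, which is all the comparison proves; the length and alphabet of the remaining lines only hint at their format and say nothing about whether any of them is key material.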