Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CryptoWall Infecction


  • This topic is locked This topic is locked
2 replies to this topic

#1 guindi50

guindi50

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Egypt
  • Local time:09:06 PM

Posted 14 September 2015 - 08:38 AM

Hello!

Two days ago I opened a partition on my computer & tried to open any file within a folder in it with any extension but I found out that they were all encrypted (Word, Corel, JPG, TXT, etc...). I found files with the reg extension named as follows:

cc_20150624_155502.reg and cc_20150705_125553.reg

I found also two other files named:

HELP_DECRYPT.HTML and HELP_DECRYPT.PNG as well as a shortcut named HELP_DECRYPT

 

One of reg files contained at its end the following:

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]

"G:\\flashplayer18ax_ra_install.exe"=dword:00000001

 

As well as the following text file:

Attention! All your files are encrypted!
You are currently browsing the content of a pornographic nature, so all your files are encrypted!!!
What happened to your files?

All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.

More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

 

How did this happen?

Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

All your files were encrypted with the public key, which has been transferred to your computer via the Internet.

Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

 

You must send 500 USD/Euro voucher Ukash or Paysafecard.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1.http://ayh2m57ruxjtwyd5.abctopayforwin.com/1Q800d1

2.http://ayh2m57ruxjtwyd5.bcdthepaywayall.com/1Q800d1

3.http://ayh2m57ruxjtwyd5.deballmoneypool.com/1Q800d1

4.http://ayh2m57ruxjtwyd5.armnsoptionpay.com/1Q800d1

 

If for some reasons the addresses are not available, follow these steps:

1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en

2.After a successful installation, run the browser and wait for initialization.

3.Type in the address bar: ayh2m57ruxjtwyd5.onion/1Q800d1

4.Follow the instructions on the site.



BC AdBot (Login to Remove)

 


#2 littledemas

littledemas

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:06 PM

Posted 14 September 2015 - 10:29 AM

This happened to me on Friday morning,.



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:06 PM

Posted 14 September 2015 - 02:43 PM

- CryptoWall 3.0 leaves files (ransom notes) named:
HELP_DECRYPT.TXT
HELP_DECRYPT.HTML
HELP_DECRYPT.URL
HELP_DECRYPT.PNG

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Cryptowall typically deletes (though not always) all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. Another possible options is to try file recovery software such as R-Studio or Photorec to recover some of your original files but there is no guarantee that will work.

At this time there is no fix tool and Decryption of any CryptoWall Files...is impossible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. The only other alternative is to save your data as is and wait for possible updates...meaning, what seems like an impossibility at the moment (decryption of your data) there is always hope someday there may be a breakthrough or possible solution so save the encrypted data and wait until that time.

There are also ongoing discussions in these topics:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users