CryptoWall 4.0: Help_Your_Files Ransomware Support Topic


431 replies to this topic

#211 crisis2k

  • Members
  • 121 posts

Posted 23 November 2015 - 10:47 PM

I have just analyzed a new sample of CW4 (a9230c5a78b19647e812842d1f45b846); it seems that they returned to the older information image, however without details concerning the version. At least 6 CW proxies still work.

I can share those host files if anyone needs them.

I'm interested.

Could you send it directly to malwr or reverse.it and post the md5/sha here?

Sorry, you don't have permission for that!

[#10226]

You are not allowed to use the private messaging system.

Need Help?

I can't send you a PM atm. My PM is blocked now. I'm sorry for that.


Edited by crisis2k, 23 November 2015 - 11:05 PM.

:welcome: My Name is Philip You Can Call Me Phil
Thank You I'll be there anytime you need help :rolleyes:



#212 Sintharius (Bleepin' Sniper)

  • Members
  • 5,639 posts
  • Location:The Netherlands

Posted 24 November 2015 - 07:16 AM

The PM system is currently disabled, see here.

#213 crisis2k

  • Members
  • 121 posts

Posted 24 November 2015 - 07:35 AM

The PM system is currently disabled, see here.

Thank you for your amazing help, Alexstrasza. I never knew that.

Alexstrasza, I have a private question for you. I hope you answer me on this.

Can Emsisoft Anti-Malware detect almost all ransomware groups efficiently? Like the teslacrypt family, Cryptowall 4.0, torrentlocker etc...

You are very helpful. Thanks again!


Edited by crisis2k, 24 November 2015 - 10:37 PM.



#214 nico5999

  • Members
  • 2 posts

Posted 25 November 2015 - 01:41 PM

I was given a colleague's system that appears to be infected with CW4 -- it has, for example, HELP_YOUR_FILES.PNG, and filenames are random characters and extensions. They run an old text-based line-of-business database app that uses, among others, .DBF files, and have no backup and are willing to pay the ransom. As a test I tried the single-file decryption offered by the ransom site. It appears to have decrypted the file OK, but it did not restore the filename, leaving a decrypted file with the name DECRYPTED-file.DBF. Without the proper file name, the restoration of the file is incomplete and obviously won't work in the app, and trying to guess the original name based on errors in the app for all decrypted files is, well, out of the question.

 

So, does anyone know if the original filenames can be restored somehow (presuming of course successful decrypt process after paying the ransom and getting the decrypter)?

 

Thanks.
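A defender-side triage script for the symptoms nico5999 describes (HELP_YOUR_FILES notes plus randomised names and extensions), added here as an example and not code from this thread; the rename heuristic, the known-extension list and the sample directory tree are constructed assumptions, not official indicators:

```python
"""Walk a tree and count CryptoWall 4 style ransom notes and randomised file
names per directory, to scope an infection that was caught mid-encryption."""
import os
import re
import tempfile

NOTE_RE = re.compile(r"^HELP_YOUR_FILES\.(PNG|HTML|TXT)$", re.IGNORECASE)
# Assumed rename pattern: short lowercase alphanumeric stem and extension
# where the stem mixes letters and digits, e.g. "27p9k9a1.n9c".
RANDOM_RE = re.compile(r"^[a-z0-9]{4,16}\.[a-z0-9]{2,6}$")
KNOWN_EXT = {"txt", "csv", "log", "ini", "dbf", "doc", "docx", "xls", "xlsx",
             "pdf", "jpg", "png", "gif", "zip", "exe", "dll", "htm", "html", "mp3"}

def looks_randomised(name):
    """True when a file name matches the random-rename heuristic."""
    if not RANDOM_RE.match(name):
        return False
    stem, ext = name.rsplit(".", 1)
    if ext in KNOWN_EXT:          # a real extension, so probably untouched
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    return has_digit and has_alpha

def triage(root):
    """Return {relative dir: (notes, randomised, untouched)} file counts."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sum(1 for f in files if NOTE_RE.match(f))
        rnd = sum(1 for f in files if looks_randomised(f))
        rel = os.path.relpath(dirpath, root)
        report[rel] = (notes, rnd, len(files) - notes - rnd)
    return report

def build_sample_tree():
    """Constructed sample share, partially encrypted before isolation."""
    root = tempfile.mkdtemp(prefix="cw4_sample_")
    layout = {".": ["HELP_YOUR_FILES.PNG", "HELP_YOUR_FILES.HTML", "report.txt"],
              "data": ["HELP_YOUR_FILES.PNG", "27p9k9a1.n9c", "q3r8t2y.1kz",
                       "customers.DBF"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as fh:
                fh.write(b"sample")
    return root

if __name__ == "__main__":
    for d, (n, r, u) in sorted(triage(build_sample_tree()).items()):
        print(f"{d}: notes={n} randomised={r} untouched={u}")
```

Directories with notes but no randomised files are where the process was interrupted, which is the first thing to check when deciding whether a share was fully hit.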



#215 PresComm (Topic Starter)

  • Members
  • 109 posts

Posted 25 November 2015 - 02:06 PM

Nico, as far as I know, there is no direct way of determining the file names pre-encryption.

#216 nico5999

  • Members
  • 2 posts

Posted 25 November 2015 - 02:21 PM

Nico, as far as I know, there is no direct way of determining the file names pre-encryption.

 

Thanks for the response.  Is it likely (or does anyone know for sure) that the "Decrypt 1 file for FREE" process might differ from the actual program received after paying the ransom regarding the restoration of the filename?

 

Any other advice?

 

Thanks.



#217 Flagman42

  • Members
  • 2 posts

Posted 25 November 2015 - 07:22 PM

Hi,

 

Thanks for this thread it's been helpful. Someone picked up this today apparently from an infected website, they were on a Citrix session and I think I've narrowed down which server and confined the problem to their account... I can't find the .exe though, any ideas where it might be?

 

There doesn't seem to be anything suspicious in \appdata\roaming or local.

 

Thanks again



#218 Grinler (Lawrence Abrams)

  • Admin
  • 43,300 posts
  • Location:USA

Posted 25 November 2015 - 08:06 PM

Scan the computer with some AV software to be safe, but Cryptowall typically does not leave anything behind once it's done.

#219 Flagman42

  • Members
  • 2 posts

Posted 26 November 2015 - 11:36 AM

Scan the computer with some AV software to be safe, but Cryptowall typically does not leave anything behind once it's done.

Left scans running all night, I'm going to check them now.

 

We caught it mid encryption, pulled the user off the network and disabled his AD account. So what I am trying to figure out is will there be something left that will resume as soon as we restore his AD account? Hope that makes sense.



#220 Grinler (Lawrence Abrams)

  • Admin
  • 43,300 posts
  • Location:USA

Posted 26 November 2015 - 12:13 PM

The initial installer injects the program that actually encrypts your data into explorer/svchost.exe so it essentially becomes fileless at that point. On reboot that injected code is no longer there and I am pretty sure cryptowall does not leave any autoruns behind.

#221 maxtrix

  • Members
  • 1 post

Posted 26 November 2015 - 01:58 PM

The initial installer injects the program that actually encrypts your data into explorer/svchost.exe so it essentially becomes fileless at that point. On reboot that injected code is no longer there and I am pretty sure cryptowall does not leave any autoruns behind.

We were also infected yesterday (also stopped it mid-encryption).. all scans show no trace of the Malware.  Should the machine be wiped clean? Or can the scans be trusted?



#222 Sintharius (Bleepin' Sniper)

  • Members
  • 5,639 posts
  • Location:The Netherlands

Posted 26 November 2015 - 03:26 PM

Alexstrasza, I have a private question for you. I hope you answer me on this.
Can Emsisoft Anti-Malware detect almost all ransomware groups efficiently?
Like the teslacrypt family, Cryptowall 4.0, torrentlocker etc...

My opinion is biased, but since crypto ransomware are pretty similar in behaviors Emsisoft's Behavior Blocker technology should be able to stop them.

If you want to confirm it for yourself you will need to install a trial of EAM/EIS and test it with droppers, and I do not recommend you do that if you are not a professional.

#223 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,104 posts
  • Location:Virginia, USA

Posted 26 November 2015 - 04:39 PM

...Can Emsisoft Anti-Malware detect almost all ransomware groups efficiently?
Like the teslacrypt family, Cryptowall 4.0, torrentlocker etc...

The best defensive strategy to protect yourself from ransomware (crypto malware infections) is a comprehensive approach...make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, disable VSSAdmin.exe, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage and routinely back up your data...then disconnect the external drive when the backup is completed.

You should also rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software.

...Prevention before the fact is the only guaranteed peace of mind on this one.

How do I decrypt files encrypted by ransomware?

Some anti-virus and anti-malware programs include built-in anti-exploitation protection. For example, Emsisoft Anti-Malware uses advanced behavior blocking analysis which is extremely difficult to penetrate...it continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. Emsisoft has the ability to detect unknown zero-day attacks and file-encrypting malware (ransomware) attacks.

ESET Antivirus and Smart Security uses a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET Antivirus (and Smart Security) includes Exploit Blocker which is designed to fortify applications that are often exploited, such as web browsers, PDF readers, email clients or MS Office components. This feature monitors the behavior of processes, looks for and blocks suspicious activities that are typical for exploits including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java.

As with most ransomware...your best defense is back up, back up, back up and the best solution for dealing with encrypted data is to restore from backups. Backing up data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#224 crisis2k

  • Members
  • 121 posts

Posted 27 November 2015 - 12:09 AM

Alexstrasza, I have a private question for you. I hope you answer me on this.
Can Emsisoft Anti-Malware detect almost all ransomware groups efficiently?
Like the teslacrypt family, Cryptowall 4.0, torrentlocker etc...

My opinion is biased, but since crypto ransomware are pretty similar in behaviors Emsisoft's Behavior Blocker technology should be able to stop them.

If you want to confirm it for yourself you will need to install a trial of EAM/EIS and test it with droppers, and I do not recommend you do that if you are not a professional.

Thank you Alexstrasza.

...Can Emsisoft Anti-Malware detect almost all ransomware groups efficiently?
Like the teslacrypt family, Cryptowall 4.0, torrentlocker etc...

The best defensive strategy is a comprehensive approach...make sure you are running an updated anti-virus and anti-malware product, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, update all vulnerable software and routinely back up your data. You should also rely on behavior detection programs rather than standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files rather than just detecting the malicious file itself, which in most cases is not immediately detected by anti-virus software.

For example, Emsisoft Anti-Malware uses advanced behavior blocking analysis which is extremely difficult to penetrate...it continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. Emsisoft also has the ability to detect unknown zero-day attacks without signatures. ESET Antivirus and Smart Security uses Exploit Blocker which is designed to fortify applications that are often exploited, such as web browsers, PDF readers, email clients or MS Office components.

Ransomware Prevention Tools: Backing up your data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

Thank you quietman7.




#225 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,104 posts
  • Location:Virginia, USA

Posted 27 November 2015 - 10:21 AM

You're welcome on behalf of the Bleeping Computer community.