
CryptoWall infection stopped by pulling the network plug? What now?


6 replies to this topic

#1 Stiv77 (Members)

Posted 26 January 2016 - 10:42 AM

Hello everybody,

I'm new to the site but it's already been very useful for me, so thank you in advance.

 

Here is my story:

My computer (Windows 7, 64-bit) has been infected by some version of CryptoWall, but somehow the malware has not been able to do much damage (yet), or at least so it seems to me. I'll try and be as specific as possible:

 

While browsing (Internet Explorer 11) I received a couple of red alert messages from my AV asking if I wanted to delete or ignore the file(s), and I chose "delete". After that, the infamous CryptoWall popup came out, with the all-too-well-known ransom note (actually I know about it NOW, after reading your forums; I didn't know anything until yesterday). Immediately after the ransom note popped up, instinctively I pulled the plug of my Internet connection and closed every running application. The computer has NOT been online since then.

 

Then I deleted the ransom note files present on my desktop (by the way with filename "INSTRUCTIONS_74A474" - different from any other report I have read in the forums - and the usual three extensions) and checked the recycle bin: strangely, all the more recent items were gone (about 20 files), and only the oldest 3 items were remaining, along with the three ransom notes I had just moved to the bin.

 

Then I performed a full cleaning by running CCleaner. Now I really hope this was not a bad move as far as finding the malware is concerned.

 

Then I looked for more ransom notes on my computer, finding some only in the local disk C: directory and in the Appdata/Roaming/Microsoft/Windows/Start Menu/Programs/Startup directory. The latter was empty apart from the three ransom notes. I do not know whether there was supposed to be something there, but I guess so. I cannot exclude that other ransom notes could be found elsewhere, but I did "look around" quite a lot without finding more of them.

 

Now here is the most important piece of information: not a single file on my computer seems to have been encrypted. This was confirmed by running ListCwall (as found on your site). Using USB keys also does not trigger any encryption whatsoever, so I have been able to use an old USB key to move anti-malware programs from my wife's laptop to mine.

 

Malwarebytes Anti-Malware (database updated offline at 2015.12.31) found only one item: PUP.Optional.Installbrain.

-> while it was running I could see there were a lot of objects under the pattern programdata/microsoft/crypto/RSA/S-1-5-18, but now I guess this is not relevant, or is it? (seeing the word Crypto was enough to shock me...)

 

 

What do you think might have happened? Did my AV stop the CryptoWall infection or was it me pulling the Internet plug? Some damage has been done for sure (Recycle bin partially deleted and possibly Startup directory as well, ransom notes here and there), but the malware cannot be found - and thus fought - by the standard anti-malware programs.

I am afraid that the malware will start encrypting my files the minute I go back online. How realistic is that in your view?

 

Sorry for the long post, and for any information which should still be missing.

Thank you in advance for your help,

Stefano

 

PS: since USB drives are not affected, I should be able to make all the necessary backups in the meantime.

 





#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 26 January 2016 - 12:28 PM

CryptoWall does not change extensions on a file like many other ransomware infections, which encrypt a file and add an obvious extension to the end of the filename. CryptoWall is currently identified by how the files are renamed...it not only encrypts the contents of the file, it encrypts the actual filename itself.

There are several variants of Cryptowall. The original CryptoWall leaves files (ransom notes) with names like DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, and DECRYPT_INSTRUCTION.URL. CryptoWall 2.0 leaves ransom notes named install_tor.url. CryptoWall 3.0 leaves ransom notes named HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, and HELP_DECRYPT.PNG but does not change the file extension of the file it encrypts. CryptoWall 4.0 leaves ransom notes named HELP_YOUR_FILES.TXT, HELP_YOUR_FILES.HTML and HELP_YOUR_FILES.PNG. CryptoWall 4.0 also will encrypt the actual filename of an encrypted file as well as the data contained in it. Each encrypted file will have a unique name with random characters (0ausbffwh.p5, 72lcvn.iv6nn, x83o8x.ux7, etc). More information in this BC news article...What you describe may be something new and yes it is possible the infection did not do what it is supposed to do...encrypt your data.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic.

Most crypto ransomware is typically programmed to automatically remove itself...the malicious files responsible for the infection...after the encrypting is done since they are no longer needed. However, most victims don't know how long the malware was on the system before they were alerted or if another piece of malware was responsible for installing it. If other malware was involved it could still be present if your antivirus did not detect and remove it.

If you need individual assistance only with removing the malware infection, follow the instructions in the Malware Removal and Log Section Preparation Guide...all other questions or comments should be posted in the support topics. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 26 January 2016 - 12:45 PM

Malwarebytes Anti-Malware...-> while it was running I could see there were a lot of objects under the pattern programdata/microsoft/crypto/RSA/S-1-5-18, but now I guess this is not relevant, or is it? (seeing the word Crypto was enough to shock me...)

%ProgramData%\Microsoft\Crypto\RSA\MachineKey and Crypto\RSA\S-1-5-18 are legitimate sub-folders where Windows stores SSL certificate pair keys for the computer and all users. Whenever a connection is established and a certificate request is generated, a new file is created and stored in that sub-directory.

#4 Grinler (Lawrence Abrams, Admin)

Posted 26 January 2016 - 12:50 PM

ListCwall is no longer working, unfortunately. I will get that pulled, so please do not rely on it.

If a folder has the ransom note in it, assume that CryptoWall scanned it.
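Reply #2 lists the ransom-note filenames used by each CryptoWall variant, and reply #4 gives the triage rule that any folder containing a note should be treated as scanned. The script below is an added example, not a tool from BleepingComputer or from anyone in this thread: it walks a directory tree, labels each ransom note by variant, and for every folder that holds one lists the other files a responder should inspect (without touching them). Two things are assumptions of this example rather than facts from the thread: the topic starter's INSTRUCTIONS_74A474 note is generalised to an INSTRUCTIONS_<hex> pattern of unknown variant, and the random-filename check for CryptoWall 4.0 renames is a heuristic built from the three sample names quoted in reply #2. The sample tree it scans is constructed inline so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Ransom-note filename stems per CryptoWall variant, taken from reply #2 above.
# Matched case-insensitively on the stem, so .TXT/.HTML/.URL/.PNG all count.
NOTE_STEMS = {
    "DECRYPT_INSTRUCTION": "CryptoWall 1.0",
    "INSTALL_TOR": "CryptoWall 2.0",
    "HELP_DECRYPT": "CryptoWall 3.0",
    "HELP_YOUR_FILES": "CryptoWall 4.0",
}
# The topic starter saw INSTRUCTIONS_74A474.* notes. Assumption: the hex suffix varies
# per victim, so any INSTRUCTIONS_<hex> stem is treated as a note of unknown variant.
UNKNOWN_NOTE = re.compile(r"^INSTRUCTIONS_[0-9A-F]{4,}$", re.IGNORECASE)

# CryptoWall 4.0 renames encrypted files to random lowercase alphanumerics with a
# short random extension (0ausbffwh.p5, 72lcvn.iv6nn, x83o8x.ux7). Heuristic only:
# a digit is required so ordinary names such as budget.xlsx are not flagged.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{5,}\.[a-z0-9]{2,5}$")


def classify_note(filename):
    """Return the variant label if filename is a known CryptoWall ransom note, else None."""
    stem = Path(filename).stem.upper()
    if stem in NOTE_STEMS:
        return NOTE_STEMS[stem]
    if UNKNOWN_NOTE.match(stem):
        return "unknown variant (INSTRUCTIONS_* note)"
    return None


def find_ransom_notes(root):
    """Map each folder (relative to root) that holds a ransom note to the variants seen."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify_note(name)
            if label:
                rel = os.path.relpath(dirpath, root)
                hits.setdefault(rel, set()).add(label)
    return hits


def triage(root):
    """For every folder with a note (which CryptoWall therefore scanned), list the
    variants, the other files to inspect, and the names that look like 4.0 renames."""
    report = {}
    for rel, variants in find_ransom_notes(root).items():
        folder = os.path.join(root, rel)
        others = sorted(
            name for name in os.listdir(folder)
            if os.path.isfile(os.path.join(folder, name)) and classify_note(name) is None
        )
        report[rel] = {
            "variants": sorted(variants),
            "files_to_check": others,
            "possibly_renamed": [name for name in others if RANDOM_NAME.match(name)],
        }
    return report


def build_sample_tree():
    """Constructed sample tree (no real malware output) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="cw_triage_")
    layout = {
        "docs": ["HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML",
                 "0ausbffwh.p5", "72lcvn.iv6nn", "budget.xlsx"],
        "Startup": ["INSTRUCTIONS_74A474.TXT", "INSTRUCTIONS_74A474.HTML",
                    "INSTRUCTIONS_74A474.URL"],
        "photos": ["holiday.jpg"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            Path(root, folder, name).write_text("constructed sample content\n")
    return root


if __name__ == "__main__":
    # Point triage() at a real drive root (e.g. a mounted image) instead of the sample tree.
    for rel, info in sorted(triage(build_sample_tree()).items()):
        print(f"{rel}: {info['variants']}")
        print(f"  files to check: {info['files_to_check']}")
        print(f"  possibly renamed: {info['possibly_renamed']}")
```

Run it against a mounted copy of the affected drive rather than the live system; the script only reads directory listings, so it is safe to use before any cleanup, and a folder that appears in the report with an empty files_to_check list (like the Startup folder in the thread) tells you CryptoWall visited it even though nothing there was left to encrypt.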

#5 Stiv77 (Topic Starter)

Posted 27 January 2016 - 08:53 AM

Thank you so much for your replies and the useful information provided.

Given that the threat may still be active and that this may have been a new version of Cryptowall, I will definitely ask for assistance in removing this and any further malware, in the relevant forum obviously.

One more question though, regarding rebooting: would it be dangerous to reboot my computer considering that ransom notes were found in the startup directory, which was otherwise totally empty? How normal is it for a startup directory to be empty? I lack the experience to tell. I'm just afraid that rebooting could trigger the encryption or some other damage. Would it be safe at least to do it in... safe mode?

Why on earth should I reboot?
I inserted a new, larger USB key to make backups, and after the short driver installation the system prompted me to reboot in order to save changes (I said no thanks). After this, though, the system is not reacting no matter which USB key I try to insert. So I was wondering, do I have to reboot to go ahead with the backups or could this be avoided? If I have to, should it always be in safe mode?

I hope the situation is clear; please bear with me as English is not my mother tongue.
Once again, thank you!

#6 Stiv77 (Topic Starter)

Posted 01 February 2016 - 03:04 PM

Just a short update: My request for assistance in the Malware removal log forum has been answered! So I am receiving assistance at this time - I will try and apply the suggested measures tonight. Thank you.

#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 01 February 2016 - 03:18 PM

You're welcome and good luck.



