
Ransomed in 2013 and gave up, still have files, able to decrypt now?


10 replies to this topic

#1 Irishwake83


Posted 22 August 2017 - 10:13 AM

As the title says I was ransomed in 2013 (maybe 2014 I can't quite remember). Either way I didn't pay, cleaned my computers and moved on with life. 

 

I was going through old drives yesterday and restoring old files and came across one of my drives that had been infected and saw a bunch of folders / files that I had lost. I noticed quickly that there are several "decrypt cryptolocker" sites up now however the main one I wanted to try was taken down in late 2014 and the virus ID didn't recognize anything with my files. 

 

I tried - https://id-ransomware.malwarehunterteam.com/identify.php and it says it doesn't know what my files are infected with.

 

The extensions and filenames are unchanged but they just don't open in their respective programs.

 

Is there any hope for these files 4 years later?





#2 Demonslay335


Posted 22 August 2017 - 11:14 AM

If it was truly that long ago, it was probably the original CryptoLocker, or a CryptoWall variant; both are not decryptable. Any sites claiming to decrypt them are scams or just tell you to restore from backups.

 

The only way to know what it actually was is with a ransom note, or if you have a screenshot of the background or something. If the files have no extension or filemarker, there's not much else to go on.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Irishwake83


Posted 22 August 2017 - 11:19 AM

Yeah I've been looking for a ransom note, haven't come across one yet. I tried searching for txt / html / htm but haven't seen anything. I feel confident it was cryptowall based on what I remember.



#4 Amigo-A


Posted 22 August 2017 - 12:06 PM

Irishwake83

The year can be learned from the Properties of the file, when it was changed by the crypto-ransomware.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#5 Irishwake83


Posted 22 August 2017 - 12:26 PM

September 6, 2014



#6 Amigo-A


Posted 22 August 2017 - 12:36 PM

September 6, 2014

 

At this time, Cryptowall was very active.

Link: https://www.bleepingcomputer.com/forums/t/532879/original-cryptowall-ransomware-support-and-help-topic-decrypt-instructionhtml/ 


Edited by Amigo-A, 22 August 2017 - 12:42 PM.



#7 quietman7


Posted 22 August 2017 - 06:51 PM

CryptoWall does not append an obvious extension to the end of encrypted filenames.

There are several variants of CryptoWall. The original CryptoWall left files (ransom notes) named DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, and DECRYPT_INSTRUCTION.URL. CryptoWall 2.0 left ransom notes named install_tor.url. CryptoWall 3.0 will leave ransom notes named HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, and HELP_DECRYPT.PNG. CryptoWall 4.0 will leave ransom notes named HELP_YOUR_FILES.TXT, HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.PNG, and HELP_FILE_[random number/letter].HTML. CryptoWall 4.0 will encrypt the actual filename of an encrypted file as well as the data contained in it. Each encrypted file will have a unique name with random characters (0ausbffwh.p5, 72lcvn.iv6nn, x83o8x.ux7, etc) as explained here.


CryptoWall is currently identified by how the files are renamed...it not only encrypts the contents of the file, it encrypts the actual filename itself. CryptoWall 3.0 and 4.0 encrypted files typically will have the same 16 byte header which is different for each victim.

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0, CryptoWall 3.0 & CryptoWall 4.0 is provided by Grinler (aka Lawrence Abrams), in the: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

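An added example, not part of the thread or written by any of its posters: a Python triage sketch that combines the ransom-note names from post #7, the shared 16-byte header that post attributes to CryptoWall 3.0 and 4.0, and the last-modified date tip from post #4. The function names, the rule that a header must appear under at least two different extensions, and the sample tree are assumptions made for this illustration.

```python
import os, re
from collections import Counter, defaultdict
from datetime import datetime, timezone
# Ransom-note names per variant, as listed in the post above.
NOTE_PATTERNS = [
    (r"DECRYPT_INSTRUCTION\.(TXT|HTML|URL)", "CryptoWall (original)"),
    (r"INSTALL_TOR\.URL", "CryptoWall 2.0"),
    (r"HELP_DECRYPT\.(TXT|HTML|PNG)", "CryptoWall 3.0"),
    (r"HELP_YOUR_FILES\.(TXT|HTML|PNG)|HELP_FILE_[0-9A-Z]+\.HTML", "CryptoWall 4.0"),
]

def note_variant(name):
    """Return the variant whose ransom-note naming matches this file name, else None."""
    return next((v for p, v in NOTE_PATTERNS if re.fullmatch(p, name, re.I)), None)

def triage(root):
    """Collect ransom notes and the files that share one 16-byte header."""
    notes, by_header = defaultdict(list), defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path, variant = os.path.join(folder, name), note_variant(name)
            if variant:
                notes[variant].append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # unreadable file on an old drive: skip it
            if len(head) == 16:
                by_header[head].append(path)
    # Files of one type share magic bytes anyway (all PNGs start alike), so
    # only a header seen under two or more extensions counts as suspicious.
    suspects = {h: p for h, p in by_header.items()
                if len({os.path.splitext(x)[1].lower() for x in p}) >= 2}
    header, paths = max(suspects.items(), key=lambda kv: len(kv[1]), default=(None, []))
    days = Counter(datetime.fromtimestamp(os.path.getmtime(p), timezone.utc)
                   .date().isoformat() for p in paths)  # last-modified dates (UTC)
    return {"notes": dict(notes), "header": header, "files": sorted(paths), "modified": days}

def build_sample(root):
    """Constructed sample: two intact files, three sharing a header, one note."""
    stamp = datetime(2014, 9, 6, 12, tzinfo=timezone.utc).timestamp()
    data = {"a.doc": b"\xd0\xcf\x11\xe0" + b"A" * 20, "b.png": b"\x89PNG" + b"B" * 20,
            "c.doc": b"Z" * 17, "d.jpg": b"Z" * 18, "e.xls": b"Z" * 19, "HELP_DECRYPT.TXT": b"note"}
    for name, blob in data.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
        os.utime(os.path.join(root, name), (stamp, stamp))
```

Point `triage()` at the root of the old drive, ideally mounted read-only; `build_sample()` only writes the constructed test tree into a directory you give it.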

#8 Irishwake83


Posted 25 August 2017 - 02:03 PM

The original CryptoWall left files (ransom notes) named DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, and DECRYPT_INSTRUCTION.URL. 

 

I remember those file names, so there is no hope left for these? 



#9 quietman7


Posted 25 August 2017 - 05:38 PM

Unfortunately, there is no known way to decrypt files encrypted by CryptoWall without paying the ransom since there is no way to retrieve the malware developer's private key that can be used to decrypt your files. The only methods you have of restoring your files are explained in the FAQ: How to restore files encrypted by CryptoWall...but there is no guarantee that will work.

#10 HelpPlease44


Posted 02 October 2017 - 11:19 AM

I know it has been years since the release of Cryptowall 2.0 but I have a few questions.

 

1. If we are hit by this, does this mean they will forever have access to our files? Meaning, can they look through our files? Or do they just encrypt/delete them?

2. Is there any decryption tool or key made available yet? I still have a good amount of encrypted files with no backup.

 

Thanks



#11 quietman7


Posted 02 October 2017 - 12:15 PM

When dealing with ransomware, there is no way to know for sure if the cyber-criminals actually steal any of the data or sensitive file information for further criminal activity but I am not aware of any such cases. Rather than the content of your data, they are more interested in obtaining a ransom payment for financial gain. These criminals are in business to make money and make it fast, then move on to the next victim. Although some criminals may threaten to release (expose) information if victims do not pay, uploading someone's data for such nefarious purposes takes too much time and could leave a trail for law enforcement authorities.

And there is still no known way to decrypt files encrypted by CryptoWall without paying the ransom.



