

Updated CryptoWall 2.0 ransomware released that makes it harder to recover files


68 replies to this topic

#31 TRJ

  • Members
  • 2 posts

Posted 25 October 2014 - 12:55 PM

I am not an I.T. guy but I feel compelled to share what I did; maybe it helps, maybe not. My home computer began running very slow and Norton began showing my PC usage was too high. I already had Malwarebytes installed, ran it, everything's fine, ran Norton, everything's fine. Ran disc cleaner, defrag, anything I had available to me. PC still acting funny. Opened Task Manager, I didn't recognize some items and decided to use MSCONFIG and close all but essential items. Started poking around music files that were not working and came across 2 of DECRYPT_INSTRUCTION and 1 of INSTALL_TOR. Did a Google search and found out they were really bad. Immediately I went into safe mode and began Malwarebytes. It says everything's fine. Then Norton, everything's fine. Then I began manually removing all 3. I took a separate PC to use the internet and search for help. As you all now know there's not much help out there. While in safe mode, I hit Start, hit Computer and did a search for the 2 bad files. There were thousands of hits and I deleted all. I did the same thing for files and folders. Thousands of hits. Deleted them all. Taking note of the times of these files being downloaded to me: Friday night between 8:39 and 8:52. My computer was on, supposed to be asleep. I was not home. I found this site, went into safe mode with networking and downloaded Rkill and used it. I went back into safe mode and did all the above mentioned again. The last 2 times I emptied my recycle bin, I deleted over 12,000 files. This doesn't include the other times, so I conservatively estimate I deleted 15,000 files. It's been 2 days and everything seems back to normal. I don't know if I'm out of the woods yet, but I am encouraged. I have no idea how I got this. I think I caught it early, there was no icon on desktop. I lost nothing of importance to me. I hope this helps!!!!





#32 Netflyer165

  • Members
  • 49 posts

Posted 26 October 2014 - 01:23 AM

dbprime and kaner241, have you found the infected workstation and 'the computer that acted as the source' from your external drive infection? The reason I ask is I have checked 20+ workstations and cleaned up stuff but have NOT found ANY infected files. For me ONLY my mapped drive was affected. Similar to kaner241's issue. I checked each machine for the suspected reg entries, ran Ad-Aware, checked for rootkits with Malwarebytes Anti-Rootkit... and of course checked each workstation that has a mapped drive to my server (which has no internet access of course, no email, low surface area for attack) for any of the 3 files, and they were nowhere to be found. Very frustrating, but the bug only took out the mapped drive with no indication of the source PC. I've used the crypto policy program available in the FAQ mentioned here in the OP on each workstation and the server to, hopefully, prevent a reinfection.



#33 wizardfromoz

  • Banned
  • 2,799 posts
  • Gender: Male

Posted 26 October 2014 - 02:51 AM

TRJ, if you have not received same, yet

 

:welcome: to Bleeping Computer!

 

Wow, good effort on your part, glad for the favourable results.

 

It's worth mentioning at this point that RKill was DEVELOPED at BC, and is available at the Downloads Section, click Windows.

 

You won't see me much around areas other than Linux, my passion, but well done, again - hope all others are successful in defeating this woeful beast.

 

I say to The Black Hats - Get a Life. Do something constructive.

 

:wizardball: Wizard



#34 TRJ

  • Members
  • 2 posts

Posted 26 October 2014 - 04:24 PM

Thank you Wizard, you and others deserve the credit if I was successful!! I read everything I could while fighting this! Thank you all very much and keep up the good work!!!!!



#35 dbprime

  • Members
  • 2 posts

Posted 26 October 2014 - 04:33 PM

Netflyer165 - Scanned every machine that was attached to the network and no other files were encrypted. I did find some malware on three PCs; however, they were very minor issues - nothing that pointed back to CryptoWall. So far, no other flare-ups and I am rechecking the machines daily to see if anything changes. I actually would feel better if I found a workstation that was infected!



#36 Netflyer165

  • Members
  • 49 posts

Posted 27 October 2014 - 07:24 AM

I'm so with you dbprime, I can't believe I can't find the infected workstation... My server was hit but the infection did not spread past the mapped drive so it HAD to come from a workstation. I have obviously checked the server and it is clean...

I'm wondering, and off to work today to try the 'listCwall' program offered here on BC... it supposedly lists all the files that have been encrypted from the affected registry. Doesn't ONE of my workstations HAVE to have an affected registry? I mean even if the other files somehow were not affected. ONE workstation HAS to be the 'directory' of the decryption with that list or the key they sell you would not work... right? Unless now the list is being uploaded to them somehow and is nowhere locally... that seems difficult to manage...

I found minor issues on a few PCs also, btw... so I feel we are in the same boat.

I'm going to run listCwall on all my workstations, I'll report back.



#37 leothe3rd

  • Members
  • 1 post

Posted 29 October 2014 - 09:47 AM

Cryptowall has encrypted at least 2TB of very sentimental data!!!! I've been mourning the loss for days. I refuse to delete the data in the hopes that the decryption keys are seized like they were for some Cryptolocker victims. I couldn't even access the links in the Decryption Instructions if I wanted to pay. Tor browser wouldn't allow me to get to the links either. I wish I could hire a Supercomputer to figure out the decryption code. This is awful.   



#38 John_H555

  • Members
  • 10 posts

Posted 01 November 2014 - 03:04 PM

On my machine, which is not networked, it occurred to me the virus made its way in by impersonating my antivirus program.

The program suddenly alerted me to a potential infection by adware generic_r.UJ and asked if I wanted to delete certain files. I clicked yes. Maybe the click opened up the machine to infection by Cryptowall.

I gather I will need to do a clean re-install. I have a terabyte external drive I use for backups, usually turned off. I would like to create a folder to store my encrypted files -- against the possibility someone eventually figures out how to decrypt them.

Do I dare light up my external drive and start moving encrypted files over there? Or am I risking the encryption of my backups?

Thank you for your insights. John

#39 wizardfromoz

  • Banned
  • 2,799 posts
  • Gender: Male

Posted 01 November 2014 - 05:16 PM

leothe3rd and John_H555 - :welcome: to BC, even under such tragic circumstances, hope you enjoy your time here.

Sorry I can't help a lot with your probs, as I am a Linux user.

 

But consider going over here, and downloading, if you haven't already, ListCWall, or ListCryptoWall. This is BC's own contribution to the fight against this style of cyber crime, and receives kudos around the Net.

 

While you ARE with us, and waiting for answers from those who know better than I, you might consider doing as I (& others) have done. Click my avatar (photo) to view my profile, and read my signature below.

 

Fleshing out your profile (no need to worry about age gender & location if you have privacy issues), and your signature will allow those helping you to understand your environment better, which gives them a headstart and you an answer more quickly. Also useful info for them to check when you are offline and unavailable to answer questions.

 

Netflyer165, whose work is affected by this dilemma, has undertaken to report back how he finds ListCWall; we'll see what comes of that.

 

For AFTER you've hopefully found a solution, you may want to implement backup strategies that can avoid these Nasties, I have two in mind but I won't go off-topic here in Grinler's zone. I will be writing about them later in the week either in both the Windows area and the Linux area, or in Security, wherever most appropriate. PM me otherwise, but read the Posts.

 

Above all

 

Keep Smilin' :wink:

 

:wizardball:  Wizard



#40 SleepyDude

  • Malware Response Team
  • 4,196 posts
  • Gender: Male
  • Location: Portugal

Posted 02 November 2014 - 06:15 PM

Hi,

 

Do I dare light up my external drive and start moving encrypted files over there? Or am I risking the encryption of my backups?

Thank you for your insights. John

 

If you connect the external drive with the infection active on the computer it will most likely start encrypting all the files accessible on the external disk.

 

To be safe use a Linux live CD like Puppy Linux to transfer your data files.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#41 cfourkays

  • Members
  • 33 posts
  • Gender: Male
  • Location: Jensen Beach FL

Posted 02 November 2014 - 06:19 PM

Any of the top techs working on this need any ...wall files?

I have the:

DECRYPT_INSTRUCTIONS.TXT

DECRYPT_INSTRUCTIONS.HTML

INSTALL_TOR

 

I got them off a customer's PC with a 'no and slow internet access' problem. Didn't know it had been hit until I tried to open a PDF.



#42 Netflyer165

  • Members
  • 49 posts

Posted 02 November 2014 - 08:20 PM


 

Netflyer165 who is work affected by this dilemma has undertaken to report back how he finds ListCWall, we'll see what comes of that.

 

I have checked 25 workstations with ListCWall and all have come up clean. I still cannot ID the 'smoking gun' computer.
I run either Kaspersky PURE or Microsoft Security Essentials with Malwarebytes on each computer. I have a hardware firewall that does not allow compacted .exe's in, or any .exe for that matter... yet still this bug made it through, did its damage to a DISTANT mapped drive on a server with no internet connection and got the heck out of Dodge (left my machine with no trace of itself). I've been following the European version and it attacked through a hacked terminal services vulnerability (or it is thought); I'm wondering if the same may have occurred but it doesn't seem likely. Please do NOT let this stop anyone from running ListCWall! I cleaned up machines before I found ListCWall and there is a very good chance I cleaned the bad entries in the registry with Ad-Aware before I knew exactly what I was looking for.

 

If this happened today to me, the FIRST thing I would have done is run ListCWall on each computer to find the 'director' computer, or what should have been the source of the infection. I would still like someone to confirm if ListCWall confirms this version of the infection though...

And, of course, I'm still interested in knowing if anyone else has found the 'smoking gun' on this one.

Also, regarding those saving encrypted files in the hope that a decryption may be found: this decryption is based on each of our systems' fingerprint, and is unique. So unless someone figures out the way they used our fingerprints to encrypt the files it will be difficult to develop a decryption key. Furthermore, if you copy the affected files onto an external drive, certainly the map for decrypting these files in the future will not point to the correct path. E.g. if you have any hope of getting these files back w/out paying the fee, then take out the affected drive, put it in a box and save it until a cure is found.



#43 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 45,209 posts
  • Gender: Male
  • Location: USA

Posted 02 November 2014 - 08:36 PM

ListCwall needs to be updated. I will prob pull it tomorrow. I would not rely on its accuracy right now.

#44 Shamrock18

  • Members
  • 1 post

Posted 03 November 2014 - 02:00 PM

Just recently infected with this beast of a virus. Paging through the forum now looking for help but honestly, it doesn't look promising. I plan to keep my files in case someone comes up with a way to decrypt. Majorly bummed out by this.

 

What irritates me the most is that the process took days, and I didn't even realize what was happening until it was too late. Just my luck to catch the virus with no cure..ARGhh



#45 ThePhoenixTech

  • Members
  • 2 posts

Posted 04 November 2014 - 09:26 PM

To all:

 

Normally I come here to do some research only and very rarely post, but to be honest I hate this malware! Multiple clients of mine have been hit by this or variants thereof in the past month. After reading some of the comments in this post, I figured I would add in my two cents' worth.

 

In all instances I have been able to find the "culprit" computer by looking at the owner of the created instruction files on the mapped network shares that were infected. (located under security settings)

 

With all computers that have been infected, I cannot seem to locate any trace of the malware; it seems to remove itself once its course has run. As I have only spent approximately 1 hour with each one I cannot say this is definite, but I found no trace of any malware on the computers that were affected. Only on one did I find stuff, and it's because I believe I interrupted it before it was finished.

 

The best defense against this threat is to backup, backup, backup.

 

I hope this helps someone.

 

And to the mods and those who help others on this site keep up the good fight.

 

J
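As an added example (not from the thread or any BC tool), here is a PowerShell sweep that applies ThePhoenixTech's tip: it lists the NTFS owner of every ransom-note file on a share and groups the notes by owner, with the earliest creation time per owner. The share path and note-name patterns are placeholders; the owner is the user account that created the notes, so the last step is matching that account to the workstation where it was logged on at that time (server session logs or sign-in records).

```powershell
# Added example, not code from the thread. Finds the account that wrote the
# ransom notes on a share by reading each note's NTFS owner.
# Assumptions: $SharePath is a placeholder UNC path; the note-name patterns are
# the file names mentioned in the thread; you have read access to the ACLs.
param(
    [string]$SharePath = '\\FILESERVER\Data',                       # placeholder
    [string[]]$NotePatterns = @('DECRYPT_INSTRUCTION*', 'INSTALL_TOR*')
)

# Collect every ransom-note file on the share (hidden files included).
$notes = foreach ($pattern in $NotePatterns) {
    Get-ChildItem -Path $SharePath -Recurse -Force -File -Filter $pattern `
        -ErrorAction SilentlyContinue
}

# One record per note: who owns it (NTFS owner = creating account, unless an
# admin created it, in which case the owner may be the Administrators group).
$report = foreach ($note in $notes) {
    $acl = Get-Acl -LiteralPath $note.FullName
    [pscustomobject]@{
        Owner   = $acl.Owner
        Created = $note.CreationTime
        Path    = $note.FullName
    }
}

# The owner on nearly all notes is the account whose session wrote them; the
# earliest CreationTime tells you when the encryption run started on this share.
$report | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstNote'; e = { ($_.Group | Sort-Object Created | Select-Object -First 1).Created } }

# Keep the per-file list for the incident record.
$report | Sort-Object Created |
    Export-Csv -NoTypeInformation -Path '.\ransom-note-owners.csv'
```

Run it from a clean workstation, not the suspected source, so its own account does not appear in the results.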





