Updated CryptoWall 2.0 ransomware released that makes it harder to recover files

I have seen this twice now on customer machines and can tell you its frustrating on everyones part. I did find that crypto wall 2.0 will infect all folders but one of my clients had a few pictures in just the user profile not in a folder and those pictures were not encrypted. Looks like data can be stored out side of the user profile folders as a precaution at this point. Hope it can help someone.

Beg Pardon, my mistake - crisis2k's reference was about CryptoLocker, not CryptoWall - I should have noticed .

 

Grinler might it help if we moved those references over to eg General Security - CryptoLocker Topics or start a new one there?

 

Cheers

 

Wizard

 

Where's Ctrl-Z when you need it?

sorry for that MR. wizardfromoz i thought you had infected by cryptolocker.. that was my serious fault i beg your pardon

this is what i suggesting to MR. Abrams 

1. this man trying to decrypting cryptowall and cryptodefense in this page have you ever seen this page?

2. it require smartsniff and also hex editor too but it looks like a real one this makes me very interesting

3. it must be still infecting by crypoxxx viruses i could'nt try this way because i don't got any cryptoxxx viruses sample

4. maybe can someone help me for this?

Edited by crisis2k, 28 November 2014 - 01:53 AM.

No need to apologise, crisis2k. I took a brief look at your page link, and it looks interesting, but much of this is beyond my ken, as I don't use Windows.

I would like to know the verdict on that page, though, as if it is kosher, I can report same on my Beat the Blackhats Topic in General Security.

My participation in this Topic has been purely a combination of offering supportive comments to those affected, and asking the occasional "Have you read this link?" type question.

Oh, and I'll fly the flag for ListCWall, developed at BC, which is in Downloads section.

BTW Grinler, can you enlighten us as to the status of ListCWall? Or have I missed notice somewhere? You were going to take it down and revamp it - I notice it is still attracting Downloads, but as I don't use it, I wouldn't notice a version change - but I would like to let my readers know. Thanks

Wizard

I got hit by this virus and lost, as far as I can tell with no chance at this time to recover, 10 years of family pictures, also several important documents and music files. To all those hit by the cryptowall 2.0 I feel for you and all I can recommend is back up all the encrypted files onto a seperate hard drive and save for the day a savior will come with the way to decrypt them.

There was a video I saw of a person who was able to decrypt his own files by isolating the key file that was sent after the decryption took place and then had a copy of the decypher program and a different key. What it looked like he did was alter the key that wouldn't work using the key that his computer had sent and then used that altered key with the decypher program to recover his files. The problem I see with that is A) one mistake and all the files you want to decrypt will become corrupted and no longer able to decypt. The people who did this and even the gentalmen that created this method are not going to just give you the decypher program or even a key that you could alter for free. And finally C) You would have to go through some sort of mess to isolate what file was sent from the computer which holds the key to your computer and for that I have no idea how to do that post getting hit as he only showed the method to use at the time it gets hit.

Now, if you are able to find and follow the hard to understand method he used I recommend this before attempting his method or any other method. Back up all the files first onto a seperate drive and remove the drive from the computer before attempting to mess with the encrypted files that don't have a second one backed up and safe as one wrong move and all your files can and may become corrupted.

I also recommend backing those files no matter what you want to do, even if you decide to fork over $500 before running the scammers decryption program or wait for a savior or try to decrypt them on your own. That way you should only mess with either the original file or the back up. Never attempt to mess with an encrypted file or hard drive with encrypted files on them without a back up of them stored somewhere unconnected to a computer. Because like I said if you make a mistake those files will become corrupted and even if you decrypt it you will have lost the original file because they will corrupt the file so you can't even recover it. Once you get back your file from decryption and it is in perfect order, quickly save all decrypted files else where checking each one to make sure there is not hidden within a file a way for that program to run again to get hit a second time by the same people.

Those who have not gotten hit or have recovered your files I recommend the following. Back up all your information on a drive that is not connected to the computer at all times. Sure you can store files on your computer, but do not pretend that you system is safe with all your anitvirus programs you run on it. All it takes is one mistake and you are in trouble. You can use two drives for back up if you feel it will make it more safe, that way if you decided to hook up your back up drive to back up files at the time you are hit, you at least have a second drive that is free from the encryption. Though I recommend checking the system for viruses prior to backing up and not doing anything other than backing up from the second you hook the drive up to the moment you unplug the drive. That should eliminate the need to have second backup drive. I recommend daily back ups if not weekly depending on the amount of new files you put on the system or the length of time it took to create a document. Back ups are your only savior at this point in time. You cannot do a system restore or file restore because cryptowall 2.0 removes all those. The only thing I might think could possible work would be a system backup if that back up also keeps logs of file recovery dates and times for files but I am not a computer wiz and know exactly what the system backup contains or your configuration of your system backup contains. I just know that a back up copy of the files themselves are better than just relying on a system backup. That way if you have to scrap the system and the system backup is a no winner. Then all that is lost is programs that can be reinstalled than finding out that your system backup can't restore you files to before the system was hit and you have no back up of those files.

Once you are hit with the virus there is virtually very little you can do. If you were not attacked by any other viruses unlike my system was which when I loaded malewarebytes it showed over 2000 malewares on my system. If I was able to recover my OS at that point I wouldn't trust it to be clean. I kept my OS long enough to back up all my encrypted files and to check if I was able to still decrypt those files I ran one file on a different system through their decrypt 1 file for free and it decrypted it and gave that system a new date and time to have files decrypted. (I don't recommend trying to do what I just did on a second system out of curiosity unless you can keep all three of these safe guards 1) the system you are using has not information you want on it or is a brandnew OS installation where if it gets hit it is no big deal. 2) you are not trying to decrypt a file that does copy somewhere else. 3) you have a third system or away to change your computers address which is used by all servers to identify the computers they are communicating with. Note: if you use a computer to decrypt a test file through the scammers system you computer will be taged and loged so they know how long that system has to pay up before they no longer will decrypt your files.)   

I know this is long, but I speak from experience as I was hit and learned now what I could have done better. I was stupid to think my files were safe with my system and all I had to worry about was a drive failure, so I kept 2 hard drives in a RAID 1 instead of just using one of the two drives for the system and computer drive and the other in a external drive not to be attached except to back up or restore.

One good thing to know if you are running windows (which I recommend still storing the decrypted files on a second drive) is that if you do have to reinstall the OS (which I recommend doing if hit by this particular virus) is that you don't have to format the drive with the maleware on it and lose all the other information you might want to recover. You can technically keep all the files on the system and tell the installation software to take the windows OS that was hit and change it's file to windows.old so that all the programs and viruses are now kept from running on the new OS because the new OS won't read the old registry to identify the viruses to run them.
 

If there comes a way to decrypt my files please, please let me know as I have tried everything I could look up to do it. And know that my backups can still be decrypted even if I deleted the original because I that is what I used to test if they could be recovered.

The New York Times this weekend published a breezy, naieve but interesting human interest story about CryptoWall 2.0. 

http://www.nytimes.com/2015/01/04/opinion/sunday/how-my-mom-got-hacked.html?module=Search&mabReward=relbias%3Ar%2C%7B%222%22%3A%22RI%3A13%22%7D&_r=1

Among the comments I noticed a suggestion to disable window's inherent encryption tool, the EFS. The idea is, this would prevent the encryption process from going forward.

It seems to me an earlier ransomware virus expropriated the Windows EFS encryption service, but does CryptoWall 2.0 also use it? 

Come to think of it, has this virus been captured before it self destructs?

Thank you for your insights.

John

Edited by John_H555, 04 January 2015 - 06:22 PM.

My home computer was infected with CryptoWall 2.0 in November 2014. I'm almost positive I was infected when I clicked a realistic but fake Java update notification window. I noticed that my computer was running very slow, and the cooling fan was running loudly and continuously. I checked Windows Task Manager and noticed that there were multiple duplicate processes running. I Googled what the files were and came to the conclusion they were virus files. I decided to try right clicking and ending these process. The processes started right back up as soon as they ended which I immediately knew was not right. I started right clicking like a mad woman and choosing 'End Process Tree' instead of 'End Process' which seemed to work better. It actually took a minute or so for the processes to restart. I finally got to the point where the processes didn't restart anymore. I was able to remove the virus and begin trying to repair my computer. 

I was able to somehow stop the CryptoWall this way but not before some of my files and photos were infected. Photography is a hobby of mine and I have my photos listed in folders by year (from 2004 to 2014) but luckily the bulk of my photos are in folders with more descriptive names. I can plainly see where the virus stopped (see attached photo) as encrypted photos don't show a thumbnail view. It did infect some of my programs (Outlook, anti-virus, Photoshop CS 5.1 - but oddly NOT my Photoshop Elements ) but for the most part I have been able to fix or re-install these and my computer remains functional. Luckily I had most of my photos (except for about 6,500 of them that were in 2012 and 2013) backed up on an external hard drive   I didn't have Shadow copy activated so I didn't have that option, and I couldn't find any backup copies - but I also don't have the knowledge to know if there are backup copies located in places other than the obvious ones.

 Anyway, long story short, what I was wondering is if there is a way to recover files if the virus did NOT run it's full course. And if so, is there a recommended data recover program that works better for this type of virus.

Side note..... I never got a notepad window notifying me that my computer was infected or anything similar. I do see that the folders that were infected contain the 3 files typical of CryptoWall  (DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION). I have a Sony Vaio F Series laptop running Windows 7 Home Premium.

Thank you in advance for any information or guidance you can offer. 

Hi bsaunders, and to BC.

If you go to Forums - Security, and click "Am I infected?" - you may get assistance from this site's MRT (Malware Response Team).

Also in Security - General Security, you will find a number of Topics about Cryptowall. The one titled Cryptowall - new variant of CryptoDefense is 59 pages long currently, you may have a lot of reading to do.

I cannot help, as I use entirely Linux, but I wish you luck.

BTW if you go to Home and the News Page, you will see you can upgrade to Windows 10 for free.

Wizard

Edited typos

Edited by wizardfromoz, 22 January 2015 - 11:33 PM.

I know it has been years since the release of Cryptowall 2.0 but I have a few questions.

1. If we are hit by this, does this mean they will forever has access to our files? Meaning, can they look through our files? Or do they just encrypt/delete them?

2. Is there any decryption tool or key made available yet? I still have a good amount of encrypted files with no backup.

Thanks