CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ



PorkChopSandwiches
10-16-2014, 07:13 PM
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

We got hit with this last night. One user infected, then it went through every drive mapping he had and encrypted all of our files.

We were lucky to get an older variant that didn't have this "feature":


Note: Newer variants of CryptoWall will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so you should continue to try restoring your files using this method

So I was able to restore from a shadow.


http://www.pcworld.com/article/2688992/malvertising-campaign-delivers-digitally-signed-cryptowall-ransomware.html


The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said.


It's nasty, make sure your backups are in order.
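The note quoted above from the BleepingComputer guide is also the detection opportunity: shadow-copy deletion is a distinct, loud action that happens before or alongside the encryption, and it comes from a handful of well-known system commands. The following is an added example, not code from the thread or from BleepingComputer. It runs a few process-creation rules over constructed, pipe-delimited sample events (a simplified stand-in for Sysmon event 1 or Security 4688 data, not a real export) and raises confidence when the parent process launched from a user-writable drop location. The matched commands (vssadmin "Delete Shadows", vssadmin "Resize ShadowStorage", wmic "shadowcopy delete", Win32_ShadowCopy via PowerShell) are the usual ways shadow copies get destroyed on Windows; that this particular CryptoWall sample used any of them is an assumption, not something the thread states.

```python
"""Flag process-creation events that look like Volume Shadow Copy deletion.

Added example, not from the forum post or the BleepingComputer guide it
quotes. Assumption: the commands in RULES are how shadow copies get wiped;
the guide only says newer variants "attempt to delete all shadow copies".
Event layout is constructed: timestamp|host|user|parent_image|image|cmdline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# (rule name, expected image file name, regex applied to the command line)
RULES = [
    ("vssadmin_delete_shadows", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage", "vssadmin.exe",
     re.compile(r"\bresize\s+shadowstorage\b.*\bmaxsize=", re.I)),
    ("wmic_shadowcopy_delete", "wmic.exe",
     re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy", "powershell.exe",
     re.compile(r"win32_shadowcopy", re.I)),
]

# A backup job runs vssadmin from services.exe or a scheduled cmd.exe; a
# freshly dropped payload runs it from %AppData% or %Temp%. Parent location
# is what separates the two in the sample data.
USER_WRITABLE_PARENT = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


@dataclass
class Hit:
    rule: str
    host: str
    user: str
    parent: str
    command_line: str
    suspicious_parent: bool


def parse_event(line: str) -> Optional[dict]:
    """Split one pipe-delimited event; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        return None
    ts, host, user, parent, image, cmd = parts
    return {"ts": ts, "host": host, "user": user,
            "parent": parent, "image": image, "cmd": cmd}


def image_name(path: str) -> str:
    """Base file name of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines) -> List[Hit]:
    """Run every rule over every event and return the matches in log order."""
    hits: List[Hit] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        img = image_name(ev["image"])
        for name, expected_image, pattern in RULES:
            if img == expected_image and pattern.search(ev["cmd"]):
                hits.append(Hit(
                    rule=name, host=ev["host"], user=ev["user"],
                    parent=ev["parent"], command_line=ev["cmd"],
                    suspicious_parent=bool(
                        USER_WRITABLE_PARENT.search(ev["parent"]))))
                break  # one hit per event is enough
    return hits


def high_confidence(hits: List[Hit]) -> List[Hit]:
    """Hits whose parent process came from a user-writable location."""
    return [h for h in hits if h.suspicious_parent]


# Constructed sample: a workstation where a dropped executable wipes shadow
# copies, and a file server where a backup account prunes them legitimately.
SAMPLE_EVENTS = [
    r"2014-10-15T22:41:03|WS-042|CORP\jdoe|C:\Windows\explorer.exe|C:\Users\jdoe\AppData\Local\Temp\a4f2.exe|C:\Users\jdoe\AppData\Local\Temp\a4f2.exe",
    r"2014-10-15T22:41:05|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\a4f2.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"2014-10-15T22:41:06|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\a4f2.exe|C:\Windows\System32\wbem\wmic.exe|wmic shadowcopy delete",
    r"2014-10-15T22:41:07|WS-042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\a4f2.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    r"2014-10-15T23:10:00|SRV-FS01|CORP\backupsvc|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe List Shadows",
    r"2014-10-16T01:00:00|SRV-FS01|CORP\backupsvc|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin Delete Shadows /For=D: /Oldest",
    "not|a|valid|event",
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        flag = "HIGH" if h.suspicious_parent else "review"
        print(f"{flag:6} {h.host} {h.user} {h.rule}: {h.command_line}")
```

The legitimate retention job on the file server still matches the delete rule, which is deliberate: the rule is a trigger, and the parent-process check is what decides whether it pages someone. Alerting on the command alone would have an analyst chasing every backup schedule.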

Teh One Who Knocks
10-16-2014, 07:20 PM
Yeah, I've read about this... if you get hit with the version that deletes the shadow files, then you are basically fucked unless you have backed up all your files really recently. The only way to decrypt them is to pay the ransom.

Do you know how the person got infected? Bogus e-mail? Visited a shady website? Downloaded something they shouldn't have?

PorkChopSandwiches
10-16-2014, 07:28 PM
No, we searched the internet history, nothing out of the ordinary. But, it really could have come from any normal browsing


Several websites in the Alexa top 15,000 list were affected by this latest malvertising—malicious advertising—campaign including hindustantimes.com, the site of Indian daily newspaper Hindustan Times; Israeli sports news site one.co.il; and Web development community codingforums.com.

Goofy
10-16-2014, 08:04 PM
Sounds like a fun challenge... I'm game :tup:

PorkChopSandwiches
10-16-2014, 08:06 PM
Want me to send it to you :twisted:

Goofy
10-16-2014, 08:16 PM
Just after i read your post i got an email Porky :mrgreen:

PorkChopSandwiches
10-16-2014, 08:57 PM
:lol:

Hal-9000
10-16-2014, 09:14 PM
So, good or bad, I use Norton Internet Security... the suite has changed so much from 5 years ago you'd think it was made by someone else... the protection, the light resources it uses... you really can't tell it's running, even when opening RARs or moving files.

Norton tends to update their protection quite quickly... like within 24 hours of a reported outbreak of crap like this...

should I be worried PCS?

PorkChopSandwiches
10-16-2014, 09:22 PM
It's super easy to get and not easily detected until it's too late.


The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said.

Hal-9000
10-16-2014, 09:24 PM
Yeah, I've read about this... if you get hit with the version that deletes the shadow files, then you are basically fucked unless you have backed up all your files really recently. The only way to decrypt them is to pay the ransom.

Do you know how the person got infected? Bogus e-mail? Visited a shady website? Downloaded something they shouldn't have?


so the malware/virus creators are so blatant they actually ask for a payment to get your files back?

You would think someone could tag them from the payments...

Pony
10-16-2014, 09:36 PM
I ran into the old version a while back on a friend's laptop. It encrypts your files and puts up a timer to tell you how long you have to pay up before it deletes the decrypt keys. I actually lucked out and managed to remove it by booting into safe mode and running Malwarebytes. To my surprise, 90% of the files were still there and accessible after. I was expecting to lose my buddy's 500GB of music and music videos. (He's a DJ.)

Nasty piece of work that is. Good luck Porky!

Hal-9000
10-16-2014, 09:47 PM
Thanks Pony... I was just trying to imagine whether they would want to hit an average home user and do that to their files...

I have the free version of Malwarebytes (no real time protection) so I may do a full scan tonight just to be safe

Muddy
10-16-2014, 09:49 PM
I ran into the old version a while back on a friend's laptop. It encrypts your files and puts up a timer to tell you how long you have to pay up before it deletes the decrypt keys. I actually lucked out and managed to remove it by booting into safe mode and running Malwarebytes. To my surprise, 90% of the files were still there and accessible after. I was expecting to lose my buddy's 500GB of music and music videos. (He's a DJ.)

Nasty piece of work that is. Good luck Porky!

You and your titty bar friends.. :mrgreen:

Hal-9000
10-16-2014, 09:50 PM
and thank you number 666 for Porky! :dance:

PorkChopSandwiches
10-16-2014, 10:18 PM
so the malware/virus creators are so blatant they actually ask for a payment to get your files back?

You would think someone could tag them from the payments...
They make you pay into multiple bitcoin accounts.


I ran into the old version a while back on a friend's laptop. It encrypts your files and puts up a timer to tell you how long you have to pay up before it deletes the decrypt keys. I actually lucked out and managed to remove it by booting into safe mode and running Malwarebytes. To my surprise, 90% of the files were still there and accessible after. I was expecting to lose my buddy's 500GB of music and music videos. (He's a DJ.)

Nasty piece of work that is. Good luck Porky!
We got it sorted because I fucking crush at this shit :lol:


A lot of people just pay; they have collected a million in payments already.

Hal-9000
10-16-2014, 10:27 PM
We got it sorted because I fucking crush at this shit :lol:


Right on :lol:

Loser
10-17-2014, 04:56 AM
I know of one antivirus it can't break past...

Ubuntu... :lol:

Teh One Who Knocks
10-17-2014, 10:02 AM
We got it sorted because I fucking crush at this shit :lol:

You mean because it was the version that doesn't delete the shadow files :nono:

PorkChopSandwiches
10-17-2014, 03:19 PM
You mean because it was the version that doesn't delete the shadow files :nono:

:lol:

We had a backup; it infected it as well :oops: