Cryptowall virus/malware

TLDR: Can I retrieve decrypted / unreadable word documents for UNI work?

My girlfriend's laptop has picked up a rootkit/malware/virus and it's really nasty.

Basically it has taken control of all her files, such as Word documents for UNI, and encrypted / locked access so I can't open them.

All backups she had, such as Google Drive or memory sticks, are also infected, so I can't recover any of the files even if I was to remove it.

Read up on: http://www.precisesecurity.com/rogue/remove-cryptowall

I have tried a system restore, which failed, and also tried to restore previous versions of files, and tried a program called ShadowExplorer which failed to work.

Is there any way I can recover her document work files without paying to decrypt?
 
Did you try the steps in that link you've posted? I know you say you tried System Restore and shadowexplorer, but that link has the details for a Kaspersky rescue USB that should work.
 
We had this at one of our customers; luckily we had an RDX backup.
But we tried, for argument's sake, to see if we could recover those said files if we didn't have the backup..
In short, NO!
It's a *** Fully star your swear words *** - Will Gill of a virus. We tried numerous things, many claiming on Google to 'work', but they didn't...
Sorry buddy, it's pay up, or say goodbye to those files.
The virus itself is so easy to remove, but by doing so you will lose access to the files unless you pay an even higher figure.
 
I know, that's what I am so mad about: the virus is very easy to remove, but the restore points only go to the start of this month!

All her online backups are also infected, so they suffer the same problem. Same with her memory sticks :(

I had overlooked the Kaspersky thing, will do it now
 
The only other thing.. Not going to be that much of a help,
but if she emailed any documents to herself, friends etc, some can be recovered that way.

Looks like your girlfriend has opened an HMRC, NatWest, HSBC or Amazon email.
I know it's easy after the event, but I created a reg edit file that stops my Outlook showing zip files.. It just strips it from the email.
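As an added illustration of the kind of registry file that post describes (this is not the poster's own file): Outlook has a documented string value, Level1Add, that adds extensions to its "Level 1" attachment list, and Level 1 attachments are blocked outright, so the recipient cannot open or save them from the message. The Office version number in the key path (15.0, Office 2013) is an assumption; Office 2010 uses 14.0 and Office 2016 and later use 16.0. Blocking .zip this way does stop the common "invoice.zip" lure, but it also hides every legitimate zip attachment, so it is a blunt control best paired with keeping an offline copy of anything important.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the original thread.
; Level1Add is a documented Outlook setting: a semicolon-separated list of
; extra extensions Outlook treats as Level 1 (blocked) attachments.
; The "15.0" below is an assumption for Office 2013; adjust to the installed version.
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security]
"Level1Add"=".zip;.rar;.7z"
```

Save the text as a .reg file and double-click it (or run reg import on it), then restart Outlook; archive attachments on new and existing mail will show as blocked rather than as clickable files. The same value can be set under the equivalent HKEY_LOCAL_MACHINE policy path by an administrator so users cannot undo it, which is the more robust choice on a shared machine.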
 
Hopefully she had a few versions on Google Drive she can access, but this thing literally infects every version possible; it's all over every memory stick and cloud storage backup she has :/

Tried that Kaspersky boot disk thing; that was to remove the virus only and not recover files :'(
 
I suppose it's not too bad for myself lol, I had convinced myself that cloud storage was the only backup I needed. Haven't done a hard backup since 2013...

I use multiple cloud storage services, but after this I think I may go back to saving the odd DVD with my files lol
 
Your only hope is to download the virus, use wireshark and make a visual basic gui to track the IP address and blackmail the people with the private key.
 
As I said in the other recent thread, this is why you should never use online storage as a primary backup. Always use offline storage, because otherwise as soon as you get infected, anything else that is connected will go up in flames too. Cloud storage is even worse: internet connection problems, server problems, hackers wipe the data, or the company collapses when you need that backup, and you're screwed.

It's not like this is a new thing either; the encryption aspect is a fairly recent twist, but the end result is the same as the viruses that have been going round since the 90s that simply overwrite files.
 
The hard bit is that it got all her USB drives etc. To me that would have been an acceptable level of backup, and for those to get caught as well is a really tough break.

Not that it is probably any use, but obviously this is blackmail and should be reported to the police, and if you did decide the payment was worth making to get the files back then make sure your bank knows what is going on, to make sure you don't open yourself up to being got hard through that source.
 
I know, that's what I am so mad about: the virus is very easy to remove, but the restore points only go to the start of this month!

All her online backups are also infected, so they suffer the same problem. Same with her memory sticks :(

I had overlooked the Kaspersky thing, will do it now

What a pain!

I would be interested to hear which cloud backup services were compromised using this, as it can be helpful to others who may have blind faith in these.
 
The hard bit is that it got all her USB drives etc. To me that would have been an acceptable level of backup, and for those to get caught as well is a really tough break.

Not that it is probably any use, but obviously this is blackmail and should be reported to the police, and if you did decide the payment was worth making to get the files back then make sure your bank knows what is going on, to make sure you don't open yourself up to being got hard through that source.

I think it depends on whether the USB sticks were 'read only'. I have no idea if they would still be a little vulnerable even then, but it would be a sensible step. Problem is, the devices lose their usefulness like this.

DVD backup with no rewriteability is my choice here.
 
I wonder if a way to "fix" this, would be:

  • Create a small text file and deliberately have it infected to create an encrypted version.
  • Use a brute-force password cracker to attack the encrypted file, until you get a match with the unencrypted version.
  • Use said match to decrypt the rest of your files.

Obviously, depending on the length/complexity of the key, this could be prohibitively time consuming...

I really don't get the mindset of these people. They're clearly quite talented programmers; surely they don't get that many "bites" that it wouldn't be more worthwhile for them to put their skills to constructive use, rather than making 90% of the developed world want a few hours alone with them in a room with several sharp implements, car batteries and bottles of acid...
 