Cryptowall virus/malware

You can try to decrypt the file using brute force but these days that isn't going to happen quickly or easily - I doubt the person clever enough to write this is going to chuck in a weak encryption algorithm so chances are this isn't possible.

So basically it's one of two choices

1. Pay up - how much do they want??
2. Give them the 2 finger salute and write off the files and start again
 
It's always possible ;)

It may take several decades using today's technology however :p
 
Both Gdrive and Dropbox have file version control so nothing major should be lost, everything else is just a write off.
 
How does it get access to infect cloud backups? Do people just sit there with cloud services permanently logged in and running 24/7?

Cloud backup solutions with versioning should be safe, the latest versions of the files would obviously be lost, but previous versions should be fine.

Edit: beaten by a minute :(
 
What are people's suggestions for protecting their data?

I was thinking about having everything under a different login account and removing everything but read access for the main (Internet) account. There are very few files that I need write access to.

So if there was a new infection vector in the future, it's not going to be able to rewrite encrypted versions of any of my files.


As for stopping the virus in the first place, there is a program which purports to detect cryptowall.
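One way to put the "separate login, read-only for the everyday account" idea above into practice, as an added example that is not from the thread: NTFS ACLs on the data folder are stripped back to an explicit set, with the everyday (internet-facing) account given read and execute only and a second account used solely for editing. The folder path `D:\Data` and the account names `daily` and `editor` are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Assumptions: data lives under D:\Data,
# the everyday (internet-facing) account is "daily", and a second local
# account "editor" is used only when files need changing. Run elevated.
$DataRoot   = 'D:\Data'
$DailyUser  = "$env:COMPUTERNAME\daily"
$EditorUser = "$env:COMPUTERNAME\editor"

# Reset every child to plain inheritance so the root ACL set below is the only
# thing that matters (stray explicit ACEs would otherwise keep write access alive).
icacls $DataRoot /reset /T /C /Q | Out-Null

$acl = Get-Acl -Path $DataRoot
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs (e.g. Users: Modify)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($entry in @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'    },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
    @{ Id = $EditorUser;              Rights = 'Modify'         },
    @{ Id = $DailyUser;               Rights = 'ReadAndExecute' }   # read, list, execute; no write or delete
)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $entry.Id, $entry.Rights, $inherit, $prop, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $DataRoot -AclObject $acl

# Verify: the everyday account must hold no Write/Delete bits anywhere under the root.
$offending = Get-ChildItem $DataRoot -Recurse -Force | ForEach-Object {
    (Get-Acl $_.FullName).Access |
        Where-Object { $_.IdentityReference -eq $DailyUser -and $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]'Write, Delete') }
}
if ($offending) { Write-Warning "Write access still present for $DailyUser on $($offending.Count) entries" }
else            { Write-Host   "$DailyUser has read-only access under $DataRoot" }
```

The protection only holds if the everyday account is not a local administrator: anything that elevates through UAC inherits the Administrators full-control entry, and the editor account should never be the one browsing or reading mail.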
 
The virus is easy enough to remove but you won't be able to decrypt the files, no chance. If you don't have backups and you refuse to pay the ransom the files are gone forever.

If you remove the virus then you also will not be able to pay the ransom. If you pay the ransom there is no guarantee they will decrypt the files as well.

Sophos have a removal tool

http://www.sophos.com/en-us/product...tm_medium=Cross-link&utm_campaign=CL-CorpBlog

You can also use combofix to remove it.

One client of ours lost 200k documents to the virus (not my site) and had no backups due to rubbish IT.

The one site I support got infected through someone's Gmail account and it bypassed NOD32 and Mimecast. It encrypted all the mapped drives. Had to restore all from backup.

More info: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

The best protection is to set up software restrictions on the app data folders.
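The software restriction approach mentioned above, as an added example that is not from the thread: a Software Restriction Policy (SRP) with Disallowed path rules for executables under the per-user AppData and Temp folders, written directly to the registry key layout that the Local Security Policy snap-in (secpol.msc) uses. The rule set and the placeholder allow-list entry are assumptions; verify the result in secpol.msc afterwards, since it needs an elevated prompt and a reboot or logoff to take effect.

```powershell
# Added example, not from the thread. Writes SRP path rules that block
# executables launching from the per-user AppData and Temp folders. The key
# layout mirrors what secpol.msc writes; check the snap-in after running.
# Requires an elevated prompt and a reboot (or logoff) to take effect.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level: nothing runs
$Unrestricted = 262144     # 0x40000: runs normally

# Global SRP settings: default allow, enforce for all users including local
# admins (PolicyScope 0), apply to all software files except libraries (TransparentEnabled 1).
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -Type DWord

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths with the pattern in ItemData.
    $ruleKey = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Block rules: nothing should launch from these user-writable locations.
$blocked = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.exe',
    '%LocalAppData%\Temp\*\*.exe'
)
foreach ($p in $blocked) {
    Add-SaferPathRule -Path $p -Level $Disallowed -Description 'Block user-writable exec location'
}

# Exception slot: legitimate per-user software under AppData needs an Unrestricted
# rule that is more specific than the block above. <VendorApp> is a placeholder;
# replace it with the real path before use.
Add-SaferPathRule -Path '%LocalAppData%\<VendorApp>\app.exe' -Level $Unrestricted -Description 'Placeholder allow-list entry'

# Show what is now in place.
Get-ChildItem "$Safer\$Disallowed\Paths", "$Safer\$Unrestricted\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Level = $_.PSParentPath.Split('\')[-2]; Rule = (Get-ItemProperty $_.PSPath).ItemData }
    }
```

SRP picks the most specific matching path rule, so the allow-list entry wins over the broader `%LocalAppData%\*\*.exe` block; expect to add one such entry per application that legitimately installs into AppData, and test logins as a standard user before rolling it out.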
 
I really don't get the mindset of these people, they're clearly quite talented programmers - surely they don't get that many "bites" that it wouldn't be more worthwhile for them to put their skills to constructive use, rather than making 90% of the developed world want a few hours alone with them in a room with several sharp implements, car batteries and bottles of acid...

The programmers, the "brains" behind these viruses are not the ones spreading them and taking the money from the victims. They just create the virus along with a "tutorial for dummies" and they sell the package to criminals (which often have only basic IT skills, if any). Most of the programmers probably have normal jobs and no criminal record whatsoever.
 
I think it depends on whether the USB sticks were 'read only'. I have no idea if they still would be a little vulnerable even then, but it would be a sensible step. Problem is the devices lose their usefulness like this.

DVD backup with no rewriteability is my choice here.

DVDs are perhaps the least reliable backup medium in terms of failure rate. They are also a pain in the ****.

All you have to do is not put in your USB backup when your system has been infected and you can't access any of your desktop files... or use a write protector.
 
What are people's suggestions for protecting their data?

I recommend a layered defence. I have a real-time AV and periodically run Malwarebytes as a backup. I have nightly backups to my WSE box. I have occasional backups to external USB drives which are kept disconnected unless in use.

ETA: oh yes, I've read that Cryptolocker operates on all mapped drives but not by UNC, so the area with my backups on the WSE box isn't mapped by letter.
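A nightly backup script that follows the two points above (reach the backup area by UNC path only, never a mapped letter, and keep dated copies so an encrypted overwrite cannot replace the previous night's version, which is the same versioning argument made earlier for Gdrive and Dropbox), as an added example that is not from the thread. The source folder `D:\Data`, the share `\\wse\Backups` and the retention count are assumptions; it expects to run under an account that can write to the share, for instance a scheduled task running as a dedicated backup user.

```powershell
# Added example, not from the thread. Nightly versioned backup to a share
# reached only by UNC path. Assumptions: source folder D:\Data, share
# \\wse\Backups writable by the running account, 14 snapshots retained.
$Source = 'D:\Data'
$Share  = '\\wse\Backups'
$Keep   = 14   # number of dated snapshots to retain

# Refuse to run if the backup share is mapped to a drive letter in this session:
# the point of the design is that the share is never exposed that way.
$mapped = Get-CimInstance Win32_NetworkConnection | Where-Object { $_.RemoteName -like "$Share*" }
if ($mapped) { throw "Backup share is mapped as $($mapped.LocalName); unmap it before running." }

$Stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$Dest  = Join-Path $Share $Stamp

# A fresh dated folder per run: today's copy never overwrites yesterday's, so a file
# that was encrypted before tonight's run still has an intact copy in an older snapshot.
# /E copies subfolders, /COPY:DAT keeps data/attributes/timestamps, /XJ skips junctions,
# /R and /W stop one locked file from stalling the whole job.
robocopy $Source $Dest /E /COPY:DAT /XJ /R:2 /W:5 /NP /LOG+:"$Share\backup.log"
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); see $Share\backup.log" }

# Prune to the newest $Keep snapshots. Only folders matching the stamp pattern are touched.
Get-ChildItem $Share -Directory |
    Where-Object Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' |
    Sort-Object Name -Descending |
    Select-Object -Skip $Keep |
    Remove-Item -Recurse -Force
```

Run it from a scheduled task under a dedicated backup account that is the only identity with write access to the share; the everyday user accounts then have no path, mapped or UNC, to modify the snapshots, and the dated copies give the same roll-back that the cloud versioning posts rely on.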
 
It's quite possible her PC was already infected with a rootkit and that delivered it. It's certainly how some instances of CryptoLocker "arrive".
 
Our backup system is incremental and not accessible from terminal machines or mappable; it's also running on a non-Windows environment. Still worries me though, even though I know it's safe.
 