CrytoWall Virus

Soldato
Joined
28 Sep 2008
Posts
14,123
Location
Britain
Got a friends laptop here with web pages and notepad files opening all over the place saying that the files have been encrypted using a 2048 RSA public/private key and that in order to decrypt the file, visit this site on a secret server, pay this money and get the private key.

Obvs, that's not going to happen, but right enough, none of the files open. It appears like the headers have been altered. Even slaving the drive in another PC does not allow access.

Running malware bytes now, but that will only remove the virus, it's unlikely to decrypt the files if the messages are to be believed.

What's the process? Anyone had similar experiences?

Ta
 
Soldato
Joined
27 Feb 2003
Posts
7,171
Location
Shropshire
With some of the original versions of CryptoLocker you could get files back from Shadow Copy (Vista / W7 etc) and Shadow Explorer makes for a good GUI.

The newer versions I've seen purge out the shadow copies, so as tribz says, time to restore from a backup or cough up.
 
Soldato
OP
Joined
28 Sep 2008
Posts
14,123
Location
Britain
Yeah, I'd seen a post about Shadow Explorer. Just downloaded and exported some trial files from a previous shadow copy and they are intact. I'm going to choose a date just prior to the issue and export the whole lot then blat the drive and reimage.

Ta all
 
Associate
Joined
26 Nov 2011
Posts
1,121
Location
West London
Cryptolocker has been ruining people's days for some time now. Even if you pay the ransom there's a good chance that you won't get your files back. One day, people will learn the benefit of a good backup. One day...
 
Man of Honour
Joined
29 Jun 2003
Posts
34,513
Location
Wiltshire
Cryptolocker has been ruining people's days for some time now. Even if you pay the ransom there's a good chance that you won't get your files back. One day, people will learn the benefit of a good backup. One day...

I'm sure I read this applied to other local drives (USB external backup for example), network drives (NAS) and Dropbox as it sits logged in. So not quite as simple as that.
 
Associate
Joined
26 Nov 2011
Posts
1,121
Location
West London
Yup, cryptolocker will go after anything that the logged on user can see. When I say proper backups I include offsite.

Things like dropbox should enable to to revert to a snapshot from several days ago (similar to the shadow copy idea) But a USB drive that lives in a drawer (or a different building) when the backup isn't running is immune to most issues.
 

beh

beh

Associate
Joined
16 Oct 2003
Posts
2,197
Slightly baffled how I picked this up, first virus in ~15 years perhaps.

Glad I'm on a rather slow laptop and it's full of junk cause it didn't encrypt much before I figured something was up and rebooted into safe mode. Appears it only got part way though my desktop and also did a bit in appdata.

Charmed by the fact the ransom site offers to decrypt one file for free, might go for a chocolate brownie recipe I had.
 
Caporegime
Joined
12 Mar 2004
Posts
29,913
Location
England
I'm sure I read this applied to other local drives (USB external backup for example), network drives (NAS) and Dropbox as it sits logged in. So not quite as simple as that.

It is as simple as that.

You back up to an external drive and disconnect it, that's how a proper backup has always been carried out. Always connected backups should never be used as a "main" backup for this very reason.
 
Man of Honour
Joined
13 Oct 2006
Posts
90,824
Slightly baffled how I picked this up, first virus in ~15 years perhaps.

Glad I'm on a rather slow laptop and it's full of junk cause it didn't encrypt much before I figured something was up and rebooted into safe mode. Appears it only got part way though my desktop and also did a bit in appdata.

Charmed by the fact the ransom site offers to decrypt one file for free, might go for a chocolate brownie recipe I had.

Newer versions are quite sophisticated at infecting others PCs on a network if your sharing a LAN with other users, one variant was seen to stay semi dormant while it tried to infect other systems before it delivered its payload on the original infected machine.

Hence I now have a read only share on the NAS for critical files and rotate 2 external USB drives for offline backup, which are only mounted in read only if needed for recovery.
 

beh

beh

Associate
Joined
16 Oct 2003
Posts
2,197
On a shared LAN which did occur to me as haven't downloaded anything suspicious.

Laptop was in sleep mode while I was out for few hours, came back and it started pestering me with UAC messages for an unsigned flash update triggered by a looping batch file with a modified date a couple minutes before the first files were encrypted.
@echo off
:d
del "C:\Users\Andrew\AppData\Local\Temp\UpdateFlashPlayer_d2954ca0.exe"
if exist "C:\Users\Andrew\AppData\Local\Temp\UpdateFlashPlayer_d2954ca0.exe" goto d
del /F "C:\Users\Andrew\AppData\Local\Temp\tmp640ca134.bat"
Although on closer inspection I think it's probably my fault for disabling java updates some time ago.

xNbYlbX.jpg

So a few things learnt ...
  • UAC didn't save me but did alert me that something was going on
  • Shadow copies works great, particularly as I thought I'd disabled it years ago
  • Don't disable jushed.exe (or anything else similar) or at least check for updates more often if you do.
 
Back
Top Bottom