Solved

Cryptowar virus

Posted on 2014-10-20
263 Views
Last Modified: 2015-02-04
Say, a PC has been infected with the CryptoWar virus. There is a ransom note to upload a key and get data decrypted - Word, Excel files etc.
What can be done please?
OS is XP.

tx
Question by:shaunwingin
67 Comments
 
LVL 3

Assisted Solution

by:Glingo
Glingo earned 84 total points
ID: 40391721
Hi,

The first thing to do would be to download and run Malwarebytes Anti-Malware.

Then, about your files: I hope you have a backup, because it seems CryptoWar uses asymmetric encryption, so it will be very hard to decrypt :/
0
 

Author Comment

by:shaunwingin
ID: 40391730
no backup....
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40391739
Removing the virus is not always recommended. The virus offers to decrypt. Without it, you cannot decrypt. Learning to create backups the hard way, so to say.

Some keys of this virus type were recently discovered, but they might not work for you: https://www.decryptcryptolocker.com/
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40391808
Unfortunately you don't have a real choice.

1/ If you don't have important data:
- Format / reinstall and perform daily backups to avoid this.

2/ If you need your data (well, I seriously hope you don't):
- Pay (at your own risk, since some victims claimed that paying the ransom did not always lead to the files being decrypted) / recover and back up your data / format / reinstall and perform daily backups to avoid this.
0
 
LVL 87

Expert Comment

by:rindi
ID: 40391846
If no backup, you have lost your data. Whatever you do DON'T PAY!!! If you pay, you just support the crooks, and it will be very likely that you still won't get your data back.

The only thing you can do is to tell the authorities. Although even that won't get your data back, they might be able to get some sort of traces of the crooks.
0
 
LVL 24

Expert Comment

by:aadih
ID: 40392011
If your data is as important as your life, pay.

Otherwise, follow rindi's advice, except notifying anyone else.
0
 

Author Comment

by:shaunwingin
ID: 40392015
This was tried but didn't help:
Some keys of this virus type were recently discovered, but they might not work for you: https://www.decryptcryptolocker.com/

Has no one a solution to these thieves?
0
 
LVL 24

Expert Comment

by:aadih
ID: 40392020
No, unfortunately. :-(
0
 
LVL 24

Expert Comment

by:aadih
ID: 40392040
You may be interested in this thread and information therein:

< http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_28540544.html >
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40392067
Sorry, but it's MD5 encryption. Unless you find the key (brute force), which is very unlikely, there is no easy solution.
0
 
LVL 87

Expert Comment

by:rindi
ID: 40392118
The "solution" for the future is to have a good backup strategy in place (that is essential anyway, for everything, not just for malware and CryptoLocker). Also, after the backup has run, remove the backup from the system, or at least make sure there are no drive letters mapped to the backup location.

A further part of the "solution" is not to log on to a PC with Administrator rights for normal day-to-day use; only use Admin accounts for actual admin tasks. Teach the users how to surf the web as safely as possible, and to be careful when opening attachments in emails etc.
0
 

Author Comment

by:shaunwingin
ID: 40405785
Say, anyone working on cracking this virus? Surely someone must have tried to catch these thieves?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40405794
Cracking cannot be done as this is no trick, but encryption and it's not always the same key, of course. So please focus on the answers given and give feedback on those :)
0
 

Author Comment

by:shaunwingin
ID: 40405810
And the law enforcement agencies?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40405848
You should inform them, that's all you can do. They have no technical superiority and would need to use brute force attacks, too.

So think about something like AppLocker to prevent it in the future, and do regular backups.
0
 

Author Comment

by:shaunwingin
ID: 40405854
Do you honestly think this is an isolated attack? I can't believe that no one out there is trying to prevent blackmail from these guys!
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40405867
What do you mean, "isolated"? There are many ways to infect yourself; there have been thousands of people infected, yes.

Countermeasures are the usual ones:
- don't execute unknown executables
- keep your software updated (don't run outdated OSes like XP, for example)
- have backups at hand
Some apply policies that only trusted code may run (AppLocker / software restriction policies).

So there is no need to feel helpless.
0
 
LVL 87

Expert Comment

by:rindi
ID: 40405884
It just shows once more how essential good backups are. If the backups are neglected it's more or less the user's fault if he loses data, whether he loses it through malware like CryptoLocker, or other mishaps, like failing disks, or the user accidentally overwriting data he still needs, and in the end it is a lesson learned the hard way.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40412920
Hello shaunwingin, there is only one solution for this, and this is "find the key".
You can contact the law, lose your time, whatever .. they will probably never catch them in this real world.
So focus on finding the key, pay or not pay; better format and start from scratch, and also whip yourself 10 times for not having backed up your data :) and spit you will never do it again!
Pay the thieves / crack the password (difficult) or accept losing your data: what will you choose now?
I wish you luck.
0
 
LVL 69

Expert Comment

by:Merete
ID: 40412996
Cryptowar or Cryptowall!!
If you want to give it a try, these guys have a removal tool to use in safe mode with networking only!!
You may need a second computer there to be able to download these tools; you also may need a USB stick.

please NOTE:
EXTRACT:
Below, we have procedures in removing CryptoWall from the computer.
Since public and private key combination is needed to decrypt files, it is impossible to recover affected files at this point.
We hope to find a workaround with this trouble in the following days. For the meantime, we will maximize whatever we have on hand.

If your PC is running on Windows Vista and Windows 7, there is a feature called ‘Previous Versions’.
Although this function only works if a restore point was saved prior to the CryptoWall infection or if System Protection is enabled on the computer, use Previous Versions to recover files without having to pay for the private key.
Cryptowall is a dangerous piece of software out to extract money from unsuspecting users. Please follow the directions on this site to stop cryptowall.
How to remove CryptoWall Virus
http://www.precisesecurity.com/rogue/remove-cryptowall
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 40413007
There's no solution for this! You won't be able to acquire the key even if you have paid the money ...

My suggestion is to use a Linux OS from now on, and along with it save all your documents and keep them synced with Dropbox/SkyDrive/Google Drive in order to always have a backup in the cloud.
0
 
LVL 61

Expert Comment

by:btan
ID: 40413026
The most effective method to recover your files is by using a backup. If your files have been backed up regularly, connect your backup drive to a non-infected computer to check your files. If no backup -- local or cloud-based -- is available, then the only chance at file recovery will lie in VSS, restoring previous file versions, or System Restore. But they may already have disabled that backup, hence you are back to the original state, unable to retrieve the latest data. Otherwise the only way to get it back is really to pay up the ransom.

Having said that, deciding not to pay is a fair argument, especially if the amount being requested is worth more than the value of the data. But we do not need to delve into whether the crypto can or cannot be broken - there is no point second-guessing, as all tools are just to detect but eventually will not be able to break it unless the private key is lying somewhere.

Paying the ransom is an exercise in and of itself. For example, they may be asking for Bitcoin or an equivalent digital currency that's used to purchase goods and services, similar to US currency. Though difficult, it's still possible to open an account at an exchange to begin funding the purchase of Bitcoins in order to pay the ransom in the time allotted.

Of course there is the danger the attacker may not play ball too, but really the victim is already at the losing end. Clean up the machine, rebuild it and move on...

Many variants take reference from CryptoWall - below is just further learning from it, and the DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
0
 
LVL 69

Expert Comment

by:Merete
ID: 40413030
Ah!! You all beat me.. :)
Sometimes we have to let the client have a go; it is a way of letting go and coming to terms with it.
First stage is shock realization, then there is anger, then they try and fix,
so a week later and exhausted they feel lament: why why why!!! stupid stupid.
And finally they resign to the fact it's all lost.
My condolences sincerely. But you will live and move on from it and hopefully have learnt from it.
I agree,
Linux is looking better week by week; I am now learning how to use it.
Interestingly Microsoft has an article:
What is ransomware?
http://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx
I received several emails purporting I had missed my day in court; it looked like a professional police report and I had been done speeding with one of those speed cams. I decided to delete it; if it was real they could come and arrest me, as I had no idea if it was true or not.
They never came and I never heard from any police.
Rule of thumb: wait for the paper in the mail; no matter what, if it's in an email it's not real. Police have to put it on paper (for reports).
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40413051
If the deadline was reached and the files have been encrypted, the only hope is VSS and earlier versions being recoverable.  As a note, this is a new flavor named Cryptowall II and has numerous "improvements" over prior versions: http://www.bleepingcomputer.com/forums/t/552103/updated-cryptowall-20-ransomware-released-that-makes-it-harder-to-recover-files/
I, in fact, am picking a PC up with the infection, this morning.
0
 
LVL 69

Assisted Solution

by:Merete
Merete earned 83 total points
ID: 40413062
Really, wow.. please do let us know how you go. What good timing.
Good luck Davis McCarn.
I was just reading that Microsoft article:
The following government-initiated fraud and scam reporting websites may also help:
• In Australia, go to the SCAMwatch website
• In Canada, go to the Canadian Anti-Fraud Centre
• In France, go to the Agence nationale de la sécurité des systèmes d'information website
• In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website
• In Ireland, go to the An Garda Síochána website
• In New Zealand, go to the Consumer Affairs Scams website
• In the United Kingdom, go to the Action Fraud website
• In the United States, go to the On Guard Online website
If your country or region isn't listed here, we encourage you to contact your country's federal police or communications authority.
0
 
LVL 39

Expert Comment

by:noci
ID: 40413999
shaunwingin,

Without the key you cannot decrypt. Without backup you definitely need the keys. Not a nice message, but the truth hurts sometimes. There is absolutely no assurance that you get (the right / a) key if you pay the ransom.
My advice, in such a case: store the hard disk AS IS, or a forensic copy of it, somewhere safe. If a key surfaces some time, you may be able to recover data.
Rebuild your system with a new disk & clean install kit. Use a safe, updated & maintained OS and all normal precautions from then on (backup, virus scanners..); use an admin-only account for updates & an unprivileged account for work. Maybe even a VM for handling external contacts.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40414317
OK, my victim was lucky enough to follow my advice and shut the PC down!  While he was being overpowered by the screen asking for payment, two things saved his behind.  First, I have three PCs set up for data recovery (meaning every SATA or IDE cable hanging out for multiple drives) and copying his stuff to one of my drives revealed that the encryption had not yet been done!  Second, while Cryptowall did delete all of his restore points, it also broke the mechanism in 7 that creates registry backups in the Regback folder.  Copying back his registry files from 10/27 clobbered Cryptowall's ownership and he will be fine after I fix his Outlook, which was not a related problem.
Yeah!
0
 
LVL 61

Expert Comment

by:btan
ID: 40414785
And don't even attempt to trick the date by "back-dating"; the root cause is still the same even if you port the data to another machine or tweak the timestamp...it may even backfire and corrupt data. If the data is so important, that probably leaves you with that choice - if not, use a clean machine to move on...maybe good to know how it came in and if any USB stick is still lying around carrying it. Actually I may even want to change the login account for online email etc ..
0
 
LVL 69

Expert Comment

by:Merete
ID: 40414797
DavisMcCarn, that's great to hear, thanks for posting your progress.
0
 
LVL 42

Assisted Solution

by:Davis McCarn
Davis McCarn earned 166 total points
ID: 40415429
Update:
It's actually a new flavor named Cryptowall II and it's using infected ads on websites like Yahoo and AOL; but, it has primarily impacted the UK, where it has infected over 600,000 PCs: http://www.bleepingcomputer.com/forums/t/552103/updated-cryptowall-20-ransomware-released-that-makes-it-harder-to-recover-files/
How my client got it, here in Charlotte, NC may forever remain a mystery.
Regardless, what I did was to remove his hard drive, back up his files, verify they were not encrypted (!!!), copy back his earlier registry files from the Regback folder, put the HD back in his laptop, ran Roguekiller which did find one last piece & removed it, then updated MSE and ran a complete scan which came back clean.

If anyone should read this, it is imperative that you check for encryption; because, if the files have already been encrypted, there is no option but to pay the money to get the decryption key and you should not even attempt to "clean" the PC until after the decryption has completed.  Doing so will destroy the ability to recover the files.
0
 

Author Comment

by:shaunwingin
ID: 40422247
With this number infected, surely someone should do something to resolve it???
0
 
LVL 24

Expert Comment

by:aadih
ID: 40422267
[Like Ebola :-(] with time it'd be resolved.  :-)  But then another one will pop up with time. :-(
0
 
LVL 87

Expert Comment

by:rindi
ID: 40422500
Besides, if the most basic precautions had been taken, like making backups, any infection would only have cost some time for restoring, and if the PC was used properly, it is also very unlikely that you can get infected. So it is usually their own fault if people have problems with that malware.

What should be done though is to get in touch with the authorities, so they can try to catch the criminals; maybe they were careless and left traces. But also here it will get very difficult, as they are most likely not in your country, and then it is very hard to get hold of them.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40422638
"if the PC was used properly, it is also very unlikely that you can get infected"  I'm sorry; but, these days that just ain't true.  Cryptowall II, for example, has primarily been delivered through "malvertisements", meaning infecting ads displayed at AOL, Yahoo, Match.com, and other major websites.  When all one has to do is be the unlucky person that sees the ad without clicking on anything, you can't blame the user or their antivirus for the infection.
 http://www.theregister.co.uk/2014/10/23/cryptowall_malvertising_outbreak/

Unfortunately, too, Cryptowall II uses the TOR network for payments and nobody has been able to trace the recipient of ransoms paid.

Again, the right answer is to immediately shut down the PC, yank the drive, back up their files with it connected as a 2nd drive (or USB), and then do battle with the malware.  I learned, last year, that a wounded Cryptowall instantly starts the encryption process.....

P.S.  All of my business clients have automatic backups running each day; but, if Cryptowall does its thing and a backup happens afterwards, you've got two sets of encrypted files!
0
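The "check for encryption before you clean anything" step from the two Davis McCarn posts above (IDs 40415429 and 40422638), as an added example that is not from any poster in this thread: a Python triage script to run on a clean machine against copies pulled off the suspect drive. The file signatures, the 7.5 bits/byte entropy threshold and the sample files are my own assumptions and constructed data, not anything taken from the page; the script never decrypts anything, it only reports which copies are still readable.

```python
"""Triage copies of Office documents for signs of ransomware encryption.

Constructed example: run on a clean machine against files copied off the
drive pulled from the suspect PC. It only reports whether the copies are
still readable, so a machine whose files are intact is not wiped by mistake.
"""
import hashlib
import io
import math
import os
import zipfile
from collections import Counter

# Standard file signatures of the formats the thread is about (assumed, not from the page).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc / .xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .xlsx (OOXML is a zip container)
EXPECTED_MAGIC = {
    ".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC,
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC,
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0 (assumed heuristic)
SAMPLE_BYTES = 4096
RANSOM_NOTE_PREFIX = "DECRYPT_INSTRUCTION"  # note name mentioned in the thread


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Return 'intact', 'likely-encrypted', 'suspicious' or 'unknown-type' for one file copy.

    A header that still matches the extension means the file was not rewritten
    (a ransomware that overwrites the whole file destroys the header). A header
    mismatch plus ciphertext-like entropy is the strongest encryption signal; a
    mismatch with low entropy is merely suspicious (renamed or truncated file).
    """
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        return "unknown-type"
    if data.startswith(expected):
        return "intact"
    if shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "suspicious"


def find_ransom_notes(names) -> list:
    """Return the file names that look like dropped ransom notes."""
    return sorted(n for n in names if os.path.basename(n).upper().startswith(RANSOM_NOTE_PREFIX))


def triage(files: dict) -> dict:
    """Map each file name in {name: bytes} to its classification."""
    return {name: classify(name, data) for name, data in files.items()}


# --- Constructed sample input standing in for files copied off the suspect drive ---
def _constructed_ciphertext(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (not output of any real malware)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def _constructed_docx() -> bytes:
    """A minimal OOXML-style zip container, laid out as a real .docx is on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document>Quarterly report</w:document>")
    return buf.getvalue()


SAMPLES = {
    "report.docx": _constructed_docx(),                                   # intact OOXML file
    "budget.xls": OLE2_MAGIC + b"\x00" * 504 + b"Budget 2014 " * 200,    # intact legacy file
    "notes.doc": _constructed_ciphertext(SAMPLE_BYTES),                  # header overwritten by ciphertext
    "memo.doc": b"Plain text saved with a .doc extension\r\n" * 20,       # wrong header, low entropy
    "DECRYPT_INSTRUCTION.txt": b"placeholder ransom note text (constructed)",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:17s} {name}")
    print("ransom notes:", find_ransom_notes(SAMPLES))
```

A real run would read the bytes of each file from the mounted copy instead of SAMPLES; a single "likely-encrypted" verdict on a document you know was valid is the signal to stop and preserve the disk rather than start cleaning.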
 
LVL 87

Expert Comment

by:rindi
ID: 40422676
If backups are done properly, you only lose very little data if the malware hits you, and that data is still fresh, so it should be possible to reconstruct it easily. So as I mentioned above, all you lose is the time for a restore or to re-type the data. Besides that, you can use add-ons like Adblock Plus in Firefox to suppress ads.
0
 
LVL 39

Expert Comment

by:noci
ID: 40422876
Other nice browser extensions are Ghostery & NoScript, which will block more effectively.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 167 total points
ID: 40423059
Backup is your last and only means to get back data - assuming you are not (yet) putting up the ransom as instructed. It is a ransomware we are facing that, if implemented correctly, should not be flawed so as to recover the crypto key; furthermore, we are talking about private/public key usage - not practical to brute force, in layman's terms...Quite a family of CryptoLocker has spawned off, and payment has even extended to digital currency like Bitcoin instead of wire transfer, to keep LE at bay from tracing back...also what is common is that if the XX hour deadline has passed, the cost increases...of course, as shared in the discussion, also check that the files and data are indeed encrypted first before jumping to conclusions, but minimal chance though.

Good posting on CryptoLocker and mitigation
http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/

There is the LE coming in to disrupt the Gameover ZeuS botnet, which had been used to distribute CryptoLocker and other malware, but this is interim relief, as new schemes and variants (including copy-cat crimeware) revive and emerge. In short, due to the nature of CryptoLocker's operation, most (really) reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of backups (in particular, offline backups made before the infection that are inaccessible from the network, and thus cannot be infected by CryptoLocker).

You can catch the difference between Cryptolocker and Cryptowar:
http://www.csoonline.com/article/2601406/data-protection/why-cryptowall-ransomware-will-remain-a-shadow-of-cryptolocker.html

CryptoWall encrypts files more important to consumers, such as audio and video files. CryptoLocker was more focused on document files.

CryptoWall used 2048-bit RSA keys, which is not meant for encrypting large files. CryptoLocker would encrypt using an Advanced Encryption Standard (AES) algorithm, which is much faster and made for bulk data.
0
 

Author Comment

by:shaunwingin
ID: 40424011
aadih, is this too small for a government to do something about?
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40424027
Far too small.
You are still with this subject open?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 40424041
If they wanted to, they would, because basically the TOR network is funded by the FBI! But I don't think they'd bother, because it seems there are not many people who get infected with it...

I think if you don't want to pay you'll have to forget about your data and start from now on considering an encrypted backup solution ... also you might want to consider using a Linux or FreeBSD desktop, since they don't get exposed like Windows would.
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40424055
0
 

Author Comment

by:shaunwingin
ID: 40430489
Any in UK as seems a lot were affected there? With time a solution may be published - any sites to keep track of to be notified?
0
 
LVL 42

Assisted Solution

by:Davis McCarn
Davis McCarn earned 166 total points
ID: 40430497
Almost 800,000 PCs were afflicted in the U.K.; but, if your files were already encrypted, you have two options: pray that VSS has backups or pay the ransom.
It's part of this article (see the Guide at the bottom) that I posted earlier: http://www.bleepingcomputer.com/forums/t/552103/updated-cryptowall-20-ransomware-released-that-makes-it-harder-to-recover-files/
0
 
LVL 61

Expert Comment

by:btan
ID: 40430717
A very recent variant also occurs which is part of the ransomware family; it locks the screen and is commonly known as ransomlock. The other, that encrypts files, is the cryptolocker which we have been posting about so far. The UK does suffer from both. E.g. the UK will see such a ransomlock scam that is known as the Police Central e-crime Unit ransomware virus (PCEU virus). Another good way to keep up is to subscribe to CERT notifications @ https://www.us-cert.gov/ncas/alerts/TA14-295A
0
 

Author Comment

by:shaunwingin
ID: 40431118
Tx. What is a big number if 800 000 is not????
0
 

Author Comment

by:shaunwingin
ID: 40431119
Any update on this?
 In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.
0
 
LVL 61

Expert Comment

by:btan
ID: 40431150
If we take a look at Dell SecureWorks' sharing, it stated nearly 625,000 systems were infected with CryptoWall (mid-March to August 24, 2014)  http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/

And with reference to Dell SecureWorks' past Operation Tovar, it stated 200,000 computers have been infected with CryptoLocker
http://www.secureworks.com/resources/blog/operation-tovar-dell-secureworks-contributes-to-efforts-targeting-gameover-zeus-and-cryptolocker/index.html
0
 
LVL 87

Expert Comment

by:rindi
ID: 40431301
Weakening the infrastructure doesn't mean much in the long run. It is at best a temporary measure, as the crooks will find alternatives. If anything, the weakened infrastructure may just make it harder for them to collect the cash, and so it may make it even harder to get the correct keys after a ransom payment. So for the infected it might even be "worse".
0
 
LVL 61

Expert Comment

by:btan
ID: 40431811
In fact, the US-CERT post stated this:
Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC (link sends e-mail) .
0
 

Author Comment

by:shaunwingin
ID: 40432084
Tx - anything from the UK authorities as South Africa is closer to them... perhaps worth reporting....
0
 
LVL 61

Expert Comment

by:btan
ID: 40432135
Kindly see UK CERT suggesting 15K machines affected: https://www.cert.gov.uk/resources/news/2014/06/nca-announcement-on-gameover-zeus-and-cryptolocker/
The Action Fraud centre started off on CryptoLocker in Dec 2013, as stated in http://www.actionfraud.police.uk/cryptoLocker-alert-update-dec13
0
 

Author Comment

by:shaunwingin
ID: 40432144
tx - but unfortunately...
Outside the UK

Action Fraud is not able to take reports of fraud which happened outside the UK to people who were outside the UK at the time of the fraud. If you live outside the UK and the fraud was not carried out from the UK, please contact your local police force. If you are a UK resident who was defrauded whilst abroad, and the fraud was not carried out from the UK, please contact the local police force of the country you were staying in.
0
 
LVL 61

Expert Comment

by:btan
ID: 40432154
The affected machines stated by CERT UK are mentioned to be within the UK, so if you are looking at more and beyond, I doubt there is public news on that :)
0
 

Author Comment

by:shaunwingin
ID: 40462048
Any progress on the decryption out there?
0
 
LVL 61

Expert Comment

by:btan
ID: 40462110
Nope, as per what is already shared. If you are pining for decryption of those keys, please think twice; it is not practical to decrypt them, as already stated. I doubt effort will be put into decryption, as compared to backup recovery or restoring an old copy. If the recovery is not available (as wiped out or not done), then it is tough to get back data.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40462112
The 2014 flavor of Cryptowall receives a 2048 bit encryption key from the malware authors' server and uses it as the encryption key.  In decimal, that number has 617 digits and estimates are that it would take up to a thousand years to find that key.
Unless you have backups, Volume Shadow Copy versions of the files, or are lucky enough to be able to recover the erased versions with something like GetDataBack, the files are gone for good.  Sorry.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 40462153
Yep as everyone said, there's no way you could get these files back unless you get the key from the developer .. If NSA would do you a favor they might be able to decrypt those files in 24 hours since they have the needed technology.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40463495
"  It is therefore estimated, that standard desktop computing power would take 4,294,967,296 x 1.5 million years to break a DigiCert 2048-bit SSL certificate. Or, in other words, a little over 6.4 quadrillion years. "
https://www.digicert.com/TimeTravel/math.htm

C'mon guys, my estimate of 1,000 years was based on a supercomputer so the NSA ain't no help at all.
0
 
LVL 61

Expert Comment

by:btan
ID: 40463555
Once again, besides the work factor to crack the crypto, which is never realistic (yap), the update to the ransomware stays the same pitch - http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information#decrypt
There is CryptoUnlocker, but highly doubtful it is working as claimed  ..
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 40463948
Thanks for the article Davis... Never expected that it would be that hard to break the SSL certificate. When I read about the NSA scandal there were a lot of articles talking about how the NSA requested from public certificate providers to weaken the strength of the keys for certificates in order to crack them. So that explains it.
0
 

Author Comment

by:shaunwingin
ID: 40487377
Any further updates perhaps - it's a matter of time surely?
0
 
LVL 87

Expert Comment

by:rindi
ID: 40487404
Years, decades maybe. But very unlikely any faster.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40487787
I guess you don't really understand.....
Cryptowall sent a message to the bad guys' servers and got back a 2048 bit encryption number which was unique to your PC and was then used to encrypt all of the files you have found to be trashed (and maybe a bunch more).  Once they were encrypted, nothing but the retrieval of that number or a supercomputer (10 million dollars+) and a thousand years has any chance of cracking that encryption!
You are already WAY past the deadline to cough up $1,000 (the secondary ransom), so you are totally screwed.
Sorry.
0
 
LVL 61

Accepted Solution

by:btan
btan earned 167 total points
ID: 40488007
There is really no means to break a proven and true encryption scheme. Data worthiness and value also diminish with time, and if we know this, and if the encryption can really be broken within a short period (assuming not the scientific or math brute force discussed), then it is actually the adversary's folly in using a weak or backdoored, non-recognised crypto scheme.

Nowadays, besides the simple XOR which you hardly find in ransomware such as this CryptoWall and CryptoLocker families implementing new crypto, there are not many adversaries who invest in such an attempt to derive their own crypto libraries...understand that it is the private key we are missing and wanting to have ... or just wait for the next implementation flop (having the private key in the victim machine...)

Recently reported is a parasite-based ransomware, VirRandom, which embeds the decryption within itself and hence allows security researchers to decrypt w/o paying the ransom.
0
 
LVL 3

Expert Comment

by:Glingo
ID: 40588900
Hi,

Just an update: I found a service that seems to help to decrypt the files (free and without registration):

https://www.fox-it.com/en/press-releases/fireeye-fox-announce-new-service-help-cryptolocker-victims/

Also to help you to remove infested files:

http://www.wintips.org/how-to-remove-cryptolocker-ransomware-and-restore-your-files/

(I know I shouldn't be posting links like this, but I already answered in this thread and I think these links can help.)
0
 
LVL 61

Expert Comment

by:btan
ID: 40590103
One caveat is that the service is specific to certain variants and the private keys they have are not comprehensive - meaning not 100% - and they got those from their other sources. There is no real decryption possible w/o the private key; consider retrieval of the last good backup ..
0
