Solved

CryptoWall 3.0 hack

Posted on 2015-01-29
Last Modified: 2015-02-13
Greetings Experts,

One of my clients suffered a Cryptowall virus last night.  It ran on a pc and encrypted all the files on the share drive.  I have a backup, but this happened before the backup ran last night, so the entire company would be out a day’s work.. not the end of the world, but not good.

Does anyone have any experience with this virus and getting the files unencrypted?  Not too excited in paying a random.. not due to the cost but due to the overall picture of if they will even send the key and if the files will be damaged.

I found this site via usa today, can it hurt to run the decrypt?  If the business owner opts to pay the ransom, don’t want to damage anything:
https://decryptcryptolocker.com/

This website explains my exact situation:
http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/

Any help would be great..
Thank you in advance..
Kacey
Question by:kaceyjames

9 Comments
Expert Comment

by:CompProbSolv
Depending on the version of Windows and what is enabled or disabled, you may be able to right-click on the file and then left-click on "Restore Previous Version".  If that works, there are ways to automate it for many files.
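The comment above mentions that "Restore Previous Version" can be automated for many files. The following PowerShell script is an added illustration of one way to do that (it is not the commenter's own script and is not from the original thread). It assumes an elevated PowerShell session on the file server, that Volume Shadow Copy snapshots of the share's volume existed before the encryption ran (the question author had them disabled, so it would not have helped in this case), and the volume, folder, restore path and timestamp are placeholders to be replaced.

```powershell
# Added example (not from the thread): bulk-restore a folder from the newest
# Volume Shadow Copy snapshot taken before a ransomware infection, instead of
# right-clicking "Restore Previous Versions" file by file.
# Assumptions: elevated session on the file server; snapshots exist for the
# volume; all paths and the timestamp below are placeholders.

param(
    [string]   $Volume    = 'D:\',                        # volume hosting the share
    [string]   $SourceDir = 'Shares\Company',             # folder inside the volume to recover
    [string]   $RestoreTo = 'D:\Restore\Company',         # restore target; never overwrite the encrypted tree in place
    [datetime] $Before    = (Get-Date '2015-01-28 18:00') # infection time: use the newest snapshot older than this
)

# 1. Map the drive letter to its volume GUID path; Win32_ShadowCopy refers to volumes that way.
$volumeId = (Get-CimInstance -ClassName Win32_Volume |
             Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID

# 2. List the snapshots of that volume, newest first (same data as "vssadmin list shadows").
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $volumeId } |
             Sort-Object InstallDate -Descending
$snapshots | Format-Table InstallDate, DeviceObject -AutoSize

# 3. Pick the newest snapshot created before the infection.
$snap = $snapshots | Where-Object { $_.InstallDate -lt $Before } | Select-Object -First 1
if (-not $snap) { throw "No shadow copy of $Volume older than $Before exists." }

# 4. Expose the snapshot as a directory symbolic link.
#    The trailing backslash on the device object path is required.
$link = Join-Path $env:SystemDrive 'vss_restore'
if (Test-Path $link) { cmd /c rmdir $link }
cmd /c mklink /d $link "$($snap.DeviceObject)\"

# 5. Copy the pre-infection tree out of the snapshot. /E copies subfolders,
#    /COPY:DAT keeps data, attributes and timestamps, and the log records what was restored.
robocopy (Join-Path $link $SourceDir) $RestoreTo /E /COPY:DAT /R:1 /W:1 /LOG:restore.log

# 6. Remove the link (rmdir deletes the symbolic link only, not the snapshot itself).
cmd /c rmdir $link
```

Restoring into a separate folder and then comparing it against the encrypted tree is deliberate: it leaves the evidence of the infection untouched and avoids copying anything back before the infected machine has been cleaned.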
Author Comment

by:kaceyjames
Thank you for the quick reply, unfortunately shadow copy was disabled.  It was interfering with the backup at one point so we disabled it.
Expert Comment

by:CompProbSolv
I have had that decryption site link recommended to me but I've never used it.  I'd certainly give it a shot with a few files, after backing them up, of course!
Expert Comment

by:Thomas Zucker-Scharff
Give it a shot, but I personally have never seen anything other than a full wipe and restore from backup work on ransomware type malware like this one.

Be sure you have a full DR backup, as well as a file backup.  The cost last I looked was about 5k (USD).  Not sure if that has gone up or down.

Do you have a versioning solution in place?  For instance, you can completely recover files if your client uses CrashPlanPROe or CP for Home.  Same with Spideroak and a plethora of similar apps.
Expert Comment

by:madunix
The only way is to restore files via restore point or a backup, however you could check the following:
http://www.precisesecurity.com/rogue/remove-cryptowall
Accepted Solution

by:Thomas Zucker-Scharff earned 500 total points
CrashPlan and similar services provide versioning backup, so if you do get zapped with ransomware you can restore your files from an older version.  (I have mine set to back up changes every 15 minutes, and any changed files create new versions.)  We have been successful here at work in recovering whole computers that have been hit with cryptowall type malware because we use CrashPlanPROe.  I use it at home as well.

DropBox also has versioning, but not only do you have little control over that, it takes them about 3-4 days before they can recover just your DropBox from a ransomware attack (you need to put in a ticket).
Author Comment

by:kaceyjames
Thanks for the info.  Going to try the tool and see if I get anywhere tonight.  I'll post back with results.

One more question.. if I have my users access the file server with a shortcut link on the desktop instead of a drive letter, will the ransomware still find the server files?  Just looking for some preventive measures for the future..
Expert Comment

by:Thomas Zucker-Scharff
As far as I know, only mapped drives.  But the real problem is user education.
Author Closing Comment

by:kaceyjames
Thanks for all your comments on this.
I just deleted the encrypted folder and used my backup to restore the files from the previous day.  We lost one day's work.

Tried to un-encrypt, with a few tools, but it didn't work.  As far as I can tell they haven't caught up to v3 of the crypto, they seem to work sometimes on v2.

Hope no one else gets caught with this.
Kacey