Solved

CryptoWall 3.0 hack

Posted on 2015-01-29
9
522 Views
Last Modified: 2015-02-13
Greetings Experts,

One of my clients suffered a Cryptowall virus last night.  It ran on a pc and encrypted all the files on the share drive.  I have a backup, but this happened before the backup ran last night, so the entire company would be out a day’s work.. not the end of the world, but not good.

Does anyone have any experience with this virus and getting the files unencrypted?  Not too excited in paying a random.. not due to the cost but due to the overall picture of if they will even send the key and if the files will be damaged.

I found this site via usa today, can it hurt to run the decrypt?  If the business owner opts to pay the ransom, don’t want to damage anything:
https://decryptcryptolocker.com/

This website explains my exact situation:
http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/

Any help would be great..
Thank you in advance..
Kacey
0
Comment
Question by:kaceyjames
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 40578071
Depending on the version of Windows and what is enabled or disabled, you may be able to right-click on the file and then left-click on "Restore Previous Version".  If that works, there are ways to automate it for many files.
0
 

Author Comment

by:kaceyjames
ID: 40578086
Thank you for the quick reply, unfortunately shadow copy was disabled.  It was interfering with the backup at one point so we disabled it.
0
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 40578104
I have had that decryption site link recommended to me but I've never used it.  I'd certainly give it a shot with a few files, after backing them up, of course!
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578175
Give it a shot, but I personally have never seen anything other than a full wipe and restore from backup work on ransomware type malware like this one.

Be sure you have a full DR backup, as well as a file backup.  The cost last I looked was about 5k (USD).  Not sure if that has gone up or down.

Do have a versioning solution in place?  For instance, you can completely recover file if your client uses CrashPlanPROe or CP for Home.  Same with Spideroak and a plethora of similar apps.
0
Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

 
LVL 25

Expert Comment

by:madunix
ID: 40578440
The only way is to restore files via restore point or a backup, however you could check the following:
http://www.precisesecurity.com/rogue/remove-cryptowall
0
 
LVL 26

Accepted Solution

by:
Thomas Zucker-Scharff earned 500 total points
ID: 40578461
CrashPlan and similar services provide versioning backup so if you do get zapped with ransomware  you can restore your files from an older version. (I have mine set to backup changes every 15 minutes and any changed files create new versions.  We have been successful here at work in recovering whole computers that have been hit with cryptowall type malware because we use CrashPlanPROe.  I use it at home as well.  

DropBox also has versioning, but not only do you have little control over that, it takes them about 3-4 days before they can recover just your DropBox from a ransomware attack (you need to put in a ticket).
0
 

Author Comment

by:kaceyjames
ID: 40578514
Thanks for the info.  Going to try the tool and see if I get anywhere tonight.  I'll post back with results.

One more question.. if I have my users access the file server with a shortcut link to the desktop instead of a drive letter, will the ransom ware still find the server files?  Just looking for some preventive measures for the future..
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578527
As far as I know,  only mapped drives. But the real problem is user education.
0
 

Author Closing Comment

by:kaceyjames
ID: 40608886
Thanks for all your comments on  this.  
I just deleted the encrypted folder and used my backup to restore the files from the previous day.  We lost one day's work.

Tried to un-encrypt, with a few tools, but it didn't work.  As far as I can tell they haven't caught up to v3 of the crypto, they seem to work sometimes on v2.

Hope no one else gets caught with this.
Kacey
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now