Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

CryptoWall 3.0 hack

Posted on 2015-01-29
9
527 Views
Last Modified: 2015-02-13
Greetings Experts,

One of my clients suffered a Cryptowall virus last night.  It ran on a pc and encrypted all the files on the share drive.  I have a backup, but this happened before the backup ran last night, so the entire company would be out a day’s work.. not the end of the world, but not good.

Does anyone have any experience with this virus and getting the files unencrypted?  Not too excited in paying a random.. not due to the cost but due to the overall picture of if they will even send the key and if the files will be damaged.

I found this site via usa today, can it hurt to run the decrypt?  If the business owner opts to pay the ransom, don’t want to damage anything:
https://decryptcryptolocker.com/

This website explains my exact situation:
http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/

Any help would be great..
Thank you in advance..
Kacey
0
Comment
Question by:kaceyjames
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 40578071
Depending on the version of Windows and what is enabled or disabled, you may be able to right-click on the file and then left-click on "Restore Previous Version".  If that works, there are ways to automate it for many files.
0
 

Author Comment

by:kaceyjames
ID: 40578086
Thank you for the quick reply, unfortunately shadow copy was disabled.  It was interfering with the backup at one point so we disabled it.
0
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 40578104
I have had that decryption site link recommended to me but I've never used it.  I'd certainly give it a shot with a few files, after backing them up, of course!
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578175
Give it a shot, but I personally have never seen anything other than a full wipe and restore from backup work on ransomware type malware like this one.

Be sure you have a full DR backup, as well as a file backup.  The cost last I looked was about 5k (USD).  Not sure if that has gone up or down.

Do have a versioning solution in place?  For instance, you can completely recover file if your client uses CrashPlanPROe or CP for Home.  Same with Spideroak and a plethora of similar apps.
0
 
LVL 25

Expert Comment

by:madunix
ID: 40578440
The only way is to restore files via restore point or a backup, however you could check the following:
http://www.precisesecurity.com/rogue/remove-cryptowall
0
 
LVL 27

Accepted Solution

by:
Thomas Zucker-Scharff earned 500 total points
ID: 40578461
CrashPlan and similar services provide versioning backup so if you do get zapped with ransomware  you can restore your files from an older version. (I have mine set to backup changes every 15 minutes and any changed files create new versions.  We have been successful here at work in recovering whole computers that have been hit with cryptowall type malware because we use CrashPlanPROe.  I use it at home as well.  

DropBox also has versioning, but not only do you have little control over that, it takes them about 3-4 days before they can recover just your DropBox from a ransomware attack (you need to put in a ticket).
0
 

Author Comment

by:kaceyjames
ID: 40578514
Thanks for the info.  Going to try the tool and see if I get anywhere tonight.  I'll post back with results.

One more question.. if I have my users access the file server with a shortcut link to the desktop instead of a drive letter, will the ransom ware still find the server files?  Just looking for some preventive measures for the future..
0
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578527
As far as I know,  only mapped drives. But the real problem is user education.
0
 

Author Closing Comment

by:kaceyjames
ID: 40608886
Thanks for all your comments on  this.  
I just deleted the encrypted folder and used my backup to restore the files from the previous day.  We lost one day's work.

Tried to un-encrypt, with a few tools, but it didn't work.  As far as I can tell they haven't caught up to v3 of the crypto, they seem to work sometimes on v2.

Hope no one else gets caught with this.
Kacey
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question