Solved

CryptoWall 3.0 hack

Posted on 2015-01-29
Last Modified: 2015-02-13
Greetings Experts,

One of my clients suffered a Cryptowall virus last night. It ran on a PC and encrypted all the files on the share drive. I have a backup, but this happened before the backup ran last night, so the entire company would be out a day's work... not the end of the world, but not good.

Does anyone have any experience with this virus and getting the files unencrypted? Not too excited about paying a ransom... not due to the cost but due to the overall picture of whether they will even send the key and whether the files will be damaged.

I found this site via USA Today; can it hurt to run the decrypt? If the business owner opts to pay the ransom, I don't want to damage anything:
https://decryptcryptolocker.com/

This website explains my exact situation:
http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/

Any help would be great..
Thank you in advance..
Kacey
Question by:kaceyjames
9 Comments
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 40578071
Depending on the version of Windows and what is enabled or disabled, you may be able to right-click on the file and then left-click on "Restore Previous Version".  If that works, there are ways to automate it for many files.
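One way to automate the "Restore Previous Version" step for a whole folder, as an added example that is not part of this thread: it copies a folder out of the newest Volume Shadow Copy taken before a cutoff time, and stops if no such snapshot exists. The drive letter, paths and cutoff time are placeholders to replace; it assumes an elevated PowerShell on the file server and paths without spaces.

```powershell
# Added example, not from this thread. Recovers a folder from the newest Volume
# Shadow Copy taken before a given time, without touching the encrypted originals.
# Assumptions: elevated PowerShell on the file server, VSS was enabled on that
# volume, paths contain no spaces, and the placeholders below are replaced.
$DriveLetter = 'D:'                          # volume that holds the share (placeholder)
$SourceRel   = 'Shares\Company'              # folder to recover, relative to the volume
$RecoverTo   = 'C:\Recovery\Company'         # write recovered copies to a clean volume
$Before      = Get-Date '2015-01-28 18:00'   # last moment known to be pre-infection
$LinkPath    = 'C:\ShadowLink'               # temporary symlink to the snapshot

# Win32_ShadowCopy.VolumeName uses the \\?\Volume{GUID}\ form, so map the
# drive letter to that form via Win32_Volume.DeviceID.
$volumeId = (Get-CimInstance Win32_Volume |
    Where-Object DriveLetter -eq $DriveLetter).DeviceID
if (-not $volumeId) { throw "Volume $DriveLetter not found" }

# Pick the most recent snapshot created before the cutoff. If VSS was disabled
# (as it was in this thread), the list is empty and we stop here.
$snapshot = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $Before } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $snapshot) {
    throw "No shadow copy of $DriveLetter from before $Before; fall back to backups"
}
Write-Host "Using snapshot from $($snapshot.InstallDate): $($snapshot.DeviceObject)"

# A snapshot is only reachable through its \\?\GLOBALROOT device path; the
# trailing backslash on the mklink target is required.
if (Test-Path $LinkPath) { cmd /c "rmdir $LinkPath" | Out-Null }
cmd /c "mklink /d $LinkPath $($snapshot.DeviceObject)\" | Out-Null

try {
    # Read-only copy out of the snapshot; nothing on the live share is modified.
    robocopy "$LinkPath\$SourceRel" $RecoverTo /E /R:1 /W:1 /NFL /NDL
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
} finally {
    # rmdir removes the link itself, not the snapshot contents behind it.
    cmd /c "rmdir $LinkPath" | Out-Null
}
```

Verify a sample of recovered files open cleanly before replacing anything on the share; if the snapshot was taken after the encryption started, its files are just as unreadable as the live ones.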
 

Author Comment

by:kaceyjames
ID: 40578086
Thank you for the quick reply; unfortunately, shadow copy was disabled. It was interfering with the backup at one point, so we disabled it.
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 40578104
I have had that decryption site link recommended to me, but I've never used it. I'd certainly give it a shot with a few files, after backing them up, of course!
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578175
Give it a shot, but I personally have never seen anything other than a full wipe and restore from backup work on ransomware type malware like this one.

Be sure you have a full DR backup, as well as a file backup. The cost, last I looked, was about 5k (USD). Not sure if that has gone up or down.

Do you have a versioning solution in place? For instance, you can completely recover files if your client uses CrashPlanPROe or CP for Home. Same with SpiderOak and a plethora of similar apps.
 
LVL 25

Expert Comment

by:madunix
ID: 40578440
The only way is to restore files via a restore point or a backup; however, you could check the following:
http://www.precisesecurity.com/rogue/remove-cryptowall
 
LVL 27

Accepted Solution

by:
Thomas Zucker-Scharff earned 500 total points
ID: 40578461
CrashPlan and similar services provide versioning backup, so if you do get zapped with ransomware you can restore your files from an older version. (I have mine set to back up changes every 15 minutes, and any changed files create new versions.) We have been successful here at work in recovering whole computers that have been hit with cryptowall-type malware because we use CrashPlanPROe. I use it at home as well.

Dropbox also has versioning, but not only do you have little control over that, it takes them about 3-4 days before they can recover just your Dropbox from a ransomware attack (you need to put in a ticket).
 

Author Comment

by:kaceyjames
ID: 40578514
Thanks for the info. Going to try the tool and see if I get anywhere tonight. I'll post back with results.

One more question... if I have my users access the file server with a shortcut link on the desktop instead of a drive letter, will the ransomware still find the server files? Just looking for some preventive measures for the future...
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578527
As far as I know, only mapped drives. But the real problem is user education.
 

Author Closing Comment

by:kaceyjames
ID: 40608886
Thanks for all your comments on this.
I just deleted the encrypted folder and used my backup to restore the files from the previous day. We lost one day's work.

Tried to un-encrypt with a few tools, but it didn't work. As far as I can tell they haven't caught up to v3 of the crypto; they seem to work sometimes on v2.

Hope no one else gets caught with this.
Kacey