
CryptoWall 3.0 hack

Posted on 2015-01-29
Last Modified: 2015-02-13
Greetings Experts,

One of my clients suffered a CryptoWall virus last night.  It ran on a PC and encrypted all the files on the share drive.  I have a backup, but this happened before the backup ran last night, so the entire company would be out a day's work.  Not the end of the world, but not good.

Does anyone have any experience with this virus and getting the files decrypted?  Not too excited about paying a ransom, not due to the cost but due to the bigger question of whether they will even send the key and whether the files will be damaged.

I found this site via USA Today.  Can it hurt to run the decryptor?  If the business owner opts to pay the ransom, I don't want to damage anything:
https://decryptcryptolocker.com/

This website explains my exact situation:
http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/

Any help would be great.
Thank you in advance.
Kacey
Question by: Kacey Fern

9 Comments
 
LVL 22

Expert Comment

by:CompProbSolv
ID: 40578071
Depending on the version of Windows and what is enabled or disabled, you may be able to right-click on the file and then left-click on "Restore Previous Version".  If that works, there are ways to automate it for many files.
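The "Restore Previous Version" route described above relies on Volume Shadow Copy. The following is an added example, not code posted in this thread, of automating it for many files with PowerShell: it enumerates the shadow copies of the volume that hosts the share, picks the newest one taken before the infection, exposes that snapshot through a directory symbolic link, and copies the pre-infection tree out with robocopy. The drive letters, folder names, cutoff time and the use of PowerShell 3.0 or later (for Get-CimInstance) are assumptions; run it elevated on the file server. When no usable snapshot exists, as in the asker's case where Shadow Copy had been disabled, it stops with a clear message rather than copying anything.

```powershell
# Added example (not from the thread): recover a pre-infection copy of a folder
# from the newest Volume Shadow Copy taken before the ransomware ran.
# Assumptions: run elevated on the file server; PowerShell 3.0+; paths below are placeholders.

$Volume    = 'D:\'                   # volume that hosts the share (assumption)
$SourceRel = 'Shares\Company'        # folder to recover, relative to the volume root (assumption)
$RestoreTo = 'E:\Recovered\Company'  # destination on a clean volume (assumption)
$Cutoff    = Get-Date '2015-01-28 18:00'   # assumption: time the encryption started

# 1. Find the shadow copies that belong to this volume, newest first.
#    Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID (the \\?\Volume{GUID}\ form).
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }
if (-not $vol) { throw "Volume $Volume not found." }

$copies = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $copies) { throw "No shadow copies exist for $Volume; Previous Versions cannot help here." }
$copies | Format-Table InstallDate, ID, DeviceObject -AutoSize

# 2. Use the newest snapshot that predates the infection; anything newer already holds encrypted files.
$snap = $copies | Where-Object { $_.InstallDate -lt $Cutoff } | Select-Object -First 1
if (-not $snap) { throw "Every shadow copy post-dates $Cutoff; nothing clean to restore from." }
Write-Host "Restoring from snapshot taken $($snap.InstallDate)"

# 3. Expose the snapshot as a directory. The device path must end with a backslash for mklink.
$link = Join-Path $env:TEMP ('vss_' + $snap.ID.Trim('{}'))
cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null

try {
    New-Item -ItemType Directory -Force -Path $RestoreTo | Out-Null
    # 4. Copy the clean tree out. /E includes subfolders, /COPY:DAT keeps data, attributes and
    #    timestamps, /R:1 /W:1 keeps locked files from stalling the run, /LOG+ records what moved.
    robocopy (Join-Path $link $SourceRel) $RestoreTo /E /COPY:DAT /R:1 /W:1 /NP /LOG+:"$RestoreTo\restore.log"
}
finally {
    # 5. Remove the link so nothing writes into the snapshot path by accident.
    cmd /c rmdir "$link" | Out-Null
}
```

Restore to a separate, clean volume rather than over the encrypted share, so the encrypted copies remain available for analysis or for a paid decryptor if the owner later decides to go that way.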
 

Author Comment

by:Kacey Fern
ID: 40578086
Thank you for the quick reply.  Unfortunately, Shadow Copy was disabled.  It was interfering with the backup at one point, so we disabled it.
 
LVL 22

Expert Comment

by:CompProbSolv
ID: 40578104
I have had that decryption site link recommended to me but I've never used it.  I'd certainly give it a shot with a few files, after backing them up, of course!

 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578175
Give it a shot, but I personally have never seen anything other than a full wipe and restore from backup work on ransomware-type malware like this one.

Be sure you have a full DR backup, as well as a file backup.  The cost last I looked was about 5k (USD).  Not sure if that has gone up or down.

Do you have a versioning solution in place?  For instance, you can completely recover files if your client uses CrashPlanPROe or CP for Home.  Same with SpiderOak and a plethora of similar apps.
 
LVL 25

Expert Comment

by:madunix
ID: 40578440
The only way is to restore files via a restore point or a backup; however, you could check the following:
http://www.precisesecurity.com/rogue/remove-cryptowall
 
LVL 30

Accepted Solution

by:
Thomas Zucker-Scharff earned 2000 total points
ID: 40578461
CrashPlan and similar services provide versioning backup, so if you do get zapped with ransomware you can restore your files from an older version.  (I have mine set to back up changes every 15 minutes, and any changed files create new versions.)  We have been successful here at work in recovering whole computers that have been hit with CryptoWall-type malware because we use CrashPlanPROe.  I use it at home as well.

Dropbox also has versioning, but not only do you have little control over that, it takes them about 3-4 days before they can recover just your Dropbox from a ransomware attack (you need to put in a ticket).
 

Author Comment

by:Kacey Fern
ID: 40578514
Thanks for the info.  Going to try the tool and see if I get anywhere tonight.  I'll post back with results.

One more question: if I have my users access the file server with a shortcut link on the desktop instead of a drive letter, will the ransomware still find the server files?  Just looking for some preventive measures for the future.
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 40578527
As far as I know, only mapped drives.  But the real problem is user education.
 

Author Closing Comment

by:Kacey Fern
ID: 40608886
Thanks for all your comments on this.
I just deleted the encrypted folder and used my backup to restore the files from the previous day.  We lost one day's work.

Tried to decrypt with a few tools, but it didn't work.  As far as I can tell they haven't caught up to v3 of the crypto; they seem to work sometimes on v2.

Hope no one else gets caught with this.
Kacey