Cryptowall 3.0 Decryption?

I am looking for any insight into any successful methods of dealing wit files that were encrypted by the Cryptowall 3.0 malware. Has anyone had any success with this process?
tc6atim Asked:

dbrunton Commented:
None exists at this stage.

Have a look at the Bleeping Computer article http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information for a description of Cryptowall and various strategies.
rindi Commented:
The only "Successful" method is to remove the infection, delete the files and restore them from your backups.
Thomas Zucker-Scharff (Solution Guide) Commented:
I just finished an article on ransomware infections (not published yet) and the only thing that was of any use was prevention. If you have either shadow copies or backups you may have a better chance (some iterations of the ransomware will encrypt the shadow copies as well). For prevention check out http://www.foolishit.com/vb6-projects/cryptoprevent/.
madunix (Fadi SODAH), Chief Information Security Officer, Commented:
The only way is to restore files via restore point or a backup; however, you could check the following:
http://www.precisesecurity.com/rogue/remove-cryptowall
Thomas Zucker-Scharff (Solution Guide) Commented:
The only removal/decryption is for the original Cryptolocker, AFAIK. The best info is on bleepingcomputer. Here are some references:

Cryptolocker: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information.
Cryptodefense: http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information
CTB Locker and Critoni: http://www.bleepingcomputer.com/virus-removal/ctb-locker-ransomware-information
CryptoWall: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
Coinvault: http://www.bleepingcomputer.com/virus-removal/coinvault-ransomware-information

For more general cryptography information (and a more technical bent), check out this article by Giovanni Heward:

http://www.experts-exchange.com/Security/Encryption/A_12460-Cryptanalysis-and-Attacks.html

User MASQ has an excellent post on CTB-Locker as an answer to a question here.
Oleksiy Gayda Commented:
As many others have pointed out already, files encrypted by Cryptowall 3.0 cannot be decrypted (they're technically not encrypted as much as they are corrupted - for the sake of performance this variant encrypts only a small "strip" of each file, not the entire contents, but it's enough to make it unusable). If the user that got infected did not have local admin privileges on the system, you may be able to recover files from the Windows Shadow Copies, as Thomas suggested. If the user had admin access, CryptoWall 3.0 running with their account would have deleted and disabled the Shadow Copies and Restore Points.

Unfortunately, without having backups, the only way to get files back is to pay the ransom. However, please note that depending on the country, doing so may be illegal. Since the ransom paid may go to fund illegal activities (under the Foreign Corrupt Practices Act and US Dept. of Treasury's Office of Foreign Assets Control regulations), paying the ransom can potentially mean up to 30 years imprisonment and $20 million fines, if your Bitcoin payment is ever traced to funding a criminal or terrorist organization. Just something to keep in mind, especially if you're considering paying the ransom using your company's expense accounting.
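Oleksiy's point that this variant overwrites only a strip at the start of each file suggests a triage step that needs no decryption: find the files whose header no longer matches their type, so they can be listed for restoration from backup. The following is an added example, not code from this thread or from any tool linked above; the magic-number table is a deliberately small constructed subset, and the sample directory is constructed inline.

```python
import math
import os
import tempfile
from collections import Counter

# Well-known magic numbers for a few common formats (constructed subset).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}

def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 suggest ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_file(path, strip=512):
    """Return a reason string if the file's header looks damaged, else None."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return None  # unknown type: the header alone cannot tell us
    with open(path, "rb") as fh:
        head = fh.read(strip)
    if head.startswith(expected):
        return None
    h = entropy(head)
    return f"header mismatch, entropy {h:.2f} bits/byte" + (" (high)" if h > 7.0 else "")

def scan_tree(root):
    """Walk a directory; map each suspicious path to the reason it was flagged."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reason = check_file(path)
            if reason:
                flagged[path] = reason
    return flagged

def build_sample_tree():
    """Constructed sample: two intact files and one whose first 512 bytes were overwritten."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "ok.png"), "wb") as fh:
        fh.write(MAGIC[".png"] + b"\x00" * 2000)
    with open(os.path.join(root, "ok.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"%" * 2000)
    with open(os.path.join(root, "hit.pdf"), "wb") as fh:
        fh.write(os.urandom(512) + b"%" * 2000)  # head destroyed, tail intact
    return root
```

Run `scan_tree` over a share to get a restore list; a file that passes this check is not proven intact, since only the leading strip is inspected.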

David Johnson, CD, MVP (Owner) Commented:
Cryptowall and variants use the current state-of-the-art cryptography that the internet depends on. With the long keys used AND current technology (even putting the file in a ramdisk), it will take decades if not longer to find the key that will decrypt 1 file, even if you had the original source to compare against, so unless you plan to need the file in the next millennia you can't reasonably expect to be able to decrypt it. The file is gone; your only real choice is restore from backup or other saved copy of the file.