
How to bust Cryptowall 3.0 Ransomware?

Alyork asked:
Hi.

Had a client open what looked like a legitimate email and clicked on the .zip file.

By the time I was called it was way too late.  All the document and database type files on the workstation were encrypted and locked, and so were all the files on the Server shares.

The Server was a no brainer. Restored all the drives from the last backups with no files lost.  

This nasty piece of work walked through the Sonicwall and the local AV software like it didn't exist.

It turned out to be the new variant of Cryptowall v 3.0.

So my question is, does anyone have any ideas, short of paying their extortion fee, on how to get the workstation files back? The user was doing the work on her workstation without considering putting it on the Server.

None of the techniques that worked with the earlier variant of Cryptowall work with 3.0.

The workstation is Windows XP Pro, and please refrain from pointing out that MS is not generally supporting XP anymore.

Thanks - Al
Attachment: CryptoWall-3.0.pdf

NVIT (End-user support)

Commented:
Salvage what data you can, if possible. Then, nuke and repave that station
Top Expert 2016

Commented:
no you're done.. the files are gone
Most Valuable Expert 2013
Commented:
Yep, if you have no backup your options are to pay the ransom or waste several years on brute-force decryption. With ransomware, prevention is generally the better option; I suggest locking down some user access as described here:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

There is some progress on cracking the newer variants but getting users to behave responsibly with Trojans is still the weak point that is being exploited.

Reduced network permissions and early reporting can save a lot of grief.
Eirman (Chief Operations Manager)
Commented:
clicked on the .zip file
If file extensions are showing, that in itself would not cause the ransomware to be installed.
Running the contents of the zip file probably would.

The odds are that windows is set to the unfortunate default where file extensions are hidden.
Your client probably unwittingly ran one of these...
Filename.zip.pif
Filename.zip.com
Filename.zip.exe
Filename.zip.bat
Fuller List

This is also essential reading on the above and the UNITRIX Exploit.
http://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/

You should consider installing
http://www.foolishit.com/vb6-projects/cryptoprevent/cryptoprevent-auto-update/
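The double-extension and Unitrix (right-to-left override, U+202E) tricks described in the comment above can be checked mechanically before an attachment is opened. The following is an added example, not code from the thread or from CryptoPrevent: it models what Explorer shows for a filename with extensions hidden or visible, and flags names whose displayed form hides an executable. The extension lists and the sample attachment names are constructed assumptions, and the bidi rendering is a simplified model (text after the first RLO is reversed), which is enough to reproduce the classic "photo\u202Egpj.scr" displayed as "photorcs.jpg".

```python
"""Flag attachment names that disguise an executable as a document or archive.

Added example for the thread above; not part of the original post or any
product it mentions.  Extension lists are assumptions, not exhaustive.
"""
from dataclasses import dataclass, field

# Extensions Windows runs directly on double-click: the four the comment
# names (.pif .com .exe .bat) plus other common ones (assumed list).
EXECUTABLE_EXTS = {
    ".exe", ".com", ".pif", ".bat", ".cmd", ".scr", ".cpl", ".hta", ".lnk",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
}

# Extensions a user reads as "just a document or archive" (assumed list).
DECOY_EXTS = {
    ".zip", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png",
}

# Unicode bidirectional control characters.  U+202E (RIGHT-TO-LEFT OVERRIDE)
# is the Unitrix trick: everything after it is drawn reversed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}
RLO = "\u202e"


@dataclass
class Verdict:
    filename: str
    real_ext: str            # extension Windows actually uses to open the file
    shown_ext_hidden: str    # what Explorer shows with extensions hidden
    shown_ext_visible: str   # what Explorer shows with extensions visible
    reasons: list = field(default_factory=list)

    @property
    def disguised(self) -> bool:
        return bool(self.reasons)


def real_extension(name: str) -> str:
    """Extension Windows uses: text after the last '.', lower-cased.
    Windows drops trailing dots and spaces when creating a file."""
    base = name.rstrip(". ")
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def render(name: str) -> str:
    """Simplified model of how a left-to-right UI draws the name: text after
    the first RLO is reversed, other bidi controls are invisible."""
    if RLO in name:
        head, tail = name.split(RLO, 1)
        tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
        return head + tail[::-1]
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def classify(name: str) -> Verdict:
    base = name.rstrip(". ")
    real = real_extension(base)
    # "Hide extensions for known file types" strips the last extension from
    # the stored name before Explorer draws it.
    hidden_form = base[: -len(real)] if real else base
    v = Verdict(name, real, render(hidden_form), render(base))

    if any(ch in BIDI_CONTROLS for ch in name):
        v.reasons.append("bidi control character in filename (Unitrix/RLO trick)")

    if real in EXECUTABLE_EXTS:
        inner = real_extension(hidden_form)
        if inner in DECOY_EXTS:
            # Double extension: "Invoice.zip.exe" is shown as "Invoice.zip".
            v.reasons.append(f"executable {real} disguised with decoy {inner}")
        else:
            # RLO trick: the rendered name ends in a decoy extension.
            for shown in (v.shown_ext_hidden, v.shown_ext_visible):
                shown_ext = real_extension(shown)
                if shown_ext in DECOY_EXTS and shown_ext != real:
                    v.reasons.append(f"renders as {shown!r} but runs as {real}")
                    break
    return v


def triage(names):
    """Return the verdicts for names that would fool a user."""
    return [v for v in (classify(n) for n in names) if v.disguised]


if __name__ == "__main__":
    # Constructed sample attachment names, not real samples.
    sample = [
        "Invoice.zip",          # genuine archive
        "Invoice.zip.exe",      # shown as "Invoice.zip" with extensions hidden
        "Statement.pdf.pif",
        "photo\u202Egpj.scr",   # shown as "photorcs.jpg" with extensions visible
        "setup.exe",            # plain executable, not disguised
    ]
    for v in triage(sample):
        print(f"{v.filename!r}: shown as {v.shown_ext_hidden!r} / "
              f"{v.shown_ext_visible!r}; {'; '.join(v.reasons)}")
```

Note that showing extensions alone does not defeat the RLO variant: with extensions visible the name still renders as "photorcs.jpg", which is why the check looks at both display modes and treats any bidi control in a filename as suspicious on its own.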
Commented:
Once encrypted only a restore will help. If there are no image files or backups for the workstation there is little you can do.

For future prevention, OpenDNS Umbrella is one of the best products I know of to prevent these nasty crypto attacks.

Krompton
Most Valuable Expert 2013

Commented:
@Krompton, isn't Umbrella more of a DNS filtering service?  While it could potentially spot drive-by infection sites, I can't see how it could prevent a user getting infected with a trojan via an email attachment like Al's did.

Commented:
Yes, it is DNS. It can't block the Trojan; however, it prevents that Trojan from being able to connect to their server and start the encryption. Search the OpenDNS FAQ about the crypto viruses. They really are about the best protection right now for this.

Krompton
LeeTutor (retired)
Top Expert 2009

Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Eirman (Chief Operations Manager)

Commented:
No solution was possible. The OP did not engage any further with EE and abandoned this question.
Plenty of useful information was provided and I don't think it should be consigned to 'the ether'.
NVIT (End-user support)

Commented:
...to the OP's question regarding ransomware
> ...does anyone have any ideas, short of paying their extortion fee, on how to get the workstation files back

All answers given by ID: 40693241, ID: 40693261, ID: 40693273, ID: 40693436, ID: 40693845 agree on one thing: There is no way to get the files back.

Suggestions on prevention were given by ID: 40693273, ID: 40693436, and ID: 40693845