How to bust Cryptowall 3.0 Ransomware?

Hi.

Had a client open what looked like a legitimate email and clicked on the .zip file.

By the time I was called it was way too late. All the document and database type files on the workstation were encrypted and locked, and so were all the files on the Server shares.

The Server was a no brainer. Restored all the drives from the last backups with no files lost.

This nasty piece of work walked through the Sonicwall and the local AV software like it didn't exist.

It turned out to be the new variant of Cryptowall v 3.0.

So my question is, does anyone have any ideas, short of paying their extortion fee, on how to get the workstation files back? The user was doing the work on her workstation and not considering putting them on the Server.

None of the techniques that worked with the earlier variant of Cryptowall work with 3.0.

The workstation is Windows XP Pro, and please refrain from pointing out that MS is not generally supporting XP anymore.

Thanks - Al
CryptoWall-3.0.pdf
Alyork Asked:
NVIT (End-user support) Commented:
Salvage what data you can, if possible. Then, nuke and repave that station
David Johnson, CD, MVP (Owner) Commented:
No, you're done. The files are gone.
☠ MASQ ☠ Commented:
Yep, if you have no backup your options are pay the ransom or waste several years on brute force decryption. With ransomware, prevention is generally the better option; I suggest locking down some user access as described here:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

There is some progress on cracking the newer variants but getting users to behave responsibly with Trojans is still the weak point that is being exploited.

Reduced network permissions and early reporting can save a lot of grief.


Eirman (Chief Operations Manager) Commented:
> clicked on the .zip file

If file extensions are showing, that in itself would not cause the ransomware to be installed.
Running the contents of the zip file probably would.

The odds are that Windows is set to the unfortunate default where file extensions are hidden.
Your client probably unwittingly ran one of these:
Filename.zip.pif
Filename.zip.com
Filename.zip.exe
Filename.zip.bat
Fuller List

This is also essential reading on the above and the UNITRIX Exploit.
http://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/

You should consider installing
http://www.foolishit.com/vb6-projects/cryptoprevent/cryptoprevent-auto-update/
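An added example (not from the thread or from any of the tools linked above) that audits a folder for the two disguises Eirman describes, the double extension such as Filename.zip.exe and the right-to-left override character the UNITRIX article covers, and reports whether Explorer on this machine is hiding known extensions. The folder path, the extension lists and the U+202E check are assumptions; the HideFileExt registry value is the standard Explorer setting.

```powershell
# Added example, not part of the original thread. Run in PowerShell on the
# workstation; the folder to audit defaults to the user's Downloads (assumed).
param([string]$Path = "$env:USERPROFILE\Downloads")

# Extensions Windows will run directly on double-click (assumed list)
$Executable = @('.exe', '.com', '.pif', '.bat', '.cmd', '.scr', '.vbs', '.js')
# "Decoy" extensions commonly placed in front of the executable one (assumed)
$Decoy = @('.zip', '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.txt')

function Test-HideFileExt {
    # HideFileExt = 1 means "Hide extensions for known file types" is enabled,
    # so Filename.zip.exe is displayed to the user as Filename.zip
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($val -eq 1)
}

function Get-DisguisedFiles {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.Name
        $real  = $_.Extension.ToLower()
        # Strip the real extension and look at what is left: "Filename.zip" -> ".zip"
        $base  = [System.IO.Path]::GetFileNameWithoutExtension($name)
        $inner = [System.IO.Path]::GetExtension($base).ToLower()
        $reason = $null
        if ($Executable -contains $real -and $Decoy -contains $inner) {
            $reason = "double extension ($inner$real)"
        }
        # U+202E (right-to-left override) reverses how the rest of the name is
        # displayed, so the visible extension is not the real one
        elseif ($name.Contains([string][char]0x202E)) {
            $reason = 'right-to-left override character in file name'
        }
        if ($reason) {
            [PSCustomObject]@{ File = $_.FullName; Reason = $reason }
        }
    }
}

if (Test-HideFileExt) {
    Write-Warning 'Explorer is hiding known file extensions (HideFileExt=1).'
}
Get-DisguisedFiles -Folder $Path | Format-Table -AutoSize
```

Setting HideFileExt to 0 under the same key (and restarting Explorer) makes the full name visible, which is the change Eirman is recommending.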
Krompton Commented:
Once encrypted only a restore will help. If there are no image files or backups for the workstation there is little you can do.

For future prevention, OpenDNS Umbrella is one of the best products I know of to prevent these nasty crypto attacks.

Krompton
☠ MASQ ☠ Commented:
@Krompton, isn't Umbrella more of a DNS filtering service?  While it could potentially spot drive-by infection sites, I can't see how it could prevent a user getting infected with a trojan via an email attachment like Al's did.
Krompton Commented:
Yes, it is DNS. It can't block the Trojan; however, it prevents that Trojan from being able to connect to their server and start the encryption. Search the OpenDNS FAQ about the crypto viruses. They really are about the best protection right now for this.

Krompton
LeeTutor (retired) Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Eirman (Chief Operations Manager) Commented:
No solution was possible. The OP did not engage any further with EE and abandoned this question.
Plenty of useful information was provided and I don't think it should be consigned to 'the ether'.
NVIT (End-user support) Commented:
...to the OP's question regarding ransomware
> ...does anyone have any ideas, short of paying their extortion fee, on how to get the workstation files back

All answers given by ID: 40693241, ID: 40693261, ID: 40693273, ID: 40693436, ID: 40693845 agree on one thing: There is no way to get the files back.

Suggestions on prevention were given by ID: 40693273, ID: 40693436, and ID: 40693845