CryptoWall 3.0 infection and subsequent questions

Hi Experts

Client was hit with CryptoWall 3.0 last week. They very quickly identified the PC that had been compromised and disconnected it from the network. They then wiped that PC and rebuilt it.

The user of that PC was an Office Admin and had very little access to the network, so only about 4,000 files were encrypted and are now inaccessible.

The client has gone ahead with the purchase of Bitcoin and paid the $500 ransom. They were given a download link for the decryption process. They ran a virus scan on the ZIP file they were given and sure enough the 'decrypt.exe' file was infected with a Trojan and their AV tool removed it from the ZIP. What is left in the ZIP is the 'public.key' and 'private.key' files.

Unfortunately their IT had misconfigured their backups and they do not have a recent enough copy of these files. The files they need are business critical.

Is there any way for the files to be decrypted with other software, now that they have the private.key file?

Thanks
Mark
Asked by Mark Galvin, Managing Director / Principal Consultant
Kimputer commented:
There are some indications that if you indeed get that ZIP file, it will decrypt the files as it should. That it is a Trojan, you'll have to take for granted.
Disconnect PC from the network.
Clone hard disk (just in case the Trojan does more damage. Or make an image.)
Use the decrypt.exe to decrypt the files. Copy the files to another USB device (this device should not contain important files, and has to be scanned by another computer after using it on this PC).
Do another full antivirus sweep on the computer (scan externally, as in USB/DVD boot from a reputable antivirus vendor)
Check if files are decrypted properly. If more damage has been done, there's no solution, restore backup image (sadly, also no decrypted files), or clone disk back.

As for the keys, it's a good step, but it's not enough to know how the files were supposed to be decrypted. The keys are just a small part of a bigger puzzle.

andreas (System Admin) commented:
No idea about 3rd-party decryption software which can use the keys to decrypt.

You should wait for other experts' opinions and only use this approach if no other working solution is given.

But you could set up an offline box with Linux, set up a virtual machine inside that offline box, and install a Windows OS into that virtual host. Then put all the encrypted files and the trojan decryptor there together with the keys and try to decode this way.

Push the files from the shared folder of the virtual machine to the host OS (Linux).

Check there if there are additional exe files; also check the decrypted files for suspicious modifications, like embedding of malware.

Be sure to NEVER give this system any online access.

Afterwards remove the VM with the compromised windows.

One drawback remains: you cannot be sure the decryptor will not place malicious things into the decrypted files that you cannot easily detect. The bigger the decryptor app is, the more chance there is that it contains other things it might put inside the decrypted files.

As this machine is offline, any embedded malicious content can only come from the decryptor.exe itself.

I would NOT use the decryptor on a non-virtualized Windows on real hardware. It might put some backdoors into the UEFI/BIOS or other places in the firmware of HDDs etc., so it will even survive a rebuild.
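The check andreas recommends, looking over the decrypted files for suspicious modifications before they leave the offline VM, can be partly automated. The script below is an added example for this thread, not code posted by any participant: it verifies that each file's leading bytes match the type its extension claims, flags content that is really a Windows executable, and for ZIP-based Office documents (DOCX/XLSX/PPTX) measures whether anything has been appended after the ZIP end-of-central-directory record, which is a common hiding place for extra content. All sample files are constructed in memory and the magic-byte table is a deliberately small, assumed set.

```python
"""Sanity-check files a third-party decryptor has written back: does the content
match the type the extension claims, and does a ZIP-based Office document end
where its directory says it should?  Stdlib only; samples are constructed."""
import io
import struct
import zipfile

# Assumed, deliberately small magic-byte table (extend for the types you hold).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",          # DOCX/XLSX/PPTX are ZIP containers
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe-executable",        # Windows EXE/DLL header
}
EXT_TO_TYPE = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def sniff_type(data):
    """Identify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_trailing_bytes(data):
    """Number of bytes after the ZIP end-of-central-directory (EOCD) record.
    A well-formed Office file ends exactly at the EOCD plus its comment, so a
    positive value means something was appended that the document never used."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(data):
        return None                      # no complete EOCD: not a usable ZIP
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return len(data) - (eocd + 22 + comment_len)


def check_decrypted_file(name, data):
    """Return a list of findings for one file; [] means it looks consistent."""
    ext = name.rsplit(".", 1)[-1].lower()
    expected, actual = EXT_TO_TYPE.get(ext), sniff_type(data)
    findings = []
    if actual == "pe-executable":
        findings.append("content is a Windows executable")
    if expected and actual != expected:
        findings.append(f"extension says {expected}, content looks like {actual}")
    if actual == "zip":
        extra = zip_trailing_bytes(data)
        if extra is None:
            findings.append("ZIP container is truncated or corrupt")
        elif extra > 0:
            findings.append(f"{extra} unexpected bytes after ZIP end-of-central-directory")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if zf.testzip() is not None:
                        findings.append("ZIP member fails CRC check")
            except zipfile.BadZipFile:
                findings.append("ZIP central directory unreadable")
    return findings


def make_docx_like(extra=b""):
    """Constructed minimal DOCX-style ZIP, optionally with bytes appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue() + extra


# Constructed samples: a clean PDF, a clean DOCX, a DOCX with appended bytes,
# and a "PDF" whose content is actually an executable header.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "contract.docx": make_docx_like(),
    "budget.docx": make_docx_like(extra=b"\x00" * 64 + b"appended-payload"),
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,
}


def scan_samples(samples=SAMPLES):
    """Run the check over every sample and return {name: findings}."""
    return {name: check_decrypted_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Point the scan at the shared folder on the Linux host rather than inside the VM, so the decryptor has no opportunity to influence the check itself; a clean result only says the files are structurally consistent, so anything flagged still deserves a manual look before it is restored to the network.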
Mark Galvin (Author) commented:
Hi Kimputer

Will try that first. Makes sense.

Will let you know next week how it goes.

thanks
Mark
btan (Exec Consultant) commented:
Since they planted the malware even after payment, I likewise see no trust in their decryptor per se. If it is true RSA-2048, as CryptoWall is supposed to use, the private.key is likely good if we can change it into .pem and use openssl to try to decrypt the encrypted files.

But I would try to look at that .key file to see if it is even encrypted. E.g. to identify whether a private key is encrypted or not, view the key using a text editor or command line. If it is encrypted, then the text ENCRYPTED appears in the first line. It is protected by a passphrase or password.

For instance, an encrypted private key is like below
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,84E01D31C0A59D1F

... compared to an un-encrypted key will have the following format:
-----BEGIN RSA PRIVATE KEY-----
...........................................
...........................................
.......................................
-----END RSA PRIVATE KEY-----

So assuming it is in the PEM Base64 format (at least they did not go to the extent of cheating the user, hopefully), we can try to decrypt. We can do a check on the formatting of the private key, e.g. openssl rsa -in private.key -check

If that is alright, we may even want to derive the public key from private.key for assurance, though we also have the public.key, e.g. openssl rsa -in private.key -out publicDerived.key -outform PEM -pubout

Supposedly, decrypting the ciphertext file is via e.g. openssl rsautl -decrypt -inkey private.key -in <LOCKEDFILE.EXT> -out <DECRYPTED.EXT> (just need to name them accordingly). This may be useful in case the cipher file is in base64 format, e.g.
openssl enc -in <LOCKEDFILE.EXT> -out binarytext -d -a
openssl rsautl -decrypt -in binarytext -out <DECRYPTED.EXT> -inkey private.key

http://ubuntuforums.org/showthread.php?t=1705426

Better to duplicate the files while we try all these on a separate machine.
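To make concrete what btan's openssl steps actually look at, here is an added example (not code from the thread, and not openssl itself) that inspects a PKCS#1 "RSA PRIVATE KEY" PEM file with only the Python standard library: it detects the Proc-Type: 4,ENCRYPTED header, decodes the PEM/DER into the nine RSAPrivateKey integers, runs the consistency checks behind openssl rsa -check (n = p*q, e*d = 1 mod lcm(p-1, q-1), CRT exponents, q^-1 mod p), derives the public key the way -pubout does (emitted here in PKCS#1 "RSA PUBLIC KEY" form rather than SubjectPublicKeyInfo, an assumption for brevity), and shows the raw CRT decryption step that rsautl -decrypt performs before stripping PKCS#1 padding. The key material is a constructed textbook toy (p=61, q=53) and the encrypted header fragment is constructed from the one quoted in the comment.

```python
"""Inspect a PKCS#1 'RSA PRIVATE KEY' PEM: encrypted-header detection, DER
decode, the checks behind `openssl rsa -check`, public-key derivation and raw
CRT decryption.  Stdlib only; the key below is a constructed toy key."""
import base64
import re
from math import gcd

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", re.S)
FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def is_encrypted_pem(pem_text):
    """Legacy OpenSSL PEM encryption announces itself with a Proc-Type header."""
    return "Proc-Type: 4,ENCRYPTED" in pem_text


# --- minimal DER encode/decode for SEQUENCE-of-INTEGER structures ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    # (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set,
    # so the INTEGER is never read back as negative
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length (real 2048-bit keys)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _wrap_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_rsa_private_key(pem_text):
    """Decode a PKCS#1 RSAPrivateKey PEM into its nine integer fields."""
    m = PEM_RE.search(pem_text)
    if not m or m.group(1) != "RSA PRIVATE KEY":
        raise ValueError("no 'RSA PRIVATE KEY' block found")
    if is_encrypted_pem(pem_text):
        raise ValueError("key is passphrase-protected; remove the passphrase first")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer DER element is not a single SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, val, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("RSAPrivateKey fields must all be INTEGERs")
        ints.append(int.from_bytes(val, "big"))
    if len(ints) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} INTEGERs, got {len(ints)}")
    return dict(zip(FIELDS, ints))


def check_rsa_key(k):
    """The consistency checks behind `openssl rsa -check`; [] means the key is sane."""
    p, q, e, d = k["p"], k["q"], k["e"], k["d"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    problems = []
    if k["n"] != p * q:
        problems.append("n != p*q")
    if (e * d) % lam != 1:
        problems.append("d is not the inverse of e mod lcm(p-1, q-1)")
    if k["dp"] != d % (p - 1) or k["dq"] != d % (q - 1):
        problems.append("CRT exponents dp/dq do not match d")
    if (k["qinv"] * q) % p != 1:
        problems.append("qinv is not q^-1 mod p")
    return problems


def derive_public_key_pem(k):
    """(n, e) as a PKCS#1 'RSA PUBLIC KEY' PEM (openssl -pubout writes the
    SubjectPublicKeyInfo wrapper instead; the numbers inside are the same)."""
    return _wrap_pem("RSA PUBLIC KEY", _der_seq([_der_int(k["n"]), _der_int(k["e"])]))


def rsa_decrypt_int(k, c):
    """Raw RSA decryption with the CRT parameters, i.e. the arithmetic rsautl
    performs before it strips the PKCS#1 padding."""
    m1, m2 = pow(c, k["dp"], k["p"]), pow(c, k["dq"], k["q"])
    h = (k["qinv"] * (m1 - m2)) % k["p"]
    return m2 + h * k["q"]


# Constructed toy key (textbook p=61, q=53); far too small for any real use.
TOY = dict(version=0, n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)
TOY_PEM = _wrap_pem("RSA PRIVATE KEY", _der_seq([_der_int(TOY[f]) for f in FIELDS]))
# Constructed header of a passphrase-protected key, modelled on the comment above.
ENCRYPTED_PEM_HEAD = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-CBC,84E01D31C0A59D1F\n\n")

if __name__ == "__main__":
    key = parse_rsa_private_key(TOY_PEM)
    print("encrypted:", is_encrypted_pem(TOY_PEM), "/", is_encrypted_pem(ENCRYPTED_PEM_HEAD))
    print("-check problems:", check_rsa_key(key) or "none")
    print(derive_public_key_pem(key), end="")
    print("decrypt(2790) =", rsa_decrypt_int(key, 2790))   # 2790 = 65^17 mod 3233
```

Two things this makes visible that the bare openssl commands do not: a key that fails check_rsa_key is mathematically unusable no matter what the decryptor claims, and the raw decryption only recovers a single padded block of at most the modulus size, which is why ransomware of this kind uses RSA for a per-file or per-victim session key rather than for the file bodies themselves; if private.key parses cleanly but rsautl on a locked file yields garbage, that hybrid layout is the likely reason, not a bad key.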
Mark Galvin (Author) commented:
Hi

Tested this and it worked on a handful of files. Prior to the tool they wouldn't open. After running the tool in a closed system the files opened.

Running the tool within the closed system now, but on the 120GB of files that were locked.

thanks
Mark!