Cryptowall 3.0?

or was it 2.0... Starting to forget. I had a past customer that brought in a desktop with a cryptovirus. They wanted to save the pictures. I gave them the bad news that at the time, the only thing you could really do was try your luck at paying the "ransom", but even then most people don't get their stuff back like they claim.

So what I did was replace their entire hard drive and install Windows so they could at least use their computer. I kept their hard drive at my store in hopes that one day a fix will be made to recover these pictures. I know other versions of ransomware have had fixes come out. Hopefully I can save the day soon with these pictures.
 
or was it 2.0... Starting to forget. I had a past customer that brought in a desktop with a cryptovirus. They wanted to save the pictures. I gave them the bad news that at the time, the only thing you could really do was try your luck at paying the "ransom", but even then most people don't get their stuff back like they claim.

So what I did was replace their entire hard drive and install Windows so they could at least use their computer. I kept their hard drive at my store in hopes that one day a fix will be made to recover these pictures. I know other versions of ransomware have had fixes come out. Hopefully I can save the day soon with these pictures.
From what I can tell, and have experienced, paying the ransom does get you access to the files again. But, the process is sketchy as hell and not for the faint of heart.
 
I agree with altrenda. We had a client who was willing to pay the ransom. We guided them through the process of purchasing the bitcoins. When they were prompted to upload an image of their driver's license and a second photo ID, they backed out. We eventually recovered the files from the server shadow copies.
 
Had 5 in the last 10 days. Half of these I was able to retrieve data by doing a complete scan with EaseUS Data Recovery. Apparently after this new revision deletes all the shadow copies, it makes a copy of the original file first; encrypts the "new" file and deletes the old one. Depending on the activity since the infection, you can locate these deleted files. As luck has it, the clients with the most critical data were the ones I could save.
 
What are you guys charging for recovering files like this? And do you charge anything if you're unable to get it? We've had a few people get it, and just told them to try a data recovery place if they really needed it.
 
It's definitely worth a shot checking shadow copies and the likes. It doesn't take too much time, and I've had success with 2/3 somewhat recently.

You may as well do a scan for deleted files - you never know. Just because the virus may be 'shredding' files and deleting shadow copies, doesn't mean it always does or that your client caught that version.

There's not much to lose, and a LOT to gain.
 
Has anyone used Shadow Explorer to recover Cryptowall files? Do you put the recovered files on an external drive until the system is cleaned up?

Dave... I've recovered files using shadow copy... did copy to an external drive first. The customer also had Carbonite backup. We got about halfway through the shadow copy restore before "things" started to happen. Ended up recovering the rest from the previous versions within Carbonite. Took a long time... but they got about 90-95%.
 
I am going to ask this here because I have read several contradictory answers from more than a few places.

If we take an image of an HD saved to a NAS drive and we then encrypt that image, does that make that image safe from the crypto variants?
I have read in more than one place that if an image is already encrypted it is then safe, as it can't be encrypted again. I have also read in a couple of other places that it is still at risk. Does anyone know the "real" answer?
 
I am going to ask this here because I have read several contradictory answers from more than a few places.

If we take an image of an HD saved to a NAS drive and we then encrypt that image, does that make that image safe from the crypto variants?
I have read in more than one place that if an image is already encrypted it is then safe, as it can't be encrypted again. I have also read in a couple of other places that it is still at risk. Does anyone know the "real" answer?
I don't know the real answer for the above question but...
To not have to worry about it, I'd create a separate user on the NAS for backups only. Create a shared folder that only this 'backup user' has permissions for.
Insert the credentials for this backup user into the imaging software. I know Macrium Reflect has this option to impersonate a user so other brands of imaging software probably do as well.

Crypto can't access the share, so no worries.
 
Dave... I've recovered files using shadow copy... did copy to an external drive first. The customer also had Carbonite backup. We got about halfway through the shadow copy restore before "things" started to happen. Ended up recovering the rest from the previous versions within Carbonite. Took a long time... but they got about 90-95%.


Thanks Uncle Marv! I have a customer with a lot of pictures he would love to recover. I think I will try the portable version of Shadow Explorer and transfer the files to an external drive.
 
Pull the drive.
Clone the drive.
Beat the he!! out of the clone with recovery tools.

Also, when you get a clone, always good to save an extra "original" clone for future attempts.

Good luck
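The "two clones, one master you never touch" workflow from the post above, written out as an added example that is not any poster's own script. It assumes the drive has already been imaged to a file with whatever imaging tool you use, and the case paths, file names and the SHA-256 sidecar file are all assumptions. The point it adds to the prose is verification: the master copy gets a recorded hash and is set read-only before anyone runs a recovery tool, and the working copy is checked against that hash before it is used.

```powershell
# Added example (not from the thread). Keep one untouched master image and do all
# recovery work on a verified second copy. All paths below are assumptions.
param(
    [string]$MasterImage  = 'E:\Cases\example-desktop\master.img',   # image written by the cloning tool
    [string]$WorkingImage = 'E:\Cases\example-desktop\working.img',  # copy that recovery tools are run against
    [string]$HashFile     = 'E:\Cases\example-desktop\master.sha256' # sidecar file recording the master's hash
)

# Re-checks the stored hash of the master; run this before and after each recovery session.
function Test-MasterIntact {
    param([string]$Image, [string]$Hash)
    $expected = (Get-Content -Path $Hash | Select-Object -First 1).Split(' ')[0]
    $actual   = (Get-FileHash -Path $Image -Algorithm SHA256).Hash
    return ($actual -eq $expected)
}

# 1. Record the master's SHA-256 once, so later you can prove it was never altered.
$masterHash = (Get-FileHash -Path $MasterImage -Algorithm SHA256).Hash
"$masterHash  $(Split-Path -Path $MasterImage -Leaf)" | Set-Content -Path $HashFile

# 2. Make the master read-only so a careless tool (or a slip of the mouse) cannot write to it.
Set-ItemProperty -Path $MasterImage -Name IsReadOnly -Value $true

# 3. Create the working copy and verify it is byte-for-byte identical before touching it.
Copy-Item -Path $MasterImage -Destination $WorkingImage
$workingHash = (Get-FileHash -Path $WorkingImage -Algorithm SHA256).Hash
if ($workingHash -ne $masterHash) {
    throw "Working copy hash $workingHash does not match master $masterHash; do not use it."
}
# The working copy must be writable for the recovery tools.
Set-ItemProperty -Path $WorkingImage -Name IsReadOnly -Value $false

# 4. Confirm the master is still intact; if this ever returns $false, re-image from the drive.
if (-not (Test-MasterIntact -Image $MasterImage -Hash $HashFile)) {
    throw 'Master image no longer matches its recorded hash.'
}
Write-Host "Master verified and locked; work on $WorkingImage only."
```

If a recovery attempt wrecks the working copy, re-run steps 3 and 4 to produce a fresh one; the master stays read-only and is only ever read.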

Pretty much what we do. Typically we'll make two clones, one to trial and error on, and the other is the "original" that we can use to either recover from our oops or edit as we find things that shouldn't be there.

Dave... I've recovered files using shadow copy... did copy to an external drive first. The customer also had Carbonite backup. We got about halfway through the shadow copy restore before "things" started to happen. Ended up recovering the rest from the previous versions within Carbonite. Took a long time... but they got about 90-95%.

Sometimes the cloud (Carbonite) copies are good and other times they are not. Carbonite has been one of our worst when it comes to this, many times because we find out that the Carbonite app hasn't been working for weeks, or someone turned it off because they didn't know what it was. (How do you not know what something is when you paid for it????) We've averaged decent recoveries with Carbonite when it worked, about 80-95%. The number of systems that came in with a non-working Carbonite app has been a solid 1 out of every 10.

If anything, CryptoWall and CryptoLocker have increased our sales of our flagship backup solution.
 
I am going to ask this here because I have read several contradictory answers from more than a few places.

If we take an image of an HD saved to a NAS drive and we then encrypt that image, does that make that image safe from the crypto variants?
I have read in more than one place that if an image is already encrypted it is then safe, as it can't be encrypted again. I have also read in a couple of other places that it is still at risk. Does anyone know the "real" answer?

A file is a file, no matter whether it's already encrypted or not. Encryption just scrambles the data; no reason (that I can think of) that it can't be scrambled further with another layer of encryption.

I don't know the real answer for the above question but...
To not have to worry about it, I'd create a separate user on the NAS for backups only. Create a shared folder that only this 'backup user' has permissions for.
Insert the credentials for this backup user into the imaging software. I know Macrium Reflect has this option to impersonate a user so other brands of imaging software probably do as well.

Crypto can't access the share, so no worries.
This ^^

Just give the credentials of the NAS user account to Reflect. It's never a good idea to allow permanent user-level access to backups, even without the threat of crypto-locking viruses.

If the backup software doesn't do network logon, I would usually create a short script (such as a simple batch file or T-SQL, depending on what's being backed up) to log on to the network backup storage, execute the backup, then disconnect from network again, minimising the exposure time. It's a good idea to schedule the scripts to run as a different user too, so that the logged in user account never has access to the backup store.
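The backup-only NAS account described earlier in the thread and the "connect, back up, disconnect" script from the post above, combined into one added example. This is not any poster's script or Macrium Reflect's own feature: the share name, the `backupsvc` account, the local paths and the use of `robocopy` as a stand-in for the imaging tool are all assumptions. It is meant to run from Task Scheduler as a service-style user, not the interactive desktop user, so the desktop session never holds the backup credentials and never has a persistent mapping to the backup share.

```powershell
# Added example (not from the thread). Map the backup share with a dedicated
# backup-only account for the duration of one job, then disconnect.
# Assumptions: \\NAS01\backups exists and only NAS01\backupsvc can write to it;
# D:\Data is the data to protect; robocopy stands in for the imaging tool.
$Share      = '\\NAS01\backups'
$Source     = 'D:\Data'
$BackupUser = 'NAS01\backupsvc'
$DriveName  = 'B'
$LogFile    = 'C:\Backup\last.log'
$CredFile   = 'C:\Backup\backupsvc.cred'

# The password is stored DPAPI-protected, created once by the scheduled-task user with:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\Backup\backupsvc.cred
# DPAPI ties the file to that user, so the interactive desktop user cannot decrypt it
# even if malware running in their session reads the file.
$Secure = Get-Content -Path $CredFile | ConvertTo-SecureString
$Cred   = New-Object System.Management.Automation.PSCredential($BackupUser, $Secure)

try {
    # Map the share only now; nothing outside this script ever sees it mapped.
    New-PSDrive -Name $DriveName -PSProvider FileSystem -Root $Share -Credential $Cred -ErrorAction Stop | Out-Null

    # Date-stamped target folder so a bad run cannot overwrite an earlier, good set.
    $Target = Join-Path -Path "$($DriveName):\" -ChildPath (Get-Date -Format 'yyyy-MM-dd')
    $args   = "`"$Source`" `"$Target`" /E /COPY:DAT /R:1 /W:1 /NP /LOG:`"$LogFile`""
    $rc     = (Start-Process -FilePath 'robocopy.exe' -ArgumentList $args -Wait -PassThru -NoNewWindow).ExitCode

    # robocopy exit codes 8 and above mean at least one file failed to copy.
    if ($rc -ge 8) { throw "robocopy failed with exit code $rc; see $LogFile" }
    Write-Host "Backup to $Target completed (robocopy code $rc)."
}
finally {
    # Always disconnect, even after a failure, so the exposure window closes.
    if (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveName -Force
    }
}
```

Two details carry the security value: the desktop user has no permission on the share at all (not even read), so a ransomware process running as that user has nothing to encrypt, and the credential can only be decrypted by the account the task runs as. Grant `backupsvc` write access to the share but deny it interactive logon on the workstations, and keep the scheduled-task account out of the local Administrators group unless the imaging tool truly needs it.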
 
I've only run across crypto 3.0 twice. This time her critical data was on her flash drive. I was partially successful with EaseUS recovery, getting two of the four files back for her. I assume Shadow Explorer won't work for FAT32 flash drives, so I'm kind of stuck unless anybody has any other ideas. I tried Reflect too; the doc files I need are there but encrypted.
 
Thanks for all the replies, sorry for checking this so late. So far, to help this customer, I installed a new hard drive in their desktop and reloaded Windows with their COA, and kept their original hard drive with their name/number labeled on it. I want to help this guy get his pictures back, so I will clone this drive and get down to the nitty gritty. Just glad that most of y'all were able to do it! Woohoo
 
I was lucky on one of my latest clients' PCs. They had Vista Ultimate and it wouldn't start. Fixed the boot issue and retrieved old versions of files from the Previous Versions feature.
They had family photos going back to 2003. They were very distraught about it and were very happy when I came to the rescue and rescued those photos for them :)
 