Cryptowall Rising

Wheelie
A business customer two weeks ago had it and we paid the 1 Bitcoin ransom to get his data back. Then two customers were hit last week with it but they did not want their data back, so I wiped and reloaded the OS on those. Then today I have had 2 phone calls with customers that are infected with Cryptowall. One said "it sucks but just do a wipe and reload" and the other is emailing her boss in DC to ask if her MS Access databases are critical and whether they should pay the ransom (she was almost crying as we just hung up). Exactly none of these people had any current backups :(
 
Exactly none of these people had any current backups

And you are surprised by this? :o

I have an appt. this week to go onsite to help a client backup her Quickbooks. The last backup was sometime in May. Something funny happened between then & now and her flash drive is not recognized.

Funny how backups are "out of sight, out of mind" for *most* people.

The other thing is that if I need to bring a pc back to the shop for service, I get;

"How long will it take? I can't be without my computer, can't be without access to my files..." :rolleyes: and of course, no backup, or one within the last six months.

I'm sure you all get the same thing. People, especially business owners/managers amaze me.
 

Pretty much dead on. It's extremely rare that I run into a client that already has a backup in place and when they think they do, I come to find it the last backup was at least 6 months prior or isn't even working properly.

Sometimes you can recommend a backup plan until you are blue in the face but unless they go through something like this they will never learn.

**Knock on Wood** Still haven't run into this myself but I wanna be prepared if and when it happens.
 
Had a customer hit by this last week, CryptoWall 2.0. It's being spread by the Yakes / Asprox Trojan dropper, which gets in using drive-by download methods. Machines that are most at risk are ones with old software, such as old versions of Java, Flash, Chrome, and of course, no antivirus. It spreads via other methods too. I was able to successfully recover a client's data with Shadow Explorer. Worth a try.

My advice to anyone who is seeing this new variant: remove it QUICKLY. The Yakes portion is contracted out on the black market to install additional Trojans within a certain time frame after the elapsed time for getting their encrypted files back. DO NOT leave your thumb drive in for too long. Lol. [emoji38] I speak from experience. I left this client's machine on from Saturday afternoon to Monday morning, came back and the thumb drive was destroyed; in place of my tools and files were shortcuts to "porn.exe", which infects the machine with the Kelihos botnet.

I actually thought it was quite amusing. I thought, "who needs a shortcut to porn.exe?"
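The Shadow Explorer recovery mentioned above works because Volume Shadow Copies are separate snapshots that CryptoWall's file encryption does not touch (unless the sample deletes them, which later variants do). Here is an added example of doing the same job from an elevated PowerShell prompt; it is not code from the thread or from Shadow Explorer. The paths in $MountPoint and $Recover and the $InfectionTime value are placeholders you must set for the machine in front of you.

```powershell
# Added example: enumerate Volume Shadow Copies and expose the newest pre-infection
# snapshot of C: as a directory so files can be copied out. Run elevated.
$MountPoint    = 'C:\ShadowMount'        # placeholder: where the snapshot is linked
$Recover       = 'D:\Recovered'          # placeholder: clean destination drive
$InfectionTime = Get-Date '2014-10-25'   # placeholder: when the ransom note appeared

# 1. What snapshots survive? An empty list means the ransomware (or its
#    "vssadmin delete shadows /all /quiet" step) already removed them; at that
#    point stop touching the disk and image it for offline recovery attempts.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies on this machine.'
    return
}
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 2. Pick the newest snapshot of C: taken BEFORE the infection. A snapshot made
#    after the encryption ran only contains encrypted files. Win32_ShadowCopy.VolumeName
#    is a \\?\Volume{GUID}\ path, so match it against Win32_Volume.DeviceID.
$cVolume = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = 'C:'").DeviceID
$snap = $shadows |
        Where-Object { $_.VolumeName -eq $cVolume -and $_.InstallDate -lt $InfectionTime } |
        Select-Object -First 1
if (-not $snap) {
    Write-Warning 'No shadow copy of C: older than the infection time.'
    return
}
Write-Host "Using snapshot $($snap.ID) from $($snap.InstallDate)"

# 3. Expose it as a directory symbolic link. The device path needs a trailing
#    backslash or mklink refuses it. Writes into a shadow copy fail, so the
#    link is effectively read-only.
if (Test-Path $MountPoint) { cmd /c rmdir $MountPoint }
cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\"

# 4. Copy the user profiles out to a clean drive. /XJ skips junctions so the
#    NTFS reparse points under Users\ don't loop; /R:1 /W:1 keeps locked files
#    from stalling the run for hours.
robocopy "$MountPoint\Users" $Recover /E /XJ /R:1 /W:1 /NFL /NDL

# 5. Remove the link when done. rmdir drops the link, not the snapshot.
cmd /c rmdir $MountPoint
```

Check the copied files before declaring victory: open a few documents from $Recover and confirm they are not the encrypted versions, since a snapshot created by a Windows Update or installer after the infection will look like a valid restore point but hold nothing useful.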
 
I feel bad saying this but as a data recovery professional and bitcoin investor, I'm kind of rooting for the virus...

Is that bad??? :confused:
 
I was under the impression that the new iteration of Cryptowall infects shadow volumes as well.

That being said, I had a really bad situation with a client two weeks ago. She is an attorney and her office shares a mapped Dropbox folder... and they share folders with people outside the firm (really?!). Someone took their phone to Verizon to transfer some data and the "tech" opened an .exe file from her email containing Cryptowall. Cue Dropbox Zombie Apocalypse.
 
Yup, getting a lot of CryptoWall all over the US and Canada.

I even had to break the news to a customer that not only was their Quickbooks encrypted, but because their backup drive was ALWAYS LEFT CONNECTED TO THE COMPUTER the backups were encrypted as well.

They need to enter transactions manually from April forward ....
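The always-connected backup drive above is the usual failure: anything the logged-in user can write to, CryptoWall can encrypt, and CryptoWall 2.0 rewrote files in place without changing their names, so the backup folder looks intact until someone opens a file. The following is an added example (not from the thread) of a check to run on a backup location before trusting it. It flags a stale backup set, ransom notes inside it, and files whose contents no longer match the magic bytes their extension promises. The $BackupRoot value is a placeholder; the signature table is intentionally short and can be extended.

```powershell
# Added example: sanity-check a backup set for staleness and for signs that the
# ransomware reached it. Run as the user who owns the backups.
param(
    [string]$BackupRoot = 'D:\Backups',   # placeholder: where the backups live
    [int]$MaxAgeDays    = 7
)

# 1. How old is the newest file? A backup last run in April is not a backup.
$files = Get-ChildItem -Path $BackupRoot -Recurse -File -ErrorAction SilentlyContinue
if (-not $files) { Write-Warning "No files under $BackupRoot"; return }
$newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
$ageDays = ((Get-Date) - $newest.LastWriteTime).TotalDays
if ($ageDays -gt $MaxAgeDays) {
    Write-Warning ("Newest backup file is {0:N0} days old: {1}" -f $ageDays, $newest.FullName)
}

# 2. Is the backup volume always reachable from the infected machine?
#    DriveType 2 = removable, 3 = local fixed, 4 = network share. Any of these
#    that is mounted while the user works is within the ransomware's reach.
$letter = (Split-Path -Qualifier $BackupRoot)
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID = '$letter'"
if ($disk) {
    Write-Host ("Backup volume {0} is DriveType {1} and is currently attached" -f $letter, $disk.DriveType)
}

# 3. Ransom notes inside the backup set mean the malware wrote there.
#    CryptoWall 2.0 drops HELP_DECRYPT.TXT/.HTML/.PNG/.URL in every folder it touches.
$notes = $files | Where-Object { $_.Name -like 'HELP_DECRYPT.*' }
foreach ($n in $notes) { Write-Warning "Ransom note in backup set: $($n.FullName)" }

# 4. Magic-byte check. An encrypted file keeps its name but loses its header.
#    Entropy checks would misfire on zip-based formats, so compare signatures instead.
$signatures = @{
    '.docx' = @{ Offset = 0; Bytes = 0x50,0x4B,0x03,0x04 }             # PK.. (OOXML zip)
    '.xlsx' = @{ Offset = 0; Bytes = 0x50,0x4B,0x03,0x04 }
    '.zip'  = @{ Offset = 0; Bytes = 0x50,0x4B,0x03,0x04 }
    '.pdf'  = @{ Offset = 0; Bytes = 0x25,0x50,0x44,0x46 }             # %PDF
    '.mdb'  = @{ Offset = 4; Bytes = 0x53,0x74,0x61,0x6E,0x64,0x61,0x72,0x64,0x20,0x4A,0x65,0x74 } # "Standard Jet"
    '.accdb'= @{ Offset = 4; Bytes = 0x53,0x74,0x61,0x6E,0x64,0x61,0x72,0x64,0x20,0x41,0x43,0x45 } # "Standard ACE"
    '.jpg'  = @{ Offset = 0; Bytes = 0xFF,0xD8,0xFF }
    '.png'  = @{ Offset = 0; Bytes = 0x89,0x50,0x4E,0x47 }
}

function Test-FileSignature([System.IO.FileInfo]$File, [hashtable]$Sig) {
    $need = $Sig.Offset + $Sig.Bytes.Count
    if ($File.Length -lt $need) { return $false }
    $fs = [System.IO.File]::OpenRead($File.FullName)
    try {
        $buf = New-Object byte[] $need
        $read = $fs.Read($buf, 0, $need)
    } finally { $fs.Dispose() }
    if ($read -lt $need) { return $false }
    for ($i = 0; $i -lt $Sig.Bytes.Count; $i++) {
        if ($buf[$Sig.Offset + $i] -ne $Sig.Bytes[$i]) { return $false }
    }
    return $true
}

$bad = 0
foreach ($f in $files) {
    $ext = $f.Extension.ToLowerInvariant()
    if (-not $signatures.ContainsKey($ext)) { continue }
    if (-not (Test-FileSignature -File $f -Sig $signatures[$ext])) {
        Write-Warning "Header mismatch (possibly encrypted): $($f.FullName)"
        $bad++
    }
}
Write-Host ("Checked {0} files with known signatures, {1} look damaged." -f `
    ($files | Where-Object { $signatures.ContainsKey($_.Extension.ToLowerInvariant()) }).Count, $bad)
```

A mismatch count of zero on a stale set is still a failed backup; the two findings are independent. The fix the thread is circling around is a second copy that is not mounted while the user works (rotated USB drives, or a cloud/versioned target the workstation cannot overwrite in place), plus a scheduled run of a check like this so the tech finds out before the customer does.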
 
It's not as bad as you think. The key can sometimes be recovered using a method of packet analysis, and some imitators leave the private key on your disk, pretty easy really. If it's the real thing you're SOL.
The 2nd method is to hack the hackers to retrieve the key, which could be fun and educational. Once you nab their database, put up a free server to decode people's stuff and use it like advertising for your business site.
The problem is Tor. I think it needs to go; it's used too much for nefarious purposes. Sooner or later someone is going to shut it down due to the number of child porn users hiding behind it.
 
The problem is Tor. I think it needs to go; it's used too much for nefarious purposes. Sooner or later someone is going to shut it down due to the number of child porn users hiding behind it.

That's like saying get rid of guns and cars and knives because too many people kill other people with them.

Get rid of stupidity <- gets my vote
 
What's so funny? I have recovered CryptoWall 2 private keys this way and decrypted customers' machines.

Can you please detail how you are doing this? Feel free to create a private thread in Technician's Eyes Only and link to it from here, if you are worried the creator will see the documented bug. However, this discovery will greatly help the community. I was able to use Shadow Explorer to get one of my clients' data back. It was a pain and I had to restart the transfer several times, but I managed to get all of their files back.

I assume you're using Wireshark to packet sniff? What intervals are the packets communicated? And what do they look like? Do they have a standard header that can be used to identify them?
 
Either you are on to something very big or you have no clue what you are talking about.

It's so big that I think he could possibly be drowning in it by now, if you get my drift. I think it flows backwards in Australia, if you need more... well, I dropped a few in the porcelain this morning. It's been a long day :confused:
 
Dealing with a couple right now. I have been reformatting my USB drives after using them on a machine. Is that necessary?

Both this week have been CryptoWall 2.0, of course with no backup, so that is fun. One had nothing important so they said reformat. At least that makes that one easier.
 