Cryptowall Rising

I found buying the Bitcoin and actually sending it to the thief pretty interesting. That whole scenario is fraught with potential failure.

 
Anyone know if there is a way to determine if this is spreading in your internal network? I run a computer repair shop and I had one computer come in with the Crypto 2.0 variant, and over the weekend I came in and another computer on the bench had just started the encryption process, as I noticed it create the text documents in the user directory. I unplugged it from the network; just wondering if there is a way to determine if I have been compromised. Thanks!
 
Anyone know if there is a way to determine if this is spreading in your internal network?
"CryptoWall and Network Shares

CryptoWall will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CryptoWall will not encrypt any files on a network share.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CryptoWall.
"

Ref: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

That is what is being said and seen on Cryptowall 2.0. However, what if you are witnessing a new variant? This thing has been a moving target since the original threat popped on the scene. I'd pull the HDD on your bench PC and see if there are any viruses on it and if any of the files are encrypted. Sounds like you should investigate this a bit closer.
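The question of whether the infection is spreading can be triaged cheaply from a clean machine: walk the shop server's share roots (and the backup destination) looking for the ransom-note text files the poster saw appear, and for recently modified files whose bytes look like ciphertext. The following script is an added example written for this thread, not code from the thread or from the BleepingComputer page quoted above. The note filenames in RANSOM_NOTE_NAMES are an assumption (the thread never names them; substitute whatever the infected PC actually dropped), the 7.5 bits/byte threshold is a judgement call, and the sample directory it scans is constructed inline so it runs offline.

```python
import math
import os
import tempfile
import time
from pathlib import Path

# ASSUMPTION: the thread says CryptoWall drops text documents into the
# directories it encrypts but does not name them. These are placeholders;
# replace with the names seen on the infected bench PC.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML"}

SAMPLE_BYTES = 64 * 1024        # sample each file rather than read it whole
ENTROPY_THRESHOLD = 7.5         # bits/byte; ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_tree(root, newer_than, note_names=RANSOM_NOTE_NAMES,
              threshold=ENTROPY_THRESHOLD):
    """Walk `root`; return ransom notes and recently modified high-entropy files.

    `newer_than` is a Unix timestamp. Only files modified after it are sampled,
    which keeps pre-existing zips, JPEGs and MP3s (also high entropy) out of the
    noise. Anything flagged is a triage lead to inspect by hand, not a verdict.
    """
    notes, suspects = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.upper() in note_names:
                notes.append(path)
                continue
            try:
                st = path.stat()
                if st.st_mtime < newer_than or st.st_size == 0:
                    continue
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or vanished; the encryptor may hold it open
            if shannon_entropy(sample) >= threshold:
                suspects.append(path)
    return {"ransom_notes": notes, "suspect_files": suspects}


def build_sample_tree(base):
    """Constructed sample data: one plain document, one overwritten file, one note."""
    music = Path(base) / "Public" / "My Music"
    music.mkdir(parents=True)
    (music / "notes.txt").write_bytes(b"quarterly invoice summary\n" * 2000)
    # Random bytes stand in for a file the malware has already overwritten.
    (music / "song.mp3").write_bytes(os.urandom(SAMPLE_BYTES))
    (music / "DECRYPT_INSTRUCTION.TXT").write_text("Your files have been encrypted\n")
    return music


def demo():
    """Build the sample tree in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, newer_than=time.time() - 3600)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, [p.name for p in paths])
```

Against a real share, call scan_tree with the share root and newer_than set to roughly when the first infected PC came into the shop; a directory that holds both a note file and a cluster of fresh high-entropy files is the signature to look for, while isolated high-entropy hits are usually just compressed media. Run it from a machine that is not on the bench, since the scan only needs read access and the poster has already done the right thing by unplugging the suspect PC.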

 
BTW - I had 2 Cryptowall infections in my shop in the past few days and they did not encrypt network shares on our LAN when they were infected and connected.

 
Ok will do! Thanks.

Ok will do! Thanks.
Either way please let us know what you are seeing. If this thing has taken that kind of turn we all need to know about it so the other networked customer PC's are not hit by this thing. That could get ugly to say the least!

 
Ya, I am not sure yet. I first got one PC in the shop with the Crypto 2.0. Then another machine came down with the same infection a day later, and I am not sure if it came in with those symptoms at all. Then today, after the weekend, a 3rd PC started acting weird while I was backing it up to our server, and I looked into the public folder and it had JUST started encrypting the My Music folder. It has been here for 3 days and I know it didn't have it when it arrived, nor were we browsing the web or doing anything on this PC besides running a malware scan. None of these machines were mapped to the server and I am pretty sure it started with just the 1. All speculation, but I will keep looking into it and see what I can come up with. Thanks again.
 
Doubt I could get my cheap boss to buy anything like that. Now if one of our repair machines gives him some nasty infection then I will have some ammo. :P

I can't wait to open my own shop. 11 bucks an hour for what I do feels like a rip off, especially when I had to be M$ and A+ Certified. That's beside the point though, me just venting lol.
 
Has anyone actually figured out the best scanner to remove the virus? I have one computer in the shop right now completely powered down because for the past 8 hours I have tried running multiple scanners over and over which have removed the virus before (MBAM, HMP, ESET); however, despite all of this, I have yet to remove it this time. It is still in the stages where the previous versions are still there, so I don't want to waste time and let the virus continue to infect the computer. I have already made a backup as well just in case. Anyways, I am just looking for a scanner that will definitely remove this virus and allow me to restore their data.
 
Has anyone actually figured out the best scanner to remove the virus?
Cryptowall? I have never removed the virus. In every case I repartitioned, reformatted, and reloaded from scratch. Why risk it with such a serious threat? :confused:

 
Browsing a few assorted forums, Kaspersky Rescue CD 10 has a Windows Unlocker function, allegedly effective against Cryptowall; this is unconfirmed as of yet. (Not sure if Cryptowall 2 is also detected/removed)

MBAM Premium (pay version) is also reported to detect/remove it, but, it would be nice to know if the free version will as well.

Last, but not least, YouTube shows some version of Cryptowall being removed manually from the registry, but the effectiveness of this would depend on the stupidity of the deploying offender actually leaving a reference to the word "Cryptowall" in the registry, which seems unlikely, but here's a link just in case: https://www.youtube.com/watch?v=8Ggc424eTAQ
 
Note that removing the virus is NOT the same as decrypting the files. From what versions I have seen the virus is relatively easy to remove. Decrypting the files will require the services of a Supercomputer and years to work on it.

There is no, and can never be, a magic "remove the encryption" process. If you don't have the key, you don't have access, period.
 
Yeah after removing the flash drive from the infected computer, I formatted it 10 times to ensure that its gone.

I write zeros just to make myself comfortable that the virus is gone. I am sure a quick format is ok, but zeroing removes it all.
 