first cryptowall infection

4ycr

Got my first Cryptowall (3.0) infection today. Client has backup through knowhow cloud, I thought this was going to be easy.

Phoned up knowhow only to be told the only way to get previous versions was through the web interface on a file-by-file basis. Client has a total of 15GB uploaded and over 20K files in his business folder.

Now I am not happy
 
Knowhow is based on Livedrive, so you should be able to use the LiveDrive restore program to download quicker. If you go to livedrive.com and sign in with the KH details it should give you access to it.
 
Just in case the trojan got interrupted or the authors got lazy, check with Shadow Explorer to see if some restore points got left behind.
 
Just in case the trojan got interrupted or the authors got lazy, check with Shadow Explorer to see if some restore points got left behind.

I checked but they never got left.

The online login on livedrive's website redirected me and the new file just updated the knowhow program. I gave the client a quote for the work, he now doesn't want me to do it all manually, just remove the virus.
 
When a customer notices that something is wrong, i.e. gets the Cryptowall 3.0 ransomware msg, tell them to pull the power cord and bring in the machine. During the encryption process it copies the file and encrypts it, then deletes the original file; with data recovery software you could get back 100% of the data.
I had a customer that was hit, I just did the same and recovered most of the files. The longer they use the machine, the less chance of recovery.
 
Thanks @Galdorf. PC World were not much help, but he got the virus at the weekend, and then he was referred to me through a web design company on Monday. He put a USB stick in with older files and it started to encrypt these. Took his computer back and was wondering why his USB was encrypted as well.
 
Yeah, best to get a sector-by-sector copy before you do anything to the original drive. If someone ends up making a decryptor, or even if the customer decides to take a chance and pay the ransom, you often need to have some or all of the files in their original positions. It may depend on a registry entry, the bitcoin address, a file in AppData, etc, etc. They all seem to do things a bit differently. There's even a new Cryptolocker fake out there called Crypt0L0cker. They're still working out the details on that one. There's yet another that both encrypts the files and infects them with a virus, so if one of those files gets on someone else's system it starts encrypting their files too.
 
I have the hard drive to a customer's computer infected with the Cryptowall 3.0. Of course it has sentimental pictures on it for the customer, so I took the hard drive out of the system and put it on a shelf and said if they make a fix for it then I'll recover the files. Then I moved to the next job lol
 