Infected with Cryptowall (Cryptolocker / Cryptodefense variant) anyone run into this?

drnick5
Hey Folks,

A client of mine called this morning saying their shared drive was "acting funny". I remoted in and saw a bunch of files named "decrypt_instruction" in the folders on the share (a .htm file, a .txt file and a shortcut). None of the files on the share would open. Looking this up, it seems like they were hit with Cryptowall.

We tracked down which computer it seemed to come from, but the strange thing is that the computer itself shows no other signs of infection (the user didn't see a popup asking to pay the ransom or anything). After looking through the registry, I don't see anything related to Cryptowall or other variants. The only evidence I have is the files on the share not working. This user is on a domain with folder redirection, which I believe may have saved them here.

We were able to restore all the files from the shadow copies (we also have backups to fall back to). I've run the ESET rogue application remover that I found in a blog post about this infection, but it found nothing. I also ran the Microsoft Malicious Software Removal Tool, which found nothing as well. We use VIPRE managed antivirus through GFI, which didn't pick this up; I'm running a further deep scan now, but I haven't been able to find any traces of how this got on the computer in the first place. Her user account also doesn't seem to be affected (I'm guessing due to folder redirection).

Has anyone come across a Cryptowall-type infection like this? It's as if the infection got in, encrypted the files (or at least tried to), left the 3 "decrypt_instruction" files in each folder and then deleted itself.
 
Have not run across Cryptowall. But as I understand it, Cryptolocker only displays the ransom message when it has finished encrypting everything it can see/find. So maybe it had not finished encrypting everything for some reason.
 
That's what's sort of strange: from what I can tell it started about 9am and stopped about 10:30am. I don't see any more of these decrypt_instruction files being created after that (the entire share was encrypted at this point).

I just now found 1 file buried in the temporary internet files that appears to be where this came from. It looks to be a zip file that claims to be a fax.
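The triage described in the two posts above (find the notes, work out which user dropped them, bracket the encryption window, then judge which files are actually damaged), as an added example that is not code from this thread. It is a PowerShell script for the file server or a workstation with access to the share; `$Share` and the CSV output path are placeholders, and the signature table only covers a handful of common types. Because CryptoWall keeps the original file names, the script compares each file's first bytes against the signature its extension implies rather than trusting the extension.

```powershell
# Added example, not code from the thread: triage a share hit by CryptoWall.
# Finds the ransom notes, reports who created them (the owner identifies the
# infected user/workstation), brackets the encryption window from their
# timestamps, and lists files written in that window whose header no longer
# matches their extension. $Share is a placeholder.
param(
    [string]$Share       = '\\fileserver\shared',   # assumption: the affected share
    [string]$NotePattern = 'DECRYPT_INSTRUCTION*'    # note names described in the thread
)

# 1. Ransom notes and the account that created them.
$notes = @(Get-ChildItem -LiteralPath $Share -Recurse -Force -File -Filter $NotePattern -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            Created = $_.CreationTime
        }
    })
"$($notes.Count) ransom notes found"
$notes | Group-Object Owner | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
if ($notes.Count -eq 0) { return }

# 2. First and last note bracket the run (the thread saw roughly 9:00 to 10:30).
$sorted = @($notes | Sort-Object Created)
$start  = $sorted[0].Created.AddMinutes(-5)
$end    = $sorted[-1].Created.AddMinutes(5)
"Encryption window: $($sorted[0].Created) to $($sorted[-1].Created)"

# 3. CryptoWall keeps the original file names, so judge by content: a file whose
#    first bytes no longer match its extension's signature is probably encrypted.
$magic = @{
    '.pdf' = '25504446'; '.docx' = '504B0304'; '.xlsx' = '504B0304'; '.pptx' = '504B0304'; '.zip' = '504B0304'
    '.doc' = 'D0CF11E0'; '.xls'  = 'D0CF11E0'; '.jpg'  = 'FFD8FF';   '.jpeg' = 'FFD8FF';   '.png' = '89504E47'
}
function Get-HeaderHex([string]$Path) {
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 4
            $n   = $fs.Read($buf, 0, 4)
            if ($n -lt 1) { return '' }
            return -join ($buf[0..($n - 1)] | ForEach-Object { '{0:X2}' -f $_ })
        } finally { $fs.Dispose() }
    } catch { return '' }   # unreadable: treat as unknown and let it be flagged
}

$suspect = Get-ChildItem -LiteralPath $Share -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        $ext = $_.Extension.ToLower()
        $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end -and
        $magic.ContainsKey($ext) -and -not (Get-HeaderHex $_.FullName).StartsWith($magic[$ext])
    }
"$(@($suspect).Count) files modified in the window with a mismatched header"
$suspect | Select-Object FullName, LastWriteTime, Length |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'cryptowall-suspects.csv')
```

The owner of the notes is only a pointer, not proof: it tells you which account was logged on to the machine that wrote them, so confirm with the workstation's own evidence (as the poster did with the zip in Temporary Internet Files) before wiping anything. The header check errs on the side of flagging, so an empty or unreadable file is reported as suspect rather than skipped.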
 
I have read that some of these things claim to be voice mails in emails. Maybe a fax could be a variant on that idea. Something someone would be fooled into opening without a second thought.
 
I read over on the Malwarebytes forums that some variants try to start vssadmin then delete all existing shadow copies before they start on the encryption. Doesn't sound good!
 
That is true. The setting "Prevent execution of potentially damaging system files" in recent versions of CryptoPrevent will prevent execution of vssadmin.exe and a few other things, to prevent it from deleting your shadow copies.

In fact I'm actually preparing a new version of CryptoPrevent (v6) if anyone wants to test it out. It isn't just a group policy based app any longer; there are some new protections in place that may help mitigate some new variants of crypto-stuff, though I have not personally tested it against anything yet.
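The two posts above raise a check and a control: are the shadow copies still there, and can vssadmin.exe be stopped from deleting them. The following PowerShell is an added example, not CryptoPrevent's own code or rule set (which the thread does not show); it uses the standard Software Restriction Policy registry store, written the same way the Local Security Policy snap-in does, to disallow both copies of vssadmin.exe. Run it elevated; the rule GUIDs are generated on the spot.

```powershell
# Added example, not CryptoPrevent's own code. Run elevated on the workstation.
# (1) Check that the shadow copies you intend to restore from still exist.
# (2) Add a Software Restriction Policy path rule that disallows vssadmin.exe,
#     the same SRP mechanism the CryptoPrevent option above is described as using
#     (assumption: its exact rule set is not shown in the thread). The value names
#     are those the Local Security Policy snap-in writes; the rule GUID is generated.

# (1) One line per snapshot. No output means there are no previous versions to go back to.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object VolumeName, InstallDate |
    Format-Table ID, VolumeName, InstallDate -AutoSize

# (2) Disallow both copies of vssadmin.exe (64-bit and WOW64) for every user, admins included.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $safer)) {
    New-Item -Path $safer -Force | Out-Null
    New-ItemProperty -Path $safer -Name DefaultLevel       -PropertyType DWord -Value 0x40000 | Out-Null  # Unrestricted by default
    New-ItemProperty -Path $safer -Name TransparentEnabled -PropertyType DWord -Value 1       | Out-Null  # enforce for executables, not DLLs
    New-ItemProperty -Path $safer -Name PolicyScope        -PropertyType DWord -Value 0       | Out-Null  # applies to all users
}

$targets = '%SystemRoot%\System32\vssadmin.exe', '%SystemRoot%\SysWOW64\vssadmin.exe'
foreach ($exe in $targets) {
    $rule = Join-Path $safer "0\Paths\{$([guid]::NewGuid())}"     # level 0 = Disallowed
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData     -PropertyType ExpandString -Value $exe | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags   -PropertyType DWord        -Value 0    | Out-Null
    New-ItemProperty -Path $rule -Name Description  -PropertyType String       -Value 'Block shadow copy deletion by ransomware' | Out-Null
    New-ItemProperty -Path $rule -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

# Verify on a process started after the change: the expected result is
# "This program is blocked by group policy" rather than a list of shadow copies.
& "$env:SystemRoot\System32\vssadmin.exe" list shadows
```

The rule applies to processes started after the change; if the test still lists shadow copies, log off and back on before concluding it failed. Two caveats a practitioner should weigh before deploying this on a client machine: some backup agents invoke vssadmin.exe themselves and will start failing, and a path rule on one binary is a speed bump, not a guarantee, since malware running with admin rights can also delete snapshots through WMI (Win32_ShadowCopy) without ever calling vssadmin.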
 
Quick question: is anyone installing CryptoPrevent Free on people's computers and then leaving it as is, without any customization or notification to the client that it's installed?

I would like to either do that or put the premium version on, but not get the customer involved with configs or add to their fear of adding something extra. I've still got customers who won't upgrade their MBAM because they think it's a virus. :rolleyes:
 
I do, all the time. That, plus CryptoGuard, as a matter of routine.

Edit: I put in my invoice that I installed them, but I don't think customers actually read the details.
 
While the intention is good, I think that has the potential to be a "slippery" move... if you tell a client that you installed some specific protection against ransomware on their computer, there are chances that in the future that protection fails at some point and the client's files get encrypted for ransom. Imagine who they are going to try to hold responsible...
 
The same could be said about any protective measures, including antivirus. The key is to manage expectations. I always explain to my customers that the protective measures I put in place will make it harder to get infected, but no security is 100%.
 
I must have gotten lucky when I ran into the two cryptowall infections a couple weeks ago.

1. Scanned and removed all malware with our normal programs.
2. Used "Everything" search by voidtools to select and delete all the decrypt instruction .txt files on the computer.
3. Restored all previous versions of folders with encrypted files in them.

Each job took about 2 hours or less and the customer was very happy that all data was usable and the computer was tuned up.

All of the success of these jobs banked on the "previous versions" still being in good working order. I am sure I will come across a cryptowall that damages the previous versions but so far so good.
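The cleanup-and-restore procedure in the post above (remove the ransom notes, then bring back previous versions), as an added PowerShell example rather than the poster's own steps. It picks the newest shadow copy of the target volume that predates the encryption run, exposes it as a directory symlink, deletes the notes, and overwrites only the files that were written after the run started and for which the snapshot actually holds a copy, so anything the malware never reached is left alone. `$Target` and `$EncryptionStart` are placeholders (the start time would come from the ransom-note timeline); it is for a local volume and must run elevated.

```powershell
# Added example, not the poster's exact procedure. Restore one folder on a local
# volume from the newest shadow copy taken before the encryption started, and
# remove the ransom notes. Run elevated on the machine that holds the volume.
# $Target and $EncryptionStart are placeholders (the start time comes from the
# ransom-note timeline). -WhatIf shows what would be deleted/overwritten.
param(
    [string]  $Target          = 'C:\Users\Public\Documents',   # assumption: local path, not UNC
    [datetime]$EncryptionStart = '2014-06-03 09:00',            # assumption
    [switch]  $WhatIf
)
$ErrorActionPreference = 'Stop'

# 1. Newest snapshot of $Target's volume that predates the run.
$volRoot = (Get-Item -LiteralPath $Target).PSDrive.Root            # e.g. C:\
$letter  = $volRoot.TrimEnd('\')                                    # e.g. C:
$vol     = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $letter }
$snap    = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $EncryptionStart } |
    Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snap) { throw "No shadow copy of $volRoot older than $EncryptionStart; fall back to backups." }
"Restoring from shadow copy $($snap.ID) taken $($snap.InstallDate)"

# 2. Expose the snapshot as a directory. mklink needs the trailing backslash.
$link = Join-Path $env:SystemDrive 'shadow_restore'
if (Test-Path -LiteralPath $link) { cmd /c rmdir "$link" | Out-Null }
cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
try {
    $snapRoot = Join-Path $link $Target.Substring($volRoot.Length)

    # 3. Ransom notes first, so they are never mistaken for user data.
    Get-ChildItem -LiteralPath $Target -Recurse -Force -File -Filter 'DECRYPT_INSTRUCTION*' |
        Remove-Item -Force -WhatIf:$WhatIf

    # 4. Overwrite only files written since the run started, and only where the
    #    snapshot has a copy; files the malware never touched are left alone.
    $restored = 0; $missing = @()
    Get-ChildItem -LiteralPath $Target -Recurse -Force -File |
        Where-Object { $_.LastWriteTime -ge $EncryptionStart } |
        ForEach-Object {
            $rel = $_.FullName.Substring($Target.Length).TrimStart('\')
            $src = Join-Path $snapRoot $rel
            if (Test-Path -LiteralPath $src) {
                Copy-Item -LiteralPath $src -Destination $_.FullName -Force -WhatIf:$WhatIf
                $restored++
            } else {
                $missing += $_.FullName       # newer than the snapshot: no clean copy exists
            }
        }
    "Restored $restored file(s); $($missing.Count) had no pre-encryption copy:"
    $missing
} finally {
    cmd /c rmdir "$link" | Out-Null           # removes the link only, not the snapshot
}
```

Run it with `-WhatIf` first and read the list of files it would overwrite. The selection relies on the malware having updated LastWriteTime when it rewrote each file; if a variant preserves timestamps, replace that filter with a content check (for instance the header comparison from the triage step) so legitimately edited files are not clobbered. As the poster notes, all of this depends on the snapshots surviving, which is exactly what the vssadmin-deleting variants discussed earlier are designed to prevent, so check for them before starting and keep the offline backup as the fallback.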
 