[SOLVED] Recovery of encrypted files by Cryptowall Ransomware

mlcomputers (Active Member, The Vendee, France)
Has anybody had any success in recovering the files encrypted by a ransomware infection called Cryptowall?

I have a customer with a Windows XP computer that is about to be replaced, however when saving her files I found that none could be opened. There are warning messages explaining that the computer has been encrypted with instructions on how to pay the ransom.

This is the first instance of a ransomware encryption that I have come across.

Any help would be appreciated.

Jason
 
If it is Cryptolocker you might have some luck here:

https://www.decryptcryptolocker.com/

However that is only good on keys created before the raid and is no help with the many variants out there.

If that is the case there is NOTHING short of an NSA supercomputer and lots of time that will help you crack the encryption.

The only option is to eat it or pay the ransom and hope you don't get robbed.
 
I have done some further research and apparently the Cryptowall ransomware deletes the original files first before creating new files and encrypting them. I will try a data recovery first to see if I can retrieve the original files. I will keep you updated.

Should have said copies files first, encrypts the copies and then deletes the originals. Sorry.

Jason
 
Not to be pedantic, but if they delete the original files first, from what do they create the new files which they then encrypted?
 
Somewhere a script-kiddie virus writer just went:

[image: The Simpsons "D'oh!" poster]
 
After cloning the original drive.

I have managed to recover a lot of data that was stored in archive folders as attachments by the customer in Outlook Express. The Outlook Express identities data was not encrypted in any way. So thankfully for her some very important files are now recovered.

Re the deleted files comment, I was only going by some info that I found on the Internet. This is the first CryptoLocker-type infection that I have encountered on a customer's computer.
 
Apparently the Cryptowall infection makes a copy of the files first, encrypts them and then deletes the originals!

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

The customer stopped using the computer immediately so I may be lucky and can recover some of the deleted files.

I would expect it works through the files sequentially, copying, encrypting and deleting each one in turn, rather than copying all of the files first, running the risk of filling the user's drive in the process. If that's the case, I doubt you'd be able to recover much more than the last few files it processed unfortunately; the rest will probably have been overwritten.
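
The sequential copy-encrypt-delete argument above, as an added illustration that is not part of the thread: a toy block-allocation model written in PowerShell. It assumes a first-fit allocator (a new file takes the lowest free blocks), which is a simplification of how NTFS or FAT actually place data, and the function name, volume size and file sizes are made up for the example. Freed blocks keep their old contents until something is written over them, which is exactly what an undelete tool relies on.

```powershell
# Added example, not from the thread. Block-level model of copy -> encrypt -> delete.
# $owner is the allocation table ($null = free); $data is what is physically on the block
# and survives a delete until the block is rewritten. First-fit allocation is assumed.
function Invoke-CopyEncryptDeleteModel {
    param(
        [int]$Blocks,                                   # total blocks on the volume
        [int]$Files,                                    # number of victim files
        [int]$FileSize,                                 # blocks per file
        [ValidateSet('sequential', 'batch')][string]$Mode
    )
    $owner = New-Object string[] $Blocks
    $data  = New-Object string[] $Blocks

    # First-fit: take the $Count lowest free blocks and overwrite their contents with $Tag.
    function Write-New([string]$Tag, [int]$Count) {
        $free = @(0..($Blocks - 1) | Where-Object { -not $owner[$_] })
        if ($free.Count -lt $Count) { throw "disk full while writing $Tag" }
        $chosen = @($free[0..($Count - 1)])
        foreach ($b in $chosen) { $owner[$b] = $Tag; $data[$b] = $Tag }
        return ,$chosen
    }
    # Delete = unlink only; the block contents are left in place.
    function Remove-Blocks([int[]]$BlockList) {
        foreach ($b in $BlockList) { $owner[$b] = $null }
    }

    # Lay down the victim's originals back to back from the start of the volume.
    $original = @{}
    for ($i = 0; $i -lt $Files; $i++) { $original[$i] = Write-New "orig$i" $FileSize }

    switch ($Mode) {
        'sequential' {
            # Per file: write the encrypted copy into the lowest free blocks, then delete the original.
            for ($i = 0; $i -lt $Files; $i++) {
                [void](Write-New "enc$i" $FileSize)
                Remove-Blocks $original[$i]
            }
        }
        'batch' {
            # Write every encrypted copy first (needs free space for all of them), then delete all originals.
            for ($i = 0; $i -lt $Files; $i++) { [void](Write-New "enc$i" $FileSize) }
            for ($i = 0; $i -lt $Files; $i++) { Remove-Blocks $original[$i] }
        }
    }

    # An original can still be undeleted only if none of its blocks have been rewritten.
    $recoverable = @()
    for ($i = 0; $i -lt $Files; $i++) {
        $intact = $true
        foreach ($b in $original[$i]) { if ($data[$b] -ne "orig$i") { $intact = $false } }
        if ($intact) { $recoverable += $i }
    }
    return ,$recoverable
}

# 20-block volume, 5 files of 3 blocks each, 5 blocks free.
Invoke-CopyEncryptDeleteModel -Blocks 20 -Files 5 -FileSize 3 -Mode sequential
# Same volume, copy-everything-first: the second copy already has nowhere to go.
try { Invoke-CopyEncryptDeleteModel -Blocks 20 -Files 5 -FileSize 3 -Mode batch } catch { $_.Exception.Message }
# A volume with room for all the copies, batch mode.
Invoke-CopyEncryptDeleteModel -Blocks 40 -Files 5 -FileSize 3 -Mode batch
```

In the sequential run only the last original survives: each encrypted copy is written straight into the blocks the previous original has just vacated, so by the time the customer pulls the plug everything but the tail of the run has been overwritten. Batch mode either fills the volume or, given the room, leaves every original intact for an undelete. Real allocators are less predictable than first-fit, which is why the poster above still got some files back rather than none.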
 
I don't know if CryptoWall behaves the same as CryptoBit, but the latter encrypts just the headers of each encrypted file, so it can race through them all quickly. Here's a thread on how to decrypt such infected files if that is the technique used.
 
Resolved

Ran a full data recovery today and have retrieved a huge amount that was not in the Outlook Express archives. Most importantly, the majority of her photos and family videos. Although not everything, the customer is very happy not to have lost the lot, which was the worst-case scenario. Have lost the vast majority of Word and Excel documents, but PDF files are OK.

Thank you to those who posted some positive assistance in helping me with this issue!!
 
Any updates on this? I had my first experience of this variant, "Cryptowall", today. I cannot do anything to remove it. Unfortunately the client has not backed up data since 2009!

So of course all restore points have been disabled; it seems the original key that these idiots encrypted the drive with is the only solution.

No use backing up infected data, so it means all Outlook profiles are FUBAR as well.

As they say, SOOL I'm afraid. :mad: Trying a recovery now; don't think it will do much good, but worth a try I suppose.

I saw this on my explorations; unsure if it may be of any help to people who know, or if it is valid:

"I used a traffic analyzer to catch the traffic and saved traffic in cap file, opened with hex editor to copy a key which your computer sends to the server, this key is needed to decrypt files, then I used a decrypter to decrypt all his files, like business data, pictures and videos"
 
I had two customers with cryptowall at my store.

The first computer: whenever I plugged in the network cable, I checked Task Manager and there were 20+ dllhost.exe *32 (COM Surrogate) processes that devoured all their RAM. I disconnected it and that brought the CPU down to 0%.

Running Malwarebytes didn't do anything. RKill wouldn't find anything, and neither would ComboFix or NOD32.

I ran ShadowExplorer and found copies of their data from the same month. Took me an entire day to restore their data.

The second client, who was an existing customer, I had her old hard drive in my closet and I was able to restore the pictures from that after CryptoLocker encrypted her whole drive. ShadowExplorer got some of her files, but not her pictures.

I zeroed both drives and reinstalled the OS. Customers were happy.

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

http://www.shadowexplorer.com/downloads.html
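
What ShadowExplorer does through its GUI, as an added PowerShell example (not from the thread, and not ShadowExplorer's own code): enumerate the Volume Shadow Copies through WMI, expose one snapshot through a directory symlink, and robocopy a folder out of it onto another disk. It needs an elevated prompt on Vista/7 or later; the mount point, cut-off date, user name and destination path are placeholders. If Get-ShadowCopies returns nothing there is no snapshot to read: either System Restore was off or the malware removed them (CryptoWall samples commonly run vssadmin to delete shadow copies), which is the "blank" ShadowExplorer reported further down the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

function Get-ShadowCopies {
    # Win32_ShadowCopy exposes each snapshot's device path and creation time.
    Get-WmiObject Win32_ShadowCopy | ForEach-Object {
        New-Object PSObject -Property @{
            Id      = $_.ID
            Volume  = $_.VolumeName
            Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            Device  = $_.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        }
    } | Sort-Object Created
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory=$true)][string]$Device,       # DeviceObject of the snapshot to read
        [Parameter(Mandatory=$true)][string]$SourcePath,   # folder inside the volume, relative to its root
        [Parameter(Mandatory=$true)][string]$Destination,  # where to copy to; use a different disk
        [string]$MountPoint = 'C:\shadow'                  # placeholder link location
    )
    if (Test-Path $MountPoint) { throw "$MountPoint already exists" }
    # The snapshot is reachable as a normal folder only through a directory symlink
    # to its device path; the trailing backslash on the device path is required.
    cmd /c mklink /d $MountPoint "$Device\" | Out-Null
    try {
        # /E copies subfolders, /COPY:DAT keeps data, attributes and timestamps,
        # /R:1 /W:1 keeps retries short on unreadable files, /NP suppresses progress output.
        robocopy (Join-Path $MountPoint $SourcePath) $Destination /E /COPY:DAT /R:1 /W:1 /NP | Out-Null
        # robocopy exit codes below 8 mean nothing failed to copy.
        return ($LASTEXITCODE -lt 8)
    } finally {
        # rmdir on a directory symlink removes the link only, never the snapshot behind it.
        cmd /c rmdir $MountPoint | Out-Null
    }
}

# List what is available, then pull the user's documents from the newest snapshot
# taken before the (placeholder) infection date.
Get-ShadowCopies | Format-Table Created, Device -AutoSize
$snap = Get-ShadowCopies | Where-Object { $_.Created -lt (Get-Date '2014-09-01') } | Select-Object -Last 1
if ($snap) {
    Restore-FromShadowCopy -Device $snap.Device -SourcePath 'Users\jane\Documents' -Destination 'E:\recovered\jane'
}
```

Copy to a drive other than the infected one: the snapshot shares the volume with the live files, and any write there can consume the very blocks an undelete pass would otherwise recover. The symlink approach also works from a clean machine with the victim's disk attached, which is the safer way to do it.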
 
"I used a traffic analyzer to catch the traffic and saved traffic in cap file, opened with hex editor to copy a key which your computer sends to the server, this key is needed to decrypt files, then I used a decrypter to decrypt all his files, like business data, pictures and videos"

Not much. There are some variants of Cryptolocker that create the key on the computer that is infected. But it is the first thing that the virus does. You'd have to have your scanner on at the time of infection in order to get that key, because once the key is successfully created and transmitted to the server the key is deleted. (Older versions of this variant didn't do that, but the authors quickly corrected their mistake.) So I find such claims that people have captured the key dubious at best. It has been done in lab experiments, as there are YouTube videos of it, but not in real life.
 
Yeah, tried ShadowExplorer but it was blank when I ran it, as restore was disabled I suppose.
Also of note, the "restore previous version" option is not available on Vista.
 