Client's computer has files encrypted by Cryptowall 3.0 ransomware - any chance to decrypt, or pay only? No backup available.

uplink-svk

Honorable
Mar 9, 2013
Hi there guys,

My client got his files encrypted by Cryptowall 3.0. Now I'm waiting for the bitcoin to arrive in his wallet. In the meantime, I wanted to ask you: is there any chance to decrypt the files without the software and key?

Cryptowall is a 2048-bit encryption system, using a hashed password on the server side, and deletes itself after encrypting certain files on the target computer.

There's no residue remaining after the attack besides a message in each folder with "how to pay the ransom" instructions.

Please advise,

Humble regards

uplink

P.S.: Ransom is 480 euro...
 

reedo_43

Distinguished
Feb 18, 2010
There is no way, and I also heard that if you pay the ransom, the encryption key will not work anyway. Hopefully he has some backup! Sorry for the luck; I've seen this twice already and could do nothing about it. I did a lot of research on it as well.
 

mcnumpty23

Distinguished
Jul 15, 2011
And from what I read about it:

When CryptoWall 3.0 encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original.

So the original has been deleted as an unencrypted file.

Therefore data recovery software has a good chance of finding and recovering the original file?
 
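The recovery idea in the post above, as an added example (editor's code, not from the thread): if the ransomware encrypted a copy and deleted the original, the original's data blocks stay on disk until the file system reuses them, and a header/footer carver can pull them out of a raw image. It should be run against an image of the volume taken offline (never the live share), and it only finds what has not been overwritten; the in-memory "image" below is constructed so the script runs stand-alone. PDFs are carved from `%PDF-` to the last `%%EOF`; zip-based files (docx) are located from the end-of-central-directory record, whose stored offsets give the true start of the archive even when stray `PK\x03\x04` signatures litter unallocated space.

```python
import io
import random
import struct
import zipfile

PDF_HEADER = b"%PDF-"
PDF_EOF = b"%%EOF"
ZIP_LOCAL = b"PK\x03\x04"    # first local file header of a zip (docx/xlsx are zips)
ZIP_EOCD = b"PK\x05\x06"     # end-of-central-directory record: 22 bytes + comment
MAX_FILE = 64 * 1024 * 1024  # stop looking for a footer this far past a header


def carve_pdfs(image):
    """Return (offset, bytes) for every %PDF- ... %%EOF span in the image."""
    found, pos = [], 0
    while (start := image.find(PDF_HEADER, pos)) >= 0:
        limit = min(len(image), start + MAX_FILE)
        # a %%EOF beyond the next header belongs to a different file
        nxt = image.find(PDF_HEADER, start + len(PDF_HEADER), limit)
        if nxt >= 0:
            limit = nxt
        # incrementally updated PDFs carry several %%EOF markers; keep the last one
        eof = image.rfind(PDF_EOF, start, limit)
        if eof < 0:
            pos = start + len(PDF_HEADER)  # header without footer: probably overwritten
            continue
        end = eof + len(PDF_EOF)
        # keep the one line ending that normally follows %%EOF
        if image[end:end + 1] == b"\r":
            end += 1
        if image[end:end + 1] == b"\n":
            end += 1
        found.append((start, image[start:end]))
        pos = end
    return found


def carve_zips(image):
    """Return (offset, bytes) for every zip archive, located from its EOCD record.

    The EOCD stores the central directory's size and offset, so the archive's real
    start is eocd - cd_offset - cd_size; a stray PK\\x03\\x04 earlier in free space is
    ignored. ZIP64 archives (fields of 0xFFFFFFFF) are not handled here."""
    found, pos = [], 0
    while (eocd := image.find(ZIP_EOCD, pos)) >= 0:
        if eocd + 22 > len(image):
            break
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", image, eocd + 12)
        start = eocd - cd_offset - cd_size
        end = eocd + 22 + comment_len
        if start >= 0 and end <= len(image) and image[start:start + 4] == ZIP_LOCAL:
            found.append((start, image[start:end]))
            pos = end
        else:
            pos = eocd + len(ZIP_EOCD)
    return found


def is_docx(data):
    """A carved zip is only worth keeping if it parses and looks like a Word file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None and "word/document.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def carve_image(image):
    return {
        "pdf": carve_pdfs(image),
        "docx": [(off, d) for off, d in carve_zips(image) if is_docx(d)],
    }


def build_sample_image():
    """Constructed stand-in for a disk image: free-space noise, a deleted PDF,
    a stray zip signature with nothing behind it, and a deleted docx."""
    pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
           b"trailer<</Root 1 0 R>>\nstartxref\n9\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>invoice</w:document>")
    docx = buf.getvalue()
    rnd = random.Random(1)  # deterministic noise standing in for ciphertext/free space

    def noise(n):
        return bytes(rnd.getrandbits(8) for _ in range(n))

    image = noise(512) + pdf + noise(300) + ZIP_LOCAL + noise(64) + docx + noise(256)
    return image, pdf, docx


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for kind, hits in carve_image(image).items():
        for off, data in hits:
            print(f"{kind}: offset {off}, {len(data)} bytes")
```

On a real image, feed `carve_image` the bytes of a `dd` copy of the NAS member disk in chunks, and write each hit to a file named by offset; a carved PDF or docx that fails to open was partly overwritten and is not coming back this way.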

uplink-svk

Honorable
Mar 9, 2013
Hi there guys,

Thank you for your quick responses. The problem is that the encrypted files are on a ReadyNAS in RAID 1 with an ext4 file system. The NAS didn't make any copies [because there are way too many files], and Windows doesn't make any shadow copies on network attached storage :(
 

mcnumpty23

Distinguished
Jul 15, 2011
Not looking good then :(

The problem is, as mentioned, that if you pay up there's no guarantee they will actually give you the key needed.

They might even think "well, they paid once, let's tell them they need to pay more".

Apart from that, it's important to remove the ransomware completely and run full checks in case it also installed any other software.

This sort of thing is why I always tell people: if it's important, make backups in 3 different locations, one of which must be able to be kept isolated from the PC.

 

uplink-svk

Honorable
Mar 9, 2013
I just [adjective removed] up. I bought only 1.9 BTC, and had to buy 1.90001 because of some stupid fee in MultiBitHD :/ damn.

Thank you guys for your support!

I'll have to buy more bitcoin then :( and hope for the best.

Btw, this is how it looks when you get effed in your ass with a huge 100% all-beef thermometer :\

//edit: deleted the URL and wallet transaction ID, just to be sure :\
 

rgd1101

Polypheme
Moderator
Hey, it's bitcoin, it might go up again :)

Anyway, someone in our company (not Tom's) got hit a few months ago. Luckily he is not a power user (not much important saved locally), although it did get to some network drives. We have a nightly backup, so we didn't pay up.

 

uplink-svk

Honorable
Mar 9, 2013
rgd1101 - and you did well :).

Though I still don't understand the concept of the whole situation. Isn't ransomware supposed to chew up only Windows-FS-based systems? The ReadyNAS is Unix/Linux based, with ext4. There are 16+ computers in the company network, all untouched. It must have run from one of those, or? I thought that a ransomware client needs an encrypted channel to the server so it can send data both ways, and needs a Windows OS plus some libraries to work. Or do I have it wrong? Is ransomware some "magical" multi-system software that works everywhere? Because I still don't understand how come it stopped for some time. How come it didn't chew up the system and stuff? It only crunched on .doc, .docx, .pdf and that's pretty much it. I'm kind of clueless here :??:
 

rgd1101

Polypheme
Moderator
It encrypted the files/file systems the infected PC had access to. The infected PC itself is the encrypter.

Now you just need to make sure all of them are clean.

Because the data is important; the OS/programs can be reinstalled.
 
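The point made in the last two posts (the NAS is Linux/ext4, yet the documents on it were encrypted by whichever Windows client wrote to the share) means the evidence of which host and account did it lives in the share's own metadata. As an added example (editor's code, not from the thread), the script below walks a tree, flags .doc/.docx/.pdf files whose first bytes no longer match the format's magic number (an encrypted copy has no such header), and summarises the owning UID (the NAS maps the SMB account to a UID) and the modification-time window, which narrows down which client and which time span to check. Entropy is reported only as corroboration: docx and most PDFs are compressed and already look random. The sample share is constructed inside a temporary directory; against a real case, point `triage()` at the share's mount point.

```python
import math
import os
import random
import tempfile
import zipfile
from collections import Counter

MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),                       # OOXML is a zip archive
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file
}
HEAD_BYTES = 64 * 1024


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(path):
    """Return a record for a document whose header is gone, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if not head or any(head.startswith(m) for m in MAGIC[ext]):
        return None  # empty files carry no evidence; an intact header means untouched
    st = os.stat(path)
    return {"path": path, "entropy": round(shannon_entropy(head), 2),
            "uid": st.st_uid, "mtime": st.st_mtime}


def triage(root):
    """Walk a share and summarise the encrypted documents found under it."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rec = check_file(os.path.join(dirpath, name))
            if rec:
                hits.append(rec)
    if not hits:
        return {"encrypted": [], "window": None, "by_uid": {}}
    mtimes = [r["mtime"] for r in hits]
    return {
        "encrypted": sorted(hits, key=lambda r: r["mtime"]),
        "window": (min(mtimes), max(mtimes)),            # when the encrypter was active
        "by_uid": dict(Counter(r["uid"] for r in hits)),  # which account wrote them
    }


def encrypted_names(result):
    return sorted(os.path.basename(r["path"]) for r in result["encrypted"])


def build_sample_tree(root):
    """Constructed share contents: two intact documents, two encrypted ones,
    and a .txt the ransomware in the thread did not touch."""
    rnd = random.Random(3)

    def ciphertext(n):  # deterministic stand-in for an encrypted file body
        return bytes(rnd.getrandbits(8) for _ in range(n))

    os.makedirs(os.path.join(root, "finance"), exist_ok=True)
    with open(os.path.join(root, "finance", "intact.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"1 0 obj<</Type/Catalog>>endobj\n" * 40 + b"%%EOF\n")
    with open(os.path.join(root, "finance", "report.pdf"), "wb") as fh:
        fh.write(ciphertext(4096))
    with zipfile.ZipFile(os.path.join(root, "memo.docx"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document>memo</w:document>")
    with open(os.path.join(root, "contract.docx"), "wb") as fh:
        fh.write(ciphertext(4096))
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not a target extension\n")
    return root


def run_demo():
    return triage(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    result = run_demo()
    for rec in result["encrypted"]:
        print(f"{rec['path']}: entropy {rec['entropy']}, uid {rec['uid']}")
    print("window:", result["window"], "by uid:", result["by_uid"])
```

Legitimate files with an unexpected header (a .doc that is really RTF, say) will show up as hits too, so treat the list as a starting point and confirm with the entropy column and the NAS's SMB logs for the UID and time window it reports.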

uplink-svk

Honorable
Mar 9, 2013
rgd1101 - thank you. That's a good call. I will change the NAS passwords ASAP [so no one will be able to access the NAS anymore, only those with the new password]. Now it's being cloned by Acronis True Image to an external HDD, just in case the decryption goes south, so the other files - those not yet encrypted - will be safe.
 

bkkkk1

Estimable
Oct 21, 2015
Hi!
I just got this nightmare of a virus this evening, and I have extremely important files on my laptop. There is no backup or way to restore. Did the decryption key work once you paid them?
 

Daniel_45

Estimable
Oct 22, 2015
Yes, if you pay the ransom you will get your files back. No guarantees, but I just had to do it and it works. I know I am contributing to the problem, but I had no choice. The company wasn't monitoring their backup and everything was encrypted. That said, they will be more diligent about monitoring their backup. But it is a nightmare. Buying bitcoins was probably the worst part; it's just an uneasy process if you use bitquick.co.

However, the terrorists that receive the money have every reason to want to give you your data. If they didn't, then people wouldn't pay, because word would get out. I hope they rot in hell with the money I sent.
 

Isabela_1

Estimable
Oct 22, 2015
Daniel, I was also a victim in this attack. You'll pay OR hackers already paid OS? We had OS files back?
 

bkkkk1

Estimable
Oct 21, 2015
Hi,

I haven't paid yet, but I am considering it. What are OS files? Did you pay?
 