Mechapixel Forums > Main > Aarkie's Corner > Good friend's computer got hit by CryptoWall 2.0 virus, been working on it

#1 | aarkieboy (Moderator) | 2014-11-12, 17:16

I've worked on a lot of infected computers, but this is the worst. Not so much that I couldn't get CryptoWall out, but there's no way, at present, to decrypt the owner's files...

CryptoWall 2.0 is a new variant of ransomware. It infects a computer, then if not removed immediately it encrypts the user's files. Word files, text files, OpenOffice files, a whole bunch of different file formats. You're supposed to pay to get your files decrypted, thus the ransomware tag. And the ransom is usually from $500 to $1000. After infection, the user sees this:

[image: screenshot of the CryptoWall ransom note]

Right now, all the major malware sites like Malwarebytes, Bleeping Computer, Symantec, Kaspersky, etc. say you either pay up or kiss your files goodbye. They are recommending not to pay as this just propagates this type of hacker activity. The main problem is in the simplicity of the malware. The decrypter is indeed only for the infected machine, thus a general fix program for decryption will not work.

Malwarebytes and several other malware/virus programs will remove CryptoWall. But they only remove, and cannot repair, the encrypted files.

This is from bleepingcomputer.com:
What should you do when you discover your computer is infected with CryptoWall

If you discover that your computer is infected with CryptoWall you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CryptoWall is on their computer until it displays the ransom note and your files have already been encrypted. The scans, though, will at least detect and remove any other malware that may have been installed along with CryptoWall.

Is it possible to decrypt files encrypted by CryptoWall?

Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key. Also any decryption tools that have been released by various companies will not work with this infection. The only methods you have of restoring your files are from a backup, file recovery tools, or if you're lucky from Shadow Volume Copies.

Anti-virus programs were no good at detection of this either. However, virus definitions are reported to be forthcoming forthwith.

My friend didn't lose much of anything they couldn't live without. But like most people they didn't back up and thus backups aren't available. File recovery tools are available, but can be expensive. I tried Shadow Volume Copies but no luck. Apparently, the virus removed previous restore points.

So that's what I've been up to today.
#2 | NocturnalGuy (Mecha+ Member) | 2014-11-12, 18:45

Ugh.
#3 | b0rg9 (Mecha+ Member) | 2014-11-12, 22:55

Damn. And here I am sitting all fat, dumb and happy with MS Security Essentials.

I don't explore the wild woolly west of internetland and I don't even use any SMTP email anymore, so I feel a sense of security. But probably a false sense.
#4 | Dinahmoehum (Member) | 2014-11-13, 2:03

I keep telling people to back up the computer; do they listen?
#5 | RepoMan (Moderator) | 2014-11-13, 9:01

These Software Restriction Policies that disallow these archive attachments from being run from an email seem like a good idea (BleepingComputer):

Block executables run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.


This really sucks. Russia: we make all this money through crime and we're STILL low rent scumbags.
#6 | Dinahmoehum (Member) | 2014-11-13, 11:01

I'm going to save that. I just had this old lady's laptop that was all fucked up. I sent her friend this video from Leo on tips to lock it down. Unfortunately getting rid of Java and Flash will break most websites. But yea, he is right, idiot users running on full admin privileges is the main problem.
https://www.youtube.com/watch?v=VfCRuDGxM8M
#7 | aarkieboy (Moderator) | 2014-11-13, 11:26

BleepingComputer also recommends this program that will change privileges for you.

I put it on my machines last night. No ill effects that I can tell so far.

Cryptoprevent

Current Version: 7.4.8 released Nov 13th 2014

CryptoPrevent is a tiny utility to lock down any Windows OS (XP, Vista, 7, 8, 8.1, and 10) to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.

Incidentally, due to the way that CryptoPrevent works, it actually protects against a wide variety of malware, not just Cryptolocker!

Scroll all the way down for download:

[image: screenshot of the CryptoPrevent download page]

The damage to my friend's files is even more severe than I first thought. CryptoWall encrypted their photos, PDFs, text files, Office files, OpenOffice files...really bad shit.
#8 | RepoMan (Moderator) | 2014-11-13, 11:35

Looking into ^^^. This kind of thing could wreck a business. Like Dinah said, backup backup backup, but it's a guarantee that many will not do that.
#9 | b0rg9 (Mecha+ Member) | 2014-11-13, 13:43

Hey Aarkie, which setting did you use in CryptoPrevent? Also, are you running 7 or 8?
#10 | RepoMan (Moderator) | 2014-11-13, 16:30

Some more advanced uses of Software Restriction Policies, whitelisting:

From the NSA: https://www.nsa.gov/ia/_files/os/win..._Using_SRP.pdf

And:

http://community.spiceworks.com/how_...ocker-and-more

These are specifically for Group Policies, but it should apply to Local Security Policies for home PCs that aren't on a domain. The difference from blacklisting is that if the CryptoWall jerks change where their program(s) execute from, that bypasses the blacklist.

Depending on how extreme you want to be, you can really lock down a system where only programs you specify can run from specific locations. It could be useful if you're supporting a problem child who always manages to get infected with the latest and greatest (and we all have at least one). Of course it'll probably increase the number of calls and emails saying "I can't install my new free screensavers!"
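The path rules from post #5 and the default-deny whitelist idea from post #10 can both be applied to a standalone home PC without clicking through secpol.msc. The script below is an added example, not code from the thread, BleepingComputer, the NSA guide or CryptoPrevent. It assumes the SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers that Local Security Policy writes (a level key 0 = Disallowed or 262144 = Unrestricted, each holding Paths\{GUID} subkeys with ItemData, SaferFlags, Description and LastModified values); the function names, the rule list and the log file path are the author's own choices. Run it from an elevated PowerShell prompt and try it on a spare machine before a relative's.

```powershell
# Added example: write Software Restriction Policy (SRP) path rules directly
# into the local policy registry hive. Not from the thread or BleepingComputer.
# ASSUMPTION: the key/value layout below matches what secpol.msc stores.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # SRP security level "Unrestricted"

function Initialize-SrpPolicy {
    param([int] $DefaultLevel = $Unrestricted)
    New-Item -Path $SaferRoot -Force | Out-Null
    # DefaultLevel decides what happens when no rule matches:
    # Unrestricted = blacklist mode, Disallowed = whitelist (default-deny) mode.
    Set-ItemProperty -Path $SaferRoot -Name DefaultLevel        -Value $DefaultLevel -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled  -Value 1 -Type DWord   # all software files except DLLs
    Set-ItemProperty -Path $SaferRoot -Name PolicyScope         -Value 0 -Type DWord   # all users, administrators included
    Set-ItemProperty -Path $SaferRoot -Name AuthenticodeEnabled -Value 0 -Type DWord
    # Standard SRP "designated file types" list, so .scr/.pif/.cmd etc. count as programs
    Set-ItemProperty -Path $SaferRoot -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
        'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    # Optional: SRP appends one line per evaluated program here, handy for seeing what got blocked
    Set-ItemProperty -Path $SaferRoot -Name LogFileName -Value "$env:SystemRoot\Temp\SrpLog.txt" -Type String
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Level,
        [string] $Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths
    $key = "$SaferRoot\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    # ItemData must be REG_EXPAND_SZ so %LocalAppData% expands per logged-on user
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

# The three blacklist rules quoted in post #5 (Vista/7/8 paths; on XP use
# %UserProfile%\Local Settings\Temp instead of %LocalAppData%\Temp).
$ArchiveTempRules = @(
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';   Description = 'Block executables run from archive attachments opened with 7zip' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Description = 'Block executables run from archive attachments opened with WinZip' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Description = 'Block executables run from archive attachments opened using Windows built-in Zip support' }
)

function Enable-SrpBlacklist {
    # Post #5 style: everything runs unless it matches a Disallowed rule.
    Initialize-SrpPolicy -DefaultLevel $Unrestricted
    foreach ($r in $ArchiveTempRules) {
        Add-SrpPathRule -Path $r.Path -Level $Disallowed -Description $r.Description
    }
}

function Enable-SrpWhitelist {
    # Post #10 style: nothing runs unless it lives under an Unrestricted path,
    # so moving the malware to a new folder no longer helps it.
    Initialize-SrpPolicy -DefaultLevel $Disallowed
    foreach ($dir in @('%SystemRoot%', '%ProgramFiles%', '%ProgramFiles(x86)%')) {
        Add-SrpPathRule -Path $dir -Level $Unrestricted -Description "Allow programs installed under $dir"
    }
    # %SystemRoot% contains folders ordinary users can write to; a more specific
    # Disallowed rule wins over the broader Unrestricted one above.
    Add-SrpPathRule -Path '%SystemRoot%\Temp' -Level $Disallowed -Description 'Deny programs run from the Windows temp folder'
}

# Pick one. Log off and back on so the new rules apply to your session.
Enable-SrpBlacklist
# Enable-SrpWhitelist
```

In blacklist mode the policy only touches the three archive temp paths, so existing software keeps working but, as post #10 says, a sample dropped anywhere else still runs. Whitelist mode is the stricter choice for the "problem child" machine: expect programs that install into the user profile (many browsers, chat clients, updaters) to stop launching until you add Unrestricted rules for them, and check the log file when something unexpectedly refuses to start.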
#11 | aarkieboy (Moderator) | 2014-11-13, 16:56

Right now I've got it set at "maximum protection" on an old XP machine and 2 laptops running 7 Pro. Thought I'd try that first and if it gives problems to other software I'd back it down a notch.
#12 | RepoMan (Moderator) | 2014-11-13, 17:14

Cool, I think I may take that over to my parents' this weekend.
#13 | aarkieboy (Moderator) | 2014-11-14, 1:49

Here's another crypto-ransomware prevention tool, also recommended by BleepingComputer. It's free and it's from SurfRight, the makers of HitmanPro. I've installed it also, in conjunction with CryptoPrevent.

"SurfRight has developed a free tool called CryptoGuard that is designed to detect certain behaviors that encrypting ransomware exhibits and block the malware. Instead of containing definitions for each ransomware, CryptoGuard will instead monitor processes on the computer and if it detects behavior that is similar to how an encrypting ransomware would act, it blocks the process from running."

Download it from here.