Hello all,
I'm going to paste the thread I posted on a different site in which I had to deal with this Ransomware and how I was able to retrieve almost all of their encrypted files. Hopefully this will help someone else out who is in a similar situation. I understand that some of these variables are unique, but the idea holds true.
"Hello all,
I am getting ready to tango with a Crypto trojan which has already infected a PC. It is a single PC in the network so no worry about cross contamination. It did have Microsoft OneDrive on it and it even encrypted those files. I'm pretty sure I can rid the PC of the bad guys and get it back to almost normal, but my question is, what to do with the encrypted mess that will be left behind?
Has anyone dealt with this first hand and been able to retrieve the encrypted files? Does anyone have any go-to AV/AM tools besides the obvious that will specifically help in this situation? I imagine PCS has dealt with at least one variant of this so hopefully he had success at file retrieval....
Any help would be greatly appreciated and before you ask, no they do not have a single backup. That is what OneDrive was supposed to be for....
Thanks for reading through this and hopefully one of you gents has a card up your sleeve on this one....
"
"System Restore doesn't seem to work but removing the trojan and then trying to restore previous versions of files/folders does seem promising assuming you have it turned on: Microsoft Link"
"It was Cryptowall 3.0 or so it said. Within a day of being infected, someone tried a System Restore which kinda put a stop to it encrypting anything new that was created. It still had rogue processes running wild so the virus still existed but at least it wasn't continuing to encrypt things and most of the "Pay now or else" warnings were gone. Luckily for this client, they had System Restore enabled and I was able to retrieve files based on Previous Versions as stated in my 2nd post. From what I am reading, my case isn't exactly the norm when dealing with this guy as it is set to delete Restore points and your Previous Versions along with it so you cannot do this.
Hopefully this info helps someone. I'm not sure why this version didn't remove the Restore Points or Previous Versions of files because they were Full Administrator with UAC turned off."
"Also, with this version as with many others, changing the ending file extension will make it seem like you have your file back but it will not load in whatever program it used to. So if you want to try and see if it works, first make a copy of whatever file and try it on that."
Just to bring out more detail in the above:
Best I could tell they did not have any AV/AM software installed pre-infection.
Within an hour of being infected, the user tried to install OMGAntivirus @ $30 a license (honestly never heard of this one) which killed off the encryption process, but not before Cryptowall had encrypted all of their files.
Within 6 hours, they tried a System Restore to see if they could go back before the virus. System Restore worked but they were still infected with encrypted files.
Then they called me to see what could be done.
I ran the standard AV/AM removal tools and was able to remove the virus for the most part, restored their files with Previous Versions and backed them all up. Then I did a clean OS install and reloaded their files. All seems to be in working order and out of thousands of files, I only lost 4 or 5 that didn't have previous versions to restore to or that worked.
If anyone runs into this guy and has any questions on what I did, feel free to post here and I can explain in more detail. Hopefully this helps out at least one other person dealing with this so these people do not make another dime on this scam.
Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
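One check worth adding to the procedure above: after pulling files back from Previous Versions, or when someone has just renamed encrypted files back to their old extensions, you want to know which ones are really recovered without opening thousands of them one by one. The script below is an added example (not the original poster's code): it looks at the first bytes of each file and compares them with the signature the extension implies (a .docx is a ZIP, a .pdf starts with %PDF, and so on), and for extensions it does not know it falls back on Shannon entropy, since ciphertext sits near 8 bits per byte while plain documents sit well below. The signature table, the 7.8 bits/byte threshold and the sample files are my own constructed choices, not anything from the thread.

```python
"""Triage files restored after a crypto-ransomware infection.

Added example, not from the original forum post. Verdicts per file:
  ok         header matches what the extension promises
  encrypted  header wrong or extension unknown, and content is ciphertext-like
  mismatch   header wrong but content is not ciphertext-like (probably a
             file saved under the wrong type, worth opening by hand)
  plausible  unknown extension, content does not look like ciphertext
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Signature table (my own short list; extend it for the types you see on the box).
SIGNATURES = {
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".pptx": [b"PK\x03\x04"],
    ".zip":  [b"PK\x03\x04"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".pdf":  [b"%PDF-"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}

HIGH_ENTROPY = 7.8  # bits/byte; assumed threshold, random ciphertext measures ~7.95 on 4 KB


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(ext: str, head: bytes):
    """True/False when the extension has a known signature, None when it does not."""
    sigs = SIGNATURES.get(ext.lower())
    if sigs is None:
        return None
    return any(head.startswith(s) for s in sigs)


def classify(name: str, data: bytes) -> str:
    """Verdict for one file given its name and (at least) its first 4 KB."""
    ext = os.path.splitext(name)[1]
    match = header_matches(ext, data[:16])
    if match is True:
        # Signature first: zip-based and image formats are legitimately
        # high-entropy, so entropy alone would misflag them.
        return "ok"
    looks_random = shannon_entropy(data[:4096]) >= HIGH_ENTROPY
    if match is False:
        return "encrypted" if looks_random else "mismatch"
    return "encrypted" if looks_random else "plausible"


def triage_dir(root: str) -> dict:
    """Walk `root` and return {path: verdict}, reading only the first 4 KB of each file."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                results[path] = classify(fn, fh.read(4096))
    return results


def ciphertext_like(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy bytes standing in for real ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample files: two real-looking documents, one text file, one
# encrypted blob with the ransomware's extension, one encrypted blob renamed
# back to .jpg, and one PDF mis-saved as .doc.
SAMPLES = {
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"[Content_Types].xml" * 20,
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + b"1 0 obj << /Type /Catalog >>\n" * 40,
    "notes.txt": b"Meeting notes: backups were never configured.\n" * 60,
    "report.docx.encrypted": ciphertext_like(4096),
    "photo.jpg": ciphertext_like(4096, seed=b"photo"),
    "letter.doc": b"%PDF-1.4\n" + b"stream data\n" * 30,
}


def demo() -> dict:
    """Write SAMPLES to a temp dir, triage it, and return {filename: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): v for p, v in triage_dir(tmp).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:10} {name}")
```

Point it at the restored tree (`triage_dir(r"C:\Users\...\Documents")`) and only the files marked `encrypted` or `mismatch` need hand checking; the copy-first advice in the post still applies before you open any of them in the real application.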