Cryptowall 3.0 and How I dealt with it

DrB0b

Hello all,
I'm going to paste the thread I posted on a different site in which I had to deal with this Ransomware and how I was able to retrieve almost all of their encrypted files. Hopefully this will help someone else out who is in a similar situation. I understand that some of these variables are unique, but the idea holds true.

"Hello all,

I am getting ready to tango with a Crypto trojan which has already infected a PC. It is a single PC in the network so no worry about cross contamination. It did have Microsoft OneDrive on it and it even encrypted those files. I'm pretty sure I can rid the PC of the bad guys and get it back to almost normal, but my question is, what to do with the encrypted mess that will be left behind?

Has anyone dealt with this first hand and been able to retrieve the encrypted files? Does anyone have any go-to AV/AM tools besides the obvious that will specifically help in this situation? I imagine PCS has dealt with at least one variant of this so hopefully he had success at file retrieval....

Any help would be greatly appreciated and before you ask, no they do not have a single backup. That is what OneDrive was supposed to be for....

Thanks for reading through this and hopefully one of you gents has a card up your sleeve on this one....
"

"System Restore doesn't seem to work but removing the trojan and then trying to restore previous versions of files/folders does seem promising assuming you have it turned on: Microsoft Link"

"It was Cryptowall 3.0 or so it said. Within a day of being infected, someone tried a System Restore which kinda put a stop to it encrypting anything new that was created. It still had rogue processes running wild so the virus still existed but at least it wasn't continuing to encrypt things and most of the "Pay now or else" warnings were gone. Luckily for this client, they had System Restore enabled and I was able to retrieve files based on Previous Versions as stated in my 2nd post. From what I am reading, my case isn't exactly the norm when dealing with this guy as it is set to delete Restore points and your Previous Versions along with it so you cannot do this.

Hopefully this info helps someone. I'm not sure why this version didn't remove the Restore Points or Previous Versions of files because they were Full Administrator with UAC turned off.
"

"Also, with this version as many others, changing the ending file extension will make it seem like you have your file back but it will not load in whatever program it used to. So if you want to try and see if it works, first make a copy of whatever file and try it on that."


Just to bring out more detail in the above:
Best I could tell they did not have any AV/AM software installed pre-infection.
Within an hour of being infected, the user tried to install OMGAntivirus @ $30 a license (honestly never heard of this one) which killed off the encryption process but not after Cryptowall had encrypted all of their files.
Within 6 hours, they tried a System Restore to see if they could go back before the virus. System Restore worked but they were still infected with encrypted files.
Then they called me to see what could be done.

I ran the standard AV/AM removal tools and was able to remove the virus for the most part, restored their files with Previous Versions and backed them all up. Then I did a clean OS install and reloaded their files. All seems to be in working order and out of thousands of files, I only lost 4 or 5 that didn't have previous versions to restore to or that worked.

If anyone runs into this guy and has any questions on what I did, feel free to post here and I can explain in more detail. Hopefully this helps out at least one other person dealing with this so these people do not make another dime on this scam.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
So, the key thing you mentioned is "RESTORED THEIR FILES". This is precisely what most people have a problem with. NO BACKUP to restore from. Otherwise, it's just an annoying piece of malware IF you have backup. Without backup, it's devastating ransomware that holds you and your data hostage.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
@Goomba - Correct, but there was no backup present other than them having System Restore turned on and able to use the Previous Versions feature associated with System Restore. If you do not have System Restore turned on, this method would not have worked.

This is just another lesson in why you should back up your data. As you said, it would have made this an hour long job instead of an 8hr job.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
I thought you were saying they had backup. Thus I was saying "no big deal". I'm confused. I've never used previous versions. Don't you need a backup from a windows backup to be able to use that? Thus you HAD a backup.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
If you check out that Microsoft Link in the first post, it tells all about it and how to try and use it. I had never used Previous Versions before this instance. It has no association with Windows Backup that I know of. PV is tied in with System Restore. If you have System Restore off, you cannot access any Previous Versions of files/folders. Most variations of the Crypto-virus attack System Restore points and Previous Versions usually by erasing them, thus making this fix not work. Lucky for me, either the virus wasn't "bad" enough to attack those or was thwarted by something.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Thanks for sharing, DrB0b.

I haven't dealt with this specific Ransomware, but with another similar one, I was able to use shadow copies and restore all or else 99.99999% of the files before just nuking the system and reinstalling:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#shadow

So if one method doesn't work, perhaps another will.



"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
 
One thing I wonder about with the previous versions method is this: Let's say the user has a LOT of files, and they have a low limit set on system restore (chances are they'll just have it set to default, so maybe it'd be semi-safe in that regard). It seems at least possible to me that the method wouldn't work in that scenario, b/c System Restore wouldn't be allowed to use enough space necessary to create the backups. Then again if it is somehow just parts of files, and not full files, then it might still be possible. Interesting method and concept for sure.

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
 
From MS:
How is restoring previous versions from restore points different from restoring previous versions from a backup?

When you restore a previous version from a restore point, the file is already saved on your computer, so you don't have to do anything additional. If you want to restore a previous version of a file or folder from a backup, after you select the previous version and click Restore, Windows opens the Restore Files wizard, and then you follow the steps in the wizard. The drive or media that your backup is stored on needs to be available for you to restore items from a backup.


So from that we know that somewhere in or around the System Restore files is a section of Previous Version files.

Also from MS:
What are previous versions?

Previous versions are either copies of files and folders created by Windows Backup or copies of files and folders that Windows automatically saves as part of a restore point. You can use previous versions to restore files and folders that you accidentally modified or deleted, or that were damaged. Depending on the type of file or folder, you can open, save to a different location, or restore a previous version.


In my case, the Previous Versions were created by a Restore Point being created before a round of Windows Updates were implemented.

This HTG link tells a little better story than I can and sheds a lot of light on the subject:

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
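
A read-only way to check ahead of time whether the Previous Versions recovery described in this thread would be available on a machine, and whether the shadow storage limit raised earlier in the thread is a concern. This is an added example, not code from any poster; it uses the standard Win32_Volume, Win32_ShadowCopy and Win32_ShadowStorage CIM classes, and the function name Get-ShadowCopyAudit is made up for illustration.

```powershell
# Added example (not from the thread): read-only audit of shadow copy state.
# Run from an elevated PowerShell prompt; nothing on the system is changed.
function Get-ShadowCopyAudit {   # hypothetical helper name
    $shadows  = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    $storages = @(Get-CimInstance -ClassName Win32_ShadowStorage)

    # DriveType 3 = local fixed disk
    foreach ($vol in Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3') {
        # VolumeName on a shadow copy is the \\?\Volume{GUID}\ path of its source volume
        $copies = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } |
                    Sort-Object InstallDate)
        # Volume on a shadow storage association references the protected volume
        $store = $storages | Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID } |
                 Select-Object -First 1

        $finding = if (-not $store) {
            'No shadow storage configured for this volume'
        } elseif ($copies.Count -eq 0) {
            'Storage configured but no shadow copies: nothing for Previous Versions to restore'
        } elseif ($store.MaxSpace -ne [uint64]::MaxValue -and
                  $store.UsedSpace -ge 0.9 * $store.MaxSpace) {
            'Shadow storage nearly full: oldest copies will be discarded first'
        } else {
            'Shadow copies present'
        }

        [pscustomobject]@{
            Drive        = $vol.DriveLetter
            VolumeId     = $vol.DeviceID
            ShadowCopies = $copies.Count
            Oldest       = if ($copies.Count) { $copies[0].InstallDate }
            Newest       = if ($copies.Count) { $copies[-1].InstallDate }
            UsedGB       = if ($store) { [math]::Round($store.UsedSpace / 1GB, 2) }
            # MaxSpace of [uint64]::MaxValue means "unbounded", so MaxGB is left empty
            MaxGB        = if ($store -and $store.MaxSpace -ne [uint64]::MaxValue) {
                               [math]::Round($store.MaxSpace / 1GB, 2) }
            Finding      = $finding
        }
    }
}

Get-ShadowCopyAudit | Format-List
```

A volume that reports zero shadow copies, or whose newest copy is weeks old, has nothing recent for Previous Versions to offer, so the result is worth checking alongside a real backup rather than instead of one.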
 