
My father's computer is now infected with CryptoWall 3, according to the link below.

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#CryptoWall

Is there a way to decrypt the files? I will try to recover them, but according to the link, the virus safe-deletes the copies of the infected files.

What is the best way to prevent this kind of virus from infecting our computers? Is there any way to prevent the execution of unknown files? I was thinking about only allowing execute permission on known files.

Akira Yamamoto
  • Can you tell me how you used ShadowExplorer to get your files after you deleted them? I didn't have any restore dates... did you? And what on your C: drive did you select to export? Thanks –  Feb 22 '15 at 02:10
  • I also didn't have any dates. I am not sure why because my father's account is not administrator. – Akira Yamamoto Feb 23 '15 at 14:11
  • I'm currently handling this for a customer who obviously didn't care about backing up their stuff on external, cold storage. I have to tell them the bad news that their files won't be recoverable. It ran for almost a day, and CryptoWall 3.0 has the ability to disable and delete VSS copies at the end of the process. I'm currently rebuilding their PCs from scratch (and putting a good backup procedure in place), but after looking into the issue, the infection came from a .js email attachment. I'll be disabling Windows Script Host on their systems, as they normally never use it. – m-p-3 Apr 29 '15 at 13:46
  • Thanks. I will also disable this service on his computer. – Akira Yamamoto Apr 29 '15 at 14:23
  • *What is the best way to prevent these kind of virus to infect our computers?* should primarily be done by educating users, not by technical measures. Your father clicked on something he never should have done - that can be learned. –  Jun 07 '16 at 12:03

4 Answers


First: there's no known way to decrypt files attacked by CryptoWall. Unless you pay to get the key, they are lost forever. If you don't have offline backups, your files are lost.

One way to prevent the execution of those kinds of viruses is to use whitelisting on Windows. This can be frustrating if your father does not know how to add applications to the whitelist, and it will take a lot of time to do right, but it will deny execution of any application that is not known.

ThoriumBR
  • Thanks for answering. Do you know if there is a way to disallow by default the execution of new files like we can do on Linux? If I remove the execute file permission on the Download folder, will it help? – Akira Yamamoto Feb 05 '15 at 13:09
  • 1
    Whitelisting will do. If the new file is not on the whitelist, it will not be executed. Disallow execution for a folder can be found on https://superuser.com/questions/408143/how-can-i-prevent-file-execution-in-a-specific-folder-in-windows-7 – ThoriumBR Feb 05 '15 at 13:48
  • And we hope that the virus isn't a purely in-memory virus, like the PowerWorm, which compiles itself in memory so there is never any file to speak of to blacklist or whitelist... E.g. http://www.exploit-monday.com/2014/04/powerworm-analysis.html I guess behavioural analysis is a good approach for a security tool to employ. – David d C e Freitas Apr 07 '16 at 15:06
  • @DaviddCeFreitas PowerWorm **does execute** code on disk: it downloads Tor and Polipo, and executes them to contact the C&C servers. So a whitelist will deny execution of the analyzed variant. – ThoriumBR Apr 07 '16 at 15:22
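A concrete way to set up the whitelisting ThoriumBR describes, as an added example that is not from this answer: it uses Microsoft's AppLocker cmdlets to build allow rules from the software already installed, applies them in audit-only mode first, and shows how to test a download and review what would have been blocked. It assumes a Windows edition that ships AppLocker, an elevated PowerShell, and the policy path and candidate file name shown, which are constructed values.

```powershell
# Added example, not code from the answer. Builds an AppLocker whitelist from
# installed software, applies it in audit-only mode and tests a download.
Import-Module AppLocker

$policyPath = 'C:\AppLocker\whitelist-audit.xml'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory known software. Signed files get publisher rules, unsigned ones
#    hash rules, so a freshly downloaded unsigned file matches nothing. The
#    Script collection covers .js/.vbs/.ps1/.bat, the attachment type the
#    comments on the question mention.
$known = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# 2. Turn the inventory into allow rules for Everyone and write them as XML.
$known | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# 3. Start in audit-only mode: nothing is blocked yet, but anything that would
#    be blocked is logged, so gaps in the whitelist surface before enforcement.
[xml]$policy = Get-Content -Path $policyPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Dry-run a downloaded file against the policy before the user runs it.
$candidate = Join-Path $env:USERPROFILE 'Downloads\invoice.exe'   # constructed name
if (Test-Path -Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 6. Review what audit mode would have blocked (8003 = EXE/DLL, 8006 = script);
#    once the list is clean, change 'AuditOnly' to 'Enabled' and re-apply.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
              'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8006
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Rules for Everyone also apply to administrator accounts, so run the audit phase on the account that will actually use the machine before switching to enforcement.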

*Is there a way to decrypt the files?*

SensorsTechForum suggests trying Kaspersky's RectorDecryptor.exe and RakhniDecryptor.exe.

However, I would not hold out much hope.

As CryptoWall is very similar to CryptoDefense, you may be able to decrypt using the method here. Unfortunately, this only really applies if you were infected before April 1st 2014.

You may also be able to get your files back from Windows Volume Shadow Copy.

*What is the best way to prevent this kind of virus from infecting our computers?*

Install antivirus software and keep it up to date. Microsoft Security Essentials is free, although others are available. This will not fully protect the system, but it is a good basic step to take.

You haven't said how this infection happened; however, you should set the computer to install updates automatically. Remind users of the computer not to run things that they are not expecting to be sent (even those that appear to come from trusted contacts), although this can be easier said than done.

The main protection from these types of attacks should come from backups. Tools such as Dropbox can sync your important files into the cloud, and if the worst should happen you would have 30 days to roll back to known good versions of files (even the free version allows this). So far there are no known attacks that attempt to clear out the version history of cloud-based backup services.

*Is there any way to prevent the execution of unknown files? I was thinking about only allowing execute permission on known files.*

Although Windows itself supports the notion of execute permissions, this is enabled by default on new executables. Microsoft's AppLocker can be utilised to enable whitelisting of applications. Whether this will make the computer too unusable for your average user is another question.

Another thing you could do is to use normal accounts rather than administrator accounts for using the computer. The malware tries to execute the following command:

vssadmin.exe Delete Shadows /All /Quiet

However, if the user account it is run under does not have administrative permissions, this will fail and the volume shadow copies may be restorable.

SilverlightFox
  • Thanks. I will try these decryptors. I have now installed Avast antivirus. It removed the virus. I tried removing it manually but I could not find it. I disabled automatic updates since I had at least two problems with it, causing Windows to not start anymore. I will consider installing updates manually now. I advised my father to avoid opening emails from unknown people. I bet he got this virus from an email he opened from Hotmail. I checked his browser history and I can only see YouTube, Facebook and Hotmail. – Akira Yamamoto Feb 05 '15 at 13:14
  • I read that the virus removes itself from the browser history. I don't know if this is true. – Akira Yamamoto Feb 05 '15 at 13:20
  • 1
    @AkiraYamamoto: Also advise him not to open _any_ attachments, even from people you know as it could have been spoofed by a virus. If it is something you weren't expecting then delete it. If not sure, contact the sender by phone to ask them. – SilverlightFox Feb 05 '15 at 14:33
  • I tried the Kaspersky decryptors but they didn't work. His user account is not an administrator, but I could not find any shadow copy. I think it is disabled. Now I have set up the CrashPlan backup app. I used Dropbox successfully to restore my files. Some of his files were on Google Drive; I will get them from there. Thanks – Akira Yamamoto Feb 11 '15 at 14:23
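The two conditions this answer relies on, checked from PowerShell 3 or later in an elevated shell, as an added example that is not SilverlightFox's code: whether the everyday account is a local administrator, whether any shadow copies exist to restore from, and whether the Security log has recorded the quoted vssadmin command. Event 4688 only carries the command line when "Include command line in process creation events" is enabled; the account name is a constructed value.

```powershell
# Added example, not code from the answer. Everything here is read-only.
$everydayAccount = 'father'   # constructed example value

function Test-IsLocalAdmin {
    param([string]$UserName)
    # 'net localgroup' exists on every Windows version; member names sit between
    # the dashed rule and the 'The command completed' footer.
    $members = net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
    return [bool]($members | Where-Object { $_.Trim() -ieq $UserName })
}

function Get-ShadowCopySummary {
    # Empty output means there is nothing for "Restore previous versions" or
    # ShadowExplorer to bring back, whatever the malware did or did not do.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object -Property ID, InstallDate, VolumeName
}

function Find-ShadowDeletionAttempts {
    # 4688 (process created) carrying this command line is a strong ransomware
    # indicator; ordinary home software has no reason to delete every shadow copy.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[1].Value   # SubjectUserName of the caller
                Command = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line' }) -replace '^\s*Process Command Line:\s*', ''
            }
        }
}

if (Test-IsLocalAdmin -UserName $everydayAccount) {
    "'$everydayAccount' is in Administrators: 'vssadmin.exe Delete Shadows /All /Quiet' would succeed."
} else {
    "'$everydayAccount' is a standard user: the vssadmin deletion would be refused."
}

$shadows = @(Get-ShadowCopySummary)
"Shadow copies available: $($shadows.Count)"
$shadows | Format-Table -AutoSize

$attempts = @(Find-ShadowDeletionAttempts)
"Logged 'vssadmin delete shadows' executions: $($attempts.Count)"
$attempts | Format-Table -AutoSize
```

A standard account only protects the shadow copies if System Protection is actually enabled on the volume, which the comment above found was not the case; the shadow-copy count makes that visible before an incident rather than after.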

I might have found a way to recover your files. My laptop was infected with Crypto 3.0 last week. I removed it with SpyHunter, but I thought I had lost all my files after reading all the stories on the net. I didn't have a recent backup, and all my attempts to recover the files as recommended ("restore old version" and ShadowExplorer) failed until now. I went to "Search programs and files" and searched for all the files from Crypto, "Help_decrypt". It will list all the "Help_decrypt" files, which I then deleted. You have to run it thoroughly, so you really remove all the files from your computer. Afterwards I was able to recover all my files (as far as I can see) with ShadowExplorer. Easily. I am not sure whether this was a coincidence or a solution, but it definitely helped me. Good luck.

Hope

You can wait until the syndicate finishes their reign of terror and releases the key. For example, all the keys for TeslaDecrypt are now available, so ALL versions can be decrypted now without having to pay. I just recovered some files for a friend who kept his encrypted files from when he was attacked, and can now decrypt them all.