It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Cryptowall 3.0 ransomware switches to anonymous I2P network
page: 5share:
a reply to: Quadlink
I take it you mean "cryptoprevent" from the link below
www.fooli.../vb6-projects/cryptoprevent
To be honest this "CryptoPrevent" looks dodgy as hell and like Arbitrageur pointed out could quite possibly come from the same type of nefarious individuals responsible for the CryptoLocker maleware in the firstplace.
Also if you read the info provided this only claims to protect up to variant "v2", i take it that means 2.0. The current iteration of the virus, and the one responsible for the infection of my machine is the 3.0 variant.
Cheers for the advice mate but i dont see this CryptoPrevent helping matters regarding file decryption, in fact i imagine it could quite possible make matters worse by way of additional infection.
Do you have personal experience of using said software/program?
I take it you mean "cryptoprevent" from the link below
www.fooli.../vb6-projects/cryptoprevent
To be honest this "CryptoPrevent" looks dodgy as hell and like Arbitrageur pointed out could quite possibly come from the same type of nefarious individuals responsible for the CryptoLocker maleware in the firstplace.
Also if you read the info provided this only claims to protect up to variant "v2", i take it that means 2.0. The current iteration of the virus, and the one responsible for the infection of my machine is the 3.0 variant.
Cheers for the advice mate but i dont see this CryptoPrevent helping matters regarding file decryption, in fact i imagine it could quite possible make matters worse by way of additional infection.
Do you have personal experience of using said software/program?
edit on 18-1-2015 by andy06shake because: (no reason given)
OP, if you still haven't done anything with the drive or files, try this - I did this on a couple of laptops that were infected with the last
iteration of this virus, and it recovered the non-corrupt versions (our network was corrected as well - we had to restore backups):
If running system restore (and most computers do - it's on by default), you can open system restore, click on "other dates", then minimize that - then browse to your my documents folder, pictures etc.. right-click and you will see a "restore a previous version" option. Restore a version prior to infection - that should restore unencrypted files.
I restored all data for 2 employees using this method. Good luck!
If running system restore (and most computers do - it's on by default), you can open system restore, click on "other dates", then minimize that - then browse to your my documents folder, pictures etc.. right-click and you will see a "restore a previous version" option. Restore a version prior to infection - that should restore unencrypted files.
I restored all data for 2 employees using this method. Good luck!
a reply to: fleabit
You sure it was cryptowall and not cryptodefense? Some people get those confused. You're the first person I've seen suggest that method would work with cryptowall, and I've been reading a lot of tech blogs like the one below.
Here's one of the better analyses of cryptowall, which says he was able to recover about 95% of his client's files, but not using the method you described. It looks like the success rate might depend on how much drive space is free which would influence how many of the deleted files would be overwritten and thus not recoverable, at least using the method described here:
CryptoWall Encrypted File Recovery and Analysis
You sure it was cryptowall and not cryptodefense? Some people get those confused. You're the first person I've seen suggest that method would work with cryptowall, and I've been reading a lot of tech blogs like the one below.
Here's one of the better analyses of cryptowall, which says he was able to recover about 95% of his client's files, but not using the method you described. It looks like the success rate might depend on how much drive space is free which would influence how many of the deleted files would be overwritten and thus not recoverable, at least using the method described here:
CryptoWall Encrypted File Recovery and Analysis
As a disclaimer with all file recovery some files may not be recoverable if the slack space was overwritten. In each separate case, file recovery will depend on how many files were encrypted, and how much free space the drive had before it had to start overwriting old slack space for new files...
In my client’s case I was able to recover approximately %95 of the files
a reply to: fleabit
Fleabit, seems the virus "Cryptowall 3.0" disables or deletes your Windows restore points and also deletes the shadowcopys of the associated encrypted files after it enters in to the second stage(ransom goes up). So a system restore really was not an option. The information and files that were encrypted on my other drives i have left alone(anything i could not replace that is). However as of yet i have been unable to retrieve or decrypt any of those files.
The maleware in question "cryptowall 3.0" is gone, its the results im attempting to deal with(file encryption).
Fleabit, seems the virus "Cryptowall 3.0" disables or deletes your Windows restore points and also deletes the shadowcopys of the associated encrypted files after it enters in to the second stage(ransom goes up). So a system restore really was not an option. The information and files that were encrypted on my other drives i have left alone(anything i could not replace that is). However as of yet i have been unable to retrieve or decrypt any of those files.
The maleware in question "cryptowall 3.0" is gone, its the results im attempting to deal with(file encryption).
edit on 19-1-2015 by
andy06shake because: (no reason given)
originally posted by: Arbitrageur
a reply to: fleabit
You sure it was cryptowall and not cryptodefense? Some people get those confused. You're the first person I've seen suggest that method would work with cryptowall, and I've been reading a lot of tech blogs like the one below.
Here's one of the better analyses of cryptowall, which says he was able to recover about 95% of his client's files, but not using the method you described. It looks like the success rate might depend on how much drive space is free which would influence how many of the deleted files would be overwritten and thus not recoverable, at least using the method described here:
CryptoWall Encrypted File Recovery and Analysis
As a disclaimer with all file recovery some files may not be recoverable if the slack space was overwritten. In each separate case, file recovery will depend on how many files were encrypted, and how much free space the drive had before it had to start overwriting old slack space for new files...
In my client’s case I was able to recover approximately %95 of the files
It was cryptowall 2 - it had not turned off the restore points. I don't believe it does. At least the variation we had did not. : )
Andy, sorry to hear the new version turned off your restore points - lots of the more recent common malware does the same thing (and bluescreens if you try to go into safemode). I really hate this virus on a network.. just takes one non protected client to screw up a lot of stuff in a hurry.
a reply to: andy06shakeThe United States Computer Emergency Reddiness Team US-CERT, an official website of the Department of
Homeland Security has provided this site to help protect your computer from such attacks as indicated in this thread. The URL reference is included
below.
US-CERT
US-CERT
a reply to: machineintelligence
Cheers for the info mate but im in the UK and to be honest i really dont wish to have anything to do with such a nefarious organisation as the Department of Homeland Security.
Cheers for the info mate but im in the UK and to be honest i really dont wish to have anything to do with such a nefarious organisation as the Department of Homeland Security.
a reply to: andy06shake
It's a bit dated, talking about how to secure the IE7 browser, etc.
But aside from being out of date, the advice for when it was written is surprisingly good, much like you'd get from a security site that has nothing to do with US gov't. For example, they recommend the use of noscript on Firefox, which is pretty good advice, but using it properly is a lot harder than just installing it.
They also mention 2 of the 3 methods I know of that cryptowall infections can occur, Java and opening e-mail attachments.
They don't mention flash vulnerabilities, though they do mention keeping your software updated which if you do that with flash and java, might help. However if you believe Adobe and Oracle that every single version of flash and java they have ever made is insecure except the current version, you'd have to be a fool to think the current version is secure. When the next version comes out they'll be saying that one too has more holes than Swiss cheese and you need to upgrade for security reasons. This is why I don't install those apps at all where security is a priority.
It's a bit dated, talking about how to secure the IE7 browser, etc.
But aside from being out of date, the advice for when it was written is surprisingly good, much like you'd get from a security site that has nothing to do with US gov't. For example, they recommend the use of noscript on Firefox, which is pretty good advice, but using it properly is a lot harder than just installing it.
They also mention 2 of the 3 methods I know of that cryptowall infections can occur, Java and opening e-mail attachments.
They don't mention flash vulnerabilities, though they do mention keeping your software updated which if you do that with flash and java, might help. However if you believe Adobe and Oracle that every single version of flash and java they have ever made is insecure except the current version, you'd have to be a fool to think the current version is secure. When the next version comes out they'll be saying that one too has more holes than Swiss cheese and you need to upgrade for security reasons. This is why I don't install those apps at all where security is a priority.
edit on 26-1-2015 by Arbitrageur because: clarification
a reply to: Arbitrageur
In my case my money would be on Java, or some other maleware variant. You know the score, go to some sites and you are presented with the old chestnut "Your version of Java is out of date please click here to update". Lo and behold two clicks later your infected with some nasty sucker. My bets one of my kids or my Mrs ether done the above on my rig or there own connected to my network.
In my case my money would be on Java, or some other maleware variant. You know the score, go to some sites and you are presented with the old chestnut "Your version of Java is out of date please click here to update". Lo and behold two clicks later your infected with some nasty sucker. My bets one of my kids or my Mrs ether done the above on my rig or there own connected to my network.
a reply to: andy06shake
Yes i am a 28 years microsoft cert engineer and use it on all my systems, if you look at what it does with group policy etc it can help alot in conjunction with a good AV like antivir, esp to folks who are not Tech proficient
Security is high on my priorities and i check everything before active application, i install and test on VM machines
before i roll it out on my systems
Yes i am a 28 years microsoft cert engineer and use it on all my systems, if you look at what it does with group policy etc it can help alot in conjunction with a good AV like antivir, esp to folks who are not Tech proficient
Security is high on my priorities and i check everything before active application, i install and test on VM machines
before i roll it out on my systems
a reply to: andy06shake
Next time, you know NOT to go online with an useraccount that has root/admin privileges and I say it did not skipped right by your firewall and your antivirus. Unless some service/tool running on your machine (with admin priv) was exploited and even then most of that useless software firewalls would spawn a popup for you at least. Is your UAC deactivated?
Next time, you know NOT to go online with an useraccount that has root/admin privileges and I say it did not skipped right by your firewall and your antivirus. Unless some service/tool running on your machine (with admin priv) was exploited and even then most of that useless software firewalls would spawn a popup for you at least. Is your UAC deactivated?
Why doesn't the FBI infect a random computer, pay the extortion fee, and follow the money trail? I mean, you know they have the capability of tracking
a dollar anywhere. Alphabet agencies should find where these people are, and let the CIA drop a predator missile on their locale...
On second thought, this Crypto malware was probably developed by a government as a 'tax' on the non tech folks in the world.
On second thought, this Crypto malware was probably developed by a government as a 'tax' on the non tech folks in the world.
edit on
3/12/2015 by EternalSolace because: (no reason given)
Hello! I sympathize with you!
I was faced with such a problem because of the Cerber ransomware (encrypted photos that can not be corrected) . I was very angry! I treated a laptop as advised on this site:
nabzsoftware.com...
Now everything works well))
I was faced with such a problem because of the Cerber ransomware (encrypted photos that can not be corrected) . I was very angry! I treated a laptop as advised on this site:
nabzsoftware.com...
Now everything works well))
a reply to: KindFairy
I see a "free" version and a "Pro" download link, did you have to use the "Pro" version and if so how much did that cost you?
Someone posted a different software solution that you had to pay for and I couldn't tell if it was being sold by the same folks that were circulating the malware.
I see a "free" version and a "Pro" download link, did you have to use the "Pro" version and if so how much did that cost you?
Someone posted a different software solution that you had to pay for and I couldn't tell if it was being sold by the same folks that were circulating the malware.
I have a coworker whose computer got hit. One of her functions is sales....so it sucked pretty bad for us. She keeps a lot of paper files, and we
scan and email stuff all the time as a "backup". So she recovered almost everything, except her calender on her outlook.
ive never had a virus on any computer that I used exclusively.
ive never had a virus on any computer that I used exclusively.
a reply to: andy06shake
Terrible news there, I would definitely keep your drive on the shelf though. As someone else mentioned, you never know what decrypt tools will become available in the future. So the best wishes on that.
On another note, just in case some people are interested, I have to recommend that you NEVER use a windows machine for i2p or even tor if you plan on using i2p or .onion sites. tor is fine if you are just using clearweb sites though, no problem there. At the least you should be using Tails on a live usb, which saves the hassle of using a specifically made VM. The fact that Tails uses amnesia (information is saved to ram, which is wiped at the end of a session) should more or less assure there are no viruses crossing over to the other OS.
There are other linux distros that work well also, but making a live usb is highly recommended. If you absolutely need to, you can allow persistence and admin privileges, although you really shouldn't need admin priv if you are just browsing.
Terrible news there, I would definitely keep your drive on the shelf though. As someone else mentioned, you never know what decrypt tools will become available in the future. So the best wishes on that.
On another note, just in case some people are interested, I have to recommend that you NEVER use a windows machine for i2p or even tor if you plan on using i2p or .onion sites. tor is fine if you are just using clearweb sites though, no problem there. At the least you should be using Tails on a live usb, which saves the hassle of using a specifically made VM. The fact that Tails uses amnesia (information is saved to ram, which is wiped at the end of a session) should more or less assure there are no viruses crossing over to the other OS.
There are other linux distros that work well also, but making a live usb is highly recommended. If you absolutely need to, you can allow persistence and admin privileges, although you really shouldn't need admin priv if you are just browsing.
originally posted by: TKDRL
Try r studio recovery. It saved my ass before, it was able to recover almost every file lost on a 500 gig external that crapped out on me, after I had reformatted it so it could be read at all. Don't ask me how it could do that, but it did. Scanning and recovery took forever though, a few days. Was worth getting back all my art though.
That is one of the little secrets in IT... Formatting the drive can allow a recovery sooner because you are not A.) Using a destroyed File Allocation Table. B.) Formatting does not necessarily 'delete' anything... It may remove first character recognition from file names in allocation tables (like FAT/NTFS), replacing it with machine language coded to overlook and overwrite.
And r studio is a good tool.
I'll throw in a tip I employ from time to time.
If you find yourself with a dead drive, and the data must be recovered... Don't send it to an expensive data recovery place... Sometimes drives do not fail on the 'media' stored level, but, on the circuit board level. Find another drive of the same drive type and version number (very important) and swap the circuit logic board. It can get a drive back from the dead and save a boat-load of money from data recovery fees.
new topics
-
I hate dreaming
Rant: 38 minutes ago -
Is the origin for the Eye of Horus the pineal gland?
Philosophy and Metaphysics: 2 hours ago -
Man sets himself on fire outside Donald Trump trial
Mainstream News: 2 hours ago -
Biden says little kids flip him the bird all the time.
2024 Elections: 2 hours ago -
The Democrats Take Control the House - Look what happened while you were sleeping
US Political Madness: 3 hours ago -
Sheetz facing racial discrimination lawsuit for considering criminal history in hiring
Social Issues and Civil Unrest: 3 hours ago -
In an Historic First, In N Out Burger Permanently Closes a Location
Mainstream News: 5 hours ago -
MH370 Again....
Disaster Conspiracies: 5 hours ago -
Are you ready for the return of Jesus Christ? Have you been cleansed by His blood?
Religion, Faith, And Theology: 8 hours ago -
Chronological time line of open source information
History: 9 hours ago
top topics
-
In an Historic First, In N Out Burger Permanently Closes a Location
Mainstream News: 5 hours ago, 14 flags -
The Democrats Take Control the House - Look what happened while you were sleeping
US Political Madness: 3 hours ago, 10 flags -
Thousands Of Young Ukrainian Men Trying To Flee The Country To Avoid Conscription And The War
Other Current Events: 15 hours ago, 8 flags -
A man of the people
Medical Issues & Conspiracies: 10 hours ago, 8 flags -
Man sets himself on fire outside Donald Trump trial
Mainstream News: 2 hours ago, 7 flags -
Biden says little kids flip him the bird all the time.
2024 Elections: 2 hours ago, 6 flags -
4 plans of US elites to defeat Russia
New World Order: 12 hours ago, 4 flags -
Is the origin for the Eye of Horus the pineal gland?
Philosophy and Metaphysics: 2 hours ago, 4 flags -
Are you ready for the return of Jesus Christ? Have you been cleansed by His blood?
Religion, Faith, And Theology: 8 hours ago, 3 flags -
Sheetz facing racial discrimination lawsuit for considering criminal history in hiring
Social Issues and Civil Unrest: 3 hours ago, 3 flags
active topics
-
Post A Funny (T&C Friendly) Pic Part IV: The LOL awakens!
General Chit Chat • 7127 • : underpass61 -
12 jurors selected in Trump criminal trial
US Political Madness • 95 • : ImagoDei -
The Democrats Take Control the House - Look what happened while you were sleeping
US Political Madness • 24 • : Disgusted123 -
Man sets himself on fire outside Donald Trump trial
Mainstream News • 26 • : OnlyYouKnow2 -
Putin Compares Himself to Jesus Promoting Traditional Values Against the Satanic West
Mainstream News • 74 • : DumbNut -
Biden says little kids flip him the bird all the time.
2024 Elections • 11 • : Disgusted123 -
I hate dreaming
Rant • 2 • : FlyersFan -
America's Infant Mortality Rate Increases for the First Time in 20 Years
Medical Issues & Conspiracies • 22 • : BasicResearchMethods -
Thousands Of Young Ukrainian Men Trying To Flee The Country To Avoid Conscription And The War
Other Current Events • 28 • : Xtrozero -
Is the origin for the Eye of Horus the pineal gland?
Philosophy and Metaphysics • 4 • : JoelSnape