Cryptowall 3.0 infection, paying the ransom


Recommended Posts

I have a computer infected with Cryptowall 3.0. I have stopped the infection and now have two disk drives. On one drive I was able to recover a few files with the shadow copy service. However, the infection started on 7/3/15 and I didn't see the problem till 7/6/15. There is no shadow copy for 7/3/15 left now. The other disk drive appears to have had no shadow copies; however, it had little to no disk activity because it was a backup disk.

I have no other backups.


The question is: does anyone know anyone who paid the ransom? Did they actually get the key and the recovery program?

From the tutorial:

Yes, paying the ransom will allow you to download a decrypter that will decrypt your files. Once you pay the ransom and it is verified, a link will be made available where you can download the decrypter and your personal decryption key. You can then use the program to start decrypting your files. Please note that the decryption process can take quite a bit of time.

MrC


Yeah, but I've read other pages that say don't pay, you will get nothing. It has been about 50:50, so I was sort of trying to find someone that had "personal experience". I did find one Cisco post by an expert who said he has done it 3 times and all 3 times got the program. However, I was sort of looking for some other real-world experience.

I've read where it has worked but I can't find the topic now.

If it didn't work, that would defeat their purpose of "how they make money"...right??

If word got around that the process didn't work...then no one would pay.

It's up to you.

There's a support topic here...about 85 pages long:

http://www.bleepingcomputer.com/forums/t/532879/cryptowall-new-variant-of-cryptodefense/

MrC


Sorry to intrude Mr. C....

Just to add to what Mr. C is providing...

Not saying it will work but you can also try this site.... https://noransom.kaspersky.com/

I've had diarrhea all day from this from the stress, and I've handled complex disk crashes before and I would characterize this as Much, Much worse... so there is nothing you could do that would be intrusive right now, as I'm soaking up any information that I can. However, the long and short of it from my understanding is I don't have much I can do but pay the ransom if it's a "real" solution. I will try your link though.


Ok, that is for "CoinVault". I got infected with CryptoWall 3.0.

I already visited the website and verified they have the real private encryption key on their end, with a real file that they decrypted. I really have no idea WTF Microsoft allows you to "encrypt" files in the first place (EFS). This is not really functionality that the average Joe has any need of whatsoever, and is an invitation for the problem, for a feature I know that I NEVER NEEDED!

What happened to your files?

All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.

More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean?

This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,

it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen?

Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

All your files were encrypted with the public key, which has been transferred to your computer via the Internet.

Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.


Yes, I still have those pages. I'll ask there. I'm just not clear as to how it creates the "public key". Does it store this public key in the registry? If so, it is likely gone. Then I read something else that seemed to suggest that the public key is made up based on the computer name, disk volume name and some other characters that it sticks together. So that would mean you would have to run the decrypter on this same machine. I was going to create a new machine just to handle ONLY the decrypted files, then move those files to a CD-ROM which I would forever keep in a safe deposit box with a copy, and then do a complete repair install on top of the existing machine, deleting everything but the programs and the Windows folder.
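The ransom note above describes a server-generated RSA-2048 key pair whose public half is sent to the victim, and the follow-up post asks whether finding that public key in the registry would help. The toy below (added here, not code from the thread, using constructed small primes instead of 2048-bit ones) shows why it would not: the public key is enough to encrypt a per-file key but decrypting needs the private exponent, and deriving that from the public key means factoring n, which trial division only manages at toy size.

```python
"""Toy RSA showing the key split a CryptoWall-style ransom note describes."""
from math import gcd

# Constructed toy primes for illustration only; real keys use ~1024-bit primes.
P, Q = 1000003, 1000033


def generate_keypair(p=P, q=Q, e=65537):
    """'Attacker server' side: build (n, e) public and (n, d) private halves."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)           # private exponent never leaves the server
    return (n, e), (n, d)


def encrypt_file_key(file_key, public_key):
    """'Victim machine' side: only the public half (n, e) is ever present here."""
    n, e = public_key
    assert 0 < file_key < n
    return pow(file_key, e, n)


def decrypt_file_key(ciphertext, private_key):
    """Needs d, i.e. the half that the note says sits on the 'secret server'."""
    n, d = private_key
    return pow(ciphertext, d, n)


def recover_private_from_public(public_key, limit):
    """The only route from a registry-stored public key back to d: factor n.

    Odd trial division up to `limit`; works for the toy modulus, hopeless
    for a 2048-bit one. Returns the private key or None if no factor found.
    """
    n, e = public_key
    f = 3
    while f * f <= n and f < limit:
        if n % f == 0:
            p, q = f, n // f
            return (n, pow(e, -1, (p - 1) * (q - 1)))
        f += 2
    return None


if __name__ == "__main__":
    pub, priv = generate_keypair()
    c = encrypt_file_key(0xC0FFEE, pub)   # constructed per-file key
    print("decrypted with private key:", hex(decrypt_file_key(c, priv)))
    print("derived from public key only (small limit):",
          recover_private_from_public(pub, limit=10_000))
```

The private key recovered by factoring matches the one generated server-side, which is exactly the step that 2048-bit moduli make infeasible; the public key alone, wherever it is stored on the infected machine, never reverses the encryption.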

2 weeks later...

Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
