
Can I recover these files from CryptoWall 4.0?


Recommended Posts

One of my old computers (running WinXP Pro!) was infected with CryptoWall 4.0.

I now have a newer computer on which I'm running Win10 Pro.  So I don't care about the old computer, except that I want to try to recover my lost data.

So I removed CryptoWall from the old computer with Malwarebytes.  Just to be sure I was being as thorough as possible, I then ran a scan with Hitman Pro, but it didn't find anything but cookies.

I have been told that I may be able to recover at least some of my deleted plaintext (unencrypted) data files with ShadowExplorer.

ShadowExplorer attempts to recover data from VSS.  But a restore point had not been set on that machine since before the most valuable data on it was generated, so I don't see how ShadowExplorer is gonna be any help.  But by all means, correct me if I'm wrong on that.

As I understand it, Cryptowall secure-deletes plaintext files from "regular" storage (as opposed to VSS), and that it may or may not also secure-delete (plaintext) files in VSS. Is that an accurate statement?

Is there any possibility that Cryptowall may simply delete plaintext files in regular storage in the conventional way, rather than secure-delete them? Because if so, these files could then be undeleted with a "regular" file recovery program (as opposed to ShadowExplorer).

(Incidentally, no files on this computer have been overwritten, since I stopped using it immediately upon it getting infected. Except, of course, to run Malwarebytes and Hitman Pro.)

I'm pretty sure I'm out of luck on this, but I have to ask.

And aside from all of the above, is there any other help?  Like, have the police recovered any decryption keys for CryptoWall 4.0?


Hi.

Have you looked at your Documents folder?   What do the file name *extensions* look like?

Please *look closely at the file names and also the file extensions of any documents that have been corrupted.*
BUT first you need to ensure that Windows is set so that it does display EXTENSIONS of filenames, and that it shows hidden files or folders.
Do not let the Windows prompts spook you off.  It is all good.
At this point, set your Windows Explorer (Windows File Manager) to show all files, by doing as described for your version of Windows at this page
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/


The corrupted / encrypted documents & files can't be cured or resurrected.   (except from offline backups)

I always regret to see anyone be a victim to these types of malicious destructive infections.  The news is never good.
This infection is not a normal type of infection. It is very vicious and has done all the damage already before it even gives you the first clue.
By the time you see the first warning, it is all done & has damaged your personal documents.
If your computer is on a network, physically disconnect it from the network.
There is nothing we can do to restore the files you did not backup.

Have you lost access to any other documents? Unfortunately, there's little that can be done to restore those in most cases, but sometimes you can use the "Previous Versions" tab on a file's properties to regain access to the encrypted file. Using a tool called Shadow Explorer can also help, but in many cases, neither of these will work.

Malwarebytes detects  variants of this infection. However, no security application can detect and remove all threats, it's a statistical impossibility. And our software cannot repair the damaged documents.

This infection relies mostly on user execution via opening an attachment from an unknown email source.

For most variants, there's no known tool to fix any corrupted documents at this time.  You can & should copy all the affected documents to an external storage drive for the future, in the hope that perhaps some day a way to decrypt the files will be available.
We have no decryptors.


If this computer is connected to a home network, disconnect it from that.  Be aware this ransomware will have disabled the Windows System Restore service and also the Volume Shadow Copy service, as well.
The safest thing in the long term is one of these actions:
A system image restore from a clean recent system image backup.
Otherwise, a wipe / erase and rebuild of Windows and reinstalling all programs.
Backup is your best friend.
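The reply above tells the victim to inspect file names and extensions once Windows shows them. A practitioner would want a quicker check than eyeballing a folder: ransomware output keeps (or replaces) the extension but the first bytes no longer match the format, and encrypted data has near-maximal entropy. The script below is an added example, not code from the thread; the magic-number table, the 7.0 bits-per-byte threshold and the 4 KiB sample size are assumptions chosen for illustration, and a scrambled file name simply comes back as "unknown".

```python
"""Triage a folder: which documents are still intact and which have been
overwritten with ciphertext.  Added example; not from the forum thread."""
import math
import os
from collections import Counter

# Assumed table of leading bytes for a few document types (not exhaustive).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",          # OOXML documents are zip containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".doc": b"\xd0\xcf\x11\xe0",     # legacy OLE2 compound file
    ".xls": b"\xd0\xcf\x11\xe0",
}
HEAD_LEN = 4096          # assumed sample size for the entropy estimate
ENTROPY_CUTOFF = 7.0     # assumed: bits/byte above this looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> str:
    """Classify one file from its name and its first bytes.

    'intact'    known extension and the magic bytes match
    'encrypted' known extension, magic missing, high-entropy header
    'damaged'   known extension, magic missing, low-entropy header
    'unknown'   extension not in MAGIC (including scrambled file names)
    """
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return "unknown"
    if head.startswith(expected):
        return "intact"
    if shannon_entropy(head[:HEAD_LEN]) > ENTROPY_CUTOFF:
        return "encrypted"
    return "damaged"


def scan_dir(root: str) -> dict:
    """Walk a tree and group paths by classification."""
    result = {"intact": [], "encrypted": [], "damaged": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    head = f.read(HEAD_LEN)
            except OSError:
                continue            # unreadable file: skip, do not guess
            result[classify(fn, head)].append(path)
    return result


if __name__ == "__main__":
    import sys
    summary = scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, paths in summary.items():
        print(f"{kind:10s} {len(paths)}")
        for p in paths[:5]:
            print("   ", p)
```

Run it against a copy of the affected Documents folder (never against the only copy). A folder where almost everything comes back "encrypted" confirms the damage is complete; a few "intact" hits are files the malware skipped and are worth saving immediately. Note that compressed formats such as .docx and .zip are themselves high-entropy, which is why the magic-byte check runs before the entropy check rather than instead of it.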


Let me back up a bit to make sure that I am making myself understood properly.

When a file is encrypted, what actually happens is this:

A COPY of the file is made that is encrypted.  But at least at that moment, the original, unencrypted file still exists.

The original, unencrypted file is called the "plaintext" file.  The new, encrypted copy of the file is called the "ciphertext" file.

Ransomware, such as Cryptowall, then deletes the original plaintext file.

I understand that the ciphertext files can't be decrypted without the appropriate decryption key.

But my LAST question pertained to that: Does anyone at this forum know if any Cryptowall decryption keys have been recovered by the police upon the arrest of the culprits, as has already occurred for attacks by OTHER types of ransomware?

But assuming that no such decryption keys have been recovered by the police, is it possible to undelete the original plaintext file (not the new ciphertext file)?  That depends on how the plaintext file was deleted.

If it was merely deleted in the conventional way, the way that is built into Windows, then only the first byte of the file header is erased, leaving the rest of the file intact.  So conventional data recovery programs can be used to replace the first byte of the file header, thereby undeleting the file.

But if the file was "secure-deleted", then the entire file was overwritten with zeroes many times, so that no magnetic trace whatsoever of the file remains on disk.  Such a file has simply ceased to exist, so it would be impossible to undelete it.

What I was asking was: Is it possible that Cryptowall merely deleted my plaintext files by using the conventional means built into Windows, OR, in the opinion of those familiar with Cryptowall, were the plaintext files definitely secure-deleted?

BUT, if the plaintext files in regular storage have been secure-deleted, then I don't think I can recover my data, because I would have no additional copies of the plaintext files in Virtual Shadow Storage, because a restore point had not been created after the data in question came into existence.

Comments?


The methods used by the makers of crypto ransomware continue to change & evolve at a fast pace. Some of the latest physically change the filenames.
See http://www.bleepingcomputer.com/news/security/cryptxxx-ransomware-is-now-scrambling-the-filenames-of-encrypted-files/

Read all about Cryptowall 4
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#cryptowall4

Regarding Windows XP: I am sure you are aware, Microsoft has ceased making any new security patches for that operating system.  You ought to consider migrating to a more secure OS.
See the Microsoft Technet blog
http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx
 
IF you must stay on Windows XP, then be sure to read and apply the suggestions by Susan Bradley
Securing XP PCs after Microsoft has dropped support
http://windowssecrets.com/top-story/securing-xp-pcs-after-microsoft-drops-support/

See also Ed Bott's comments
http://www.zdnet.com/please-let-windows-xp-die-with-dignity-7000020923/

Five good reasons to leave Windows XP behind
https://isc.sans.edu/diary/SIR+v15%3A+Five+good+reasons+to+leave+Windows+XP+behind/16922
 


As I had said, this infection occurred on one of my OLD computers, which I haven't used since except to run Malwarebytes and Hitman Pro on it to remove the infection and to verify it was removed, and I am now using Windows 10 Pro on my new computer, and I'm done with the old computer, except that I want to try to recover my lost data.


3 weeks later...

If your files have become encrypted and you are not going to pay the ransom then there are a few methods you can try to restore your files.

Method 1: Backups

The first and best method is to restore your data from a recent backup. If you have been performing backups, then you should use your backups to restore your data.

Method 2: File Recovery Software

When CryptoWall encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you can use file recovery software such as R-Studio or PhotoRec to possibly recover some of your original files. It is important to note that the more you use your computer after the files are encrypted, the more difficult it will be for file recovery programs to recover the deleted unencrypted files.

Method 3: Shadow Volume Copies

As a last resort, you can try to restore your files via Shadow Volume Copies. Unfortunately, this infection will attempt to delete any Shadow Volume Copies on your computer, but sometimes it fails to do so and you can use them to restore your files. For more information on how to restore your files via Shadow Volume Copies, please see the link below:

How to restore files encrypted by CryptoWall using Shadow Volume Copies

Method 4: Restore DropBox Folders

If you had your Dropbox account mapped as a drive letter then it is possible that its contents were encrypted by CryptoWall. If this is the case you can use the link below to learn how to restore your files.
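Method 2 above, and the earlier question of whether a "conventionally" deleted plaintext file is still on disk, both come down to one fact: an ordinary delete only marks the file's directory entry as free (FAT-style, the first byte of the entry is set to 0xE5) and leaves the data clusters untouched until something reuses them, so a signature carver that ignores the filesystem can still find the file; a shredder that overwrites the clusters before freeing the entry, or any later write that lands in the freed space, defeats the carver. The script below is an added example, not code from the thread or from PhotoRec/R-Studio: it builds a constructed toy disk image with a made-up 32-byte directory-entry layout (an assumption for illustration, not a real filesystem), puts two constructed sample documents on it, removes one conventionally and one by overwriting, carves the image by header/footer signature, and then shows what happens once the freed space is reused.

```python
"""Why a deleted plaintext file may still be carvable, and when it is not.
Added example with a constructed toy filesystem; not from the forum thread."""
import re
import struct

# Constructed header/footer pairs.  Real carvers know hundreds of formats.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Toy on-disk layout (assumed, not a real filesystem): 16 directory entries of
# 32 bytes each, then the data area.  Entry = flag, 11-byte name, offset, length.
DIR_SIZE = 512
ENTRY = struct.Struct("<B11sII")
FREE = 0xE5          # FAT-style "this entry was deleted" marker


def _name11(name: str) -> bytes:
    b = name.encode()
    if len(b) > 11:
        raise ValueError("name too long for the toy directory")
    return b.ljust(11, b"\0")


def _entries(img):
    for i in range(DIR_SIZE // 32):
        yield (i,) + ENTRY.unpack_from(img, i * 32)


def _set(img, i, flag, name, off, ln):
    img[i * 32:i * 32 + ENTRY.size] = ENTRY.pack(flag, name, off, ln)


def write_file(img: bytearray, name: str, data: bytes) -> None:
    """First-fit allocation: a freed region big enough is reused (this is what
    destroys deleted plaintext as the machine keeps being used); else append."""
    for i, flag, _, off, ln in _entries(img):
        if flag == FREE and len(data) <= ln:
            img[off:off + len(data)] = data
            _set(img, i, 0, _name11(name), off, len(data))
            return
    for i, flag, _, off, ln in _entries(img):
        if ln == 0:
            _set(img, i, 0, _name11(name), len(img), len(data))
            img += data
            return
    raise RuntimeError("directory full")


def list_files(img) -> list:
    """What a normal directory listing shows: live entries only."""
    return [(n.rstrip(b"\0").decode(), off, ln)
            for _, flag, n, off, ln in _entries(img) if ln and flag != FREE]


def _lookup(img, name: str):
    for i, flag, n, off, ln in _entries(img):
        if flag != FREE and n == _name11(name):
            return i, off, ln
    raise FileNotFoundError(name)


def conventional_delete(img: bytearray, name: str) -> None:
    """Mark the entry free; the file's bytes stay on disk untouched."""
    i, _, _ = _lookup(img, name)
    img[i * 32] = FREE


def secure_delete(img: bytearray, name: str, passes: int = 3) -> None:
    """Overwrite the contents before freeing the entry, as a shredder does."""
    i, off, ln = _lookup(img, name)
    for _ in range(passes):
        img[off:off + ln] = b"\0" * ln      # real shredders vary the pattern
    img[i * 32] = FREE


def carve(image: bytes, max_len: int = 50 * 1024 * 1024) -> list:
    """Scan the whole image for header..footer runs, ignoring the directory.
    Returns [(offset, kind, data)].  A hit whose footer was overwritten is
    dropped, which is how a truncated carve fails in practice."""
    hits = []
    for kind, (hdr, ftr) in SIGNATURES.items():
        for m in re.finditer(re.escape(hdr), image):
            end = image.find(ftr, m.end(), m.start() + max_len)
            if end != -1:
                hits.append((m.start(), kind, image[m.start():end + len(ftr)]))
    return sorted(hits)


# Constructed sample documents: minimal header/footer, not real files.
PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\0" * 40 + b"\xff\xd9"


def demo() -> dict:
    """Three fates for plaintext after the original is removed."""
    img = bytearray(DIR_SIZE)
    write_file(img, "report.pdf", PDF)
    write_file(img, "photo.jpg", JPG)
    conventional_delete(img, "report.pdf")   # metadata only
    secure_delete(img, "photo.jpg")          # contents wiped first
    listing = list_files(img)                # the OS shows neither file
    carved = carve(bytes(img))               # carver still sees the PDF
    write_file(img, "notes.txt", b"x" * 20)  # keep using the disk...
    return {
        "listing": listing,
        "carved_kinds": [k for _, k, _ in carved],
        "pdf_recovered": any(d == PDF for _, _, d in carved),
        "after_reuse": [k for _, k, _ in carve(bytes(img))],
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:14s} {val}")
```

Running `demo()` shows both files gone from the listing, the conventionally deleted PDF coming back intact from the carve, the wiped JPEG never appearing, and the PDF disappearing from the carve as soon as one small new file is written into the freed space. That last step is the concrete reason behind the advice not to keep using an infected machine: image the drive (or at least stop writing to it) before running PhotoRec or R-Studio, and run the carver against the image rather than the live disk. The same logic applies to the shadow-copy question: whether the plaintext survives depends entirely on whether its blocks were overwritten, not on whether the filename is still listed.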

