Author Topic: CryptoWall Virus  (Read 34386 times)

Offline Delete mine too

  • Death Knight
  • *********
  • Posts: 2652
  • http://meatspin.com
    • View Profile
    • http://meatspin.com
Re: CryptoWall Virus
« Reply #30 on: May 20, 2015, 07:10:15 PM »

Offline [TD]Medivh

  • Grunt
  • ***
  • Posts: 126
    • View Profile
Re: CryptoWall Virus
« Reply #31 on: May 21, 2015, 10:25:22 AM »
Hey Ciosed , i tried all ways to get back the encrypted files , seems like its impossible, i an " R-studio "in the miniwindows when booted with the program u told me to download.
Unluckly there are no deleted files that can be recovered , also checked for old windowes images from there , or backup's.

At the end of all this , he told me he is interested in only 2 folders , like 480 kb that he would like to get back , (infected ofc)
I dont know but i could send it to you through email if u want , mayube you can examine it and tell me if theres any possibility.
if you're ok with that give me ur email , i will .zip it and instantly send.

Offline [TD]Medivh

  • Grunt
  • ***
  • Posts: 126
    • View Profile
Re: CryptoWall Virus
« Reply #32 on: May 21, 2015, 10:26:16 AM »
He doesn't really care about any other folder or file in this infected computer , so i'd just format it after recovering the two interested folders.

Offline EviL~Ryu

  • (ง︡'-'︠)ง "Bitchin!" ®©℗™
  • Dragon
  • **********
  • Posts: 6059
  • "It's going to be Legen-(wait for it......)-DARY!"
    • View Profile
    • Clan EviL Official Page
Re: CryptoWall Virus
« Reply #33 on: May 21, 2015, 10:28:01 AM »

yeah i just gave him some tips and some tools to use.
i goggled around and read that basically his only options are :

- recovering the files using file recovery tools
(since what cryptowall does is, make a copy of the files with encryption then deleting the original files),
Spoiler
the factor here is wether cryptowall did a secure delete or a standard delete, i read that cryptowall 2.0 and below use standard delete, its unknown wether 3.0 does secure delete or standard, but even if its secure delete they are still recoverable but require more thorough method, it is more time consuming, and the filenames would be lost.. you would be recovering files based on extensions, but recoverable :P)
told me its a 1tb hard drive, he told me he downloaded 2 spyware apps onto hard drive which may have decreased his chance of recovering but has  900megs free so its chances of recovering are high in my opinion.


 - or recovering from system restore points


he told me system restore points were apparently deleted.
told him , that cryptowall may have only deleted the registry entries for the system restore points but the actual system restore points may  still be there. (may be those are still there on the system volume info folder)..
and if they are thats the the best and easier way to go on recover the files.(using shadow explorer)

but he didnt have access to the infected computer at the moment.


so, getting access to system volume info folder is about giving permisions, if u get stuck pm me when ur at the computer ill teamview and enable its readability, no prob.

And the plague begins [emoji15]


Sent from my Motorola DynaTAC 8000X using Tapatalk

-Administrator of Clan EviL
-Developer (Trivia Development and Analytics)

Offline SmurfKinG

  • Sappers
  • ******
  • Posts: 991
    • View Profile
Re: CryptoWall Virus
« Reply #34 on: May 21, 2015, 12:04:02 PM »
cuz that virus probably secure-deleted the files.
theres 2 types of file recovery...

the fast one

and the more thorough one.


whatever recovery software your using u need to look for the most advanced type, all apps have it differently

for instance, in recuva u have to go to actions and checkbox everything,
scan for nondeleted files (for recovery from damaged disks)
a deep scan etc..

or , try ontrack easy recovery, and do a recovery from formated media.
heres link for it http://katproxy.com/ontrack-easy-recovery-10-professional-hajrullah-t7899081.html

note that these scans take roughly 1-3 hours each or maybe more.


also, did check the system volume information folder? and see how many big files it has?
if it has more than 2 big files, its most likely the restore points werent deleted and were just deleted from showing in the application.

Offline SmurfKinG

  • Sappers
  • ******
  • Posts: 991
    • View Profile
Re: CryptoWall Virus
« Reply #35 on: May 21, 2015, 12:06:06 PM »
remember, not to look just in one folder. need a thorough search on all hard drive.
and the results wont show by location, or name, that information is lost.
all you will see in the scan results of a thorough check are files named like


?1908129083.dwg
1283190283.dwg
etc.. etc..

Offline USA~Archer

  • Grunt
  • ***
  • Posts: 158
  • Don't shoot the sheep!
    • View Profile
CryptoWall Virus
« Reply #36 on: May 26, 2015, 12:42:58 AM »
Yeah, my girlfriends laptop got crypto 2 last october, ive researched it extensively, youre pretty screwed as you probably know by now. This is a great warning to everyone to have a solid backup solution in place.

As has already been said, theres no "fix" its all encrypted and youre files are toast.

Interesting suggestion to try to do some forensic file recovery tho, i will look into that, its an interesting possibility, but the virus is so sophisticated, im sure the authors would not have left a work around like that.

One thing i would like to add to this thread tho, i am keeping all the encrypted files, stored on an extra hard drive, in the hope that someday law enforcement or another hacker group seizes the server that these hackers are operating from and releases the keys. The keys to open these files are out there, its just a matter of time before someone catches these guys and releases them (hopefully) and then you can unlock your files





Sent from my iPhone using Tapatalk
« Last Edit: May 26, 2015, 12:54:44 AM by USA~Archer »

Offline Teron-Gorefiend

  • Grunt
  • ***
  • Posts: 203
  • Greetings.
    • View Profile
Re: CryptoWall Virus
« Reply #37 on: May 26, 2015, 12:45:47 AM »
Now does that not make EQ stupid as I told MEdivh from second ONE that he either had to pay or forget his data...
This is the reason I ended it all.

The newb, the mad and the retired.

Offline tora is a simp bitch for billionaires

  • Death Knight
  • *********
  • Posts: 3722
    • View Profile
Re: CryptoWall Virus
« Reply #38 on: May 26, 2015, 10:32:17 AM »
why would he pay hundreds of dollars to get back a 500kb folder you retarded crippled faggot shut tbe fuck up. not to mention this shady character has no guarantees to give you anything back if he does get paid. stop tellng himhe has to pay retard, u must be the faggot that infected him.

Offline I hate naggers

  • Ogre Mage
  • ********
  • Posts: 2345
    • View Profile
Re: CryptoWall Virus
« Reply #39 on: May 26, 2015, 12:54:59 PM »
looks like medivh was pwned by viruz!

Offline EviL~Ryu

  • (ง︡'-'︠)ง "Bitchin!" ®©℗™
  • Dragon
  • **********
  • Posts: 6059
  • "It's going to be Legen-(wait for it......)-DARY!"
    • View Profile
    • Clan EviL Official Page
Re: CryptoWall Virus
« Reply #40 on: May 26, 2015, 09:24:44 PM »

looks like medivh was pwned by viruz!

Lmao


Sent from my Motorola DynaTAC 8000X using Tapatalk

-Administrator of Clan EviL
-Developer (Trivia Development and Analytics)