Cryptowall2.0 - Technology - Contractor Talk

#1 hdavis, 10-25-2014, 07:48 PM

So, I picked up a laptop that had some problems, "probably easy to fix." No big deal, the price was right, and it gives me something to tinker with inside.

I get it home, boot it up, and windows pop up everywhere saying all the personal files have been encrypted, and they can be decoded if you send $500 to some internet address.

The poor owner got it badly infected with ransomware. Antivirus boot disk found 12 trojans and a bunch of other stuff on a partial scan. Malware, adware, corrupted files,...

I'm thinking this one is going to get a Linux enema, getting all the associations straightened out isn't worth the time (although she'd probably be happy to get a copy of all her files).

People still don't know about antivirus software?
#2 SectorSecurity, 10-25-2014, 08:22 PM

Quote:
Originally Posted by hdavis View Post
So, I picked up a laptop that had some problems, "probably easy to fix." No big deal, the price was right, and it gives me something to tinker with inside.

I get it home, boot it up, and windows pop up everywhere saying all the personal files have been encrypted, and they can be decoded if you send $500 to some internet address.

The poor owner got it badly infected with ransomware. Antivirus boot disk found 12 trojans and a bunch of other stuff on a partial scan. Malware, adware, corrupted files,...

I'm thinking this one is going to get a Linux enema, getting all the associations straightened out isn't worth the time (although she'd probably be happy to get a copy of all her files).

People still don't know about antivirus software?
I hear this all the time: antivirus is king, "I have never been infected because I have antivirus."

Antivirus only works if it has a signature to catch the infection; no signature means malicious software is free to do as it wants. So when people say they have never been infected, what they really mean is they have never been infected with anything their antivirus knows about.

Sure, we have heuristic scanning and other mitigating methods, but most people can't even be bothered to update their antivirus.
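The point made above (a signature engine only catches what it already has a signature for, and heuristics are what is left when it does not) in working code, as an added example that is not part of the original thread. The "malware" sample, the signature database, the detection name Ransom.Constructed.A, the heuristic rules and their weights are all constructed for the illustration; the vssadmin string stands in for a capability a heuristic would key on (shadow-copy deletion is a common ransomware behaviour, not something the thread attributes to this particular sample):

```python
"""Signature scanning versus a behaviour heuristic, on a constructed sample.

A signature engine answers 'have I seen these exact bytes before?'. A heuristic
answers 'does this look like it does something malicious?'. The sample, the
signature database and the rules are all made up for the illustration.
"""
import hashlib
import re

# Constructed "dropper": a fake PE header followed by strings of the kind a
# ransomware binary carries (shadow-copy deletion, Run-key persistence, a beacon URL).
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"vssadmin delete shadows /all /quiet\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"https://example.invalid/gate.php\x00"
)

# The simplest signature is a hash of a whole sample the vendor has already seen.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Ransom.Constructed.A"}


def signature_scan(data: bytes):
    """Return the detection name for a byte-identical known sample, else None."""
    return SIGNATURE_DB.get(hashlib.sha256(data).hexdigest())


# Heuristic rules score capabilities rather than bytes; patterns and weights are assumptions.
HEURISTIC_RULES = (
    (rb"vssadmin\s+delete\s+shadows", 3, "deletes Volume Shadow Copies"),
    (rb"CurrentVersion\\Run", 1, "Run-key persistence"),
    (rb"https?://[^\x00\s]+\.php", 1, "beacon URL"),
)
HEURISTIC_THRESHOLD = 3


def heuristic_scan(data: bytes):
    """Return (flagged, score, reasons) from pattern-based capability checks."""
    score, reasons = 0, []
    for pattern, weight, reason in HEURISTIC_RULES:
        if re.search(pattern, data, re.IGNORECASE):
            score += weight
            reasons.append(reason)
    return score >= HEURISTIC_THRESHOLD, score, reasons


def repack(sample: bytes) -> bytes:
    """Attacker-side trivial mutation: change one padding byte.

    A real crypter re-encrypts the whole body, but a single byte is already
    enough to change the hash and defeat the signature above.
    """
    return sample[:10] + b"\x01" + sample[11:]


def scan(data: bytes) -> dict:
    """Run both engines and report, the way a multi-engine double check would."""
    flagged, score, reasons = heuristic_scan(data)
    return {"signature": signature_scan(data), "heuristic": flagged,
            "score": score, "reasons": reasons}


if __name__ == "__main__":
    for label, blob in (("known sample", KNOWN_SAMPLE),
                        ("repacked sample", repack(KNOWN_SAMPLE)),
                        ("plain text", b"Invoice for kitchen remodel\n" * 20)):
        print(label, scan(blob))
```

The known sample is caught by both engines; the same sample with one byte changed is missed by the hash signature and still flagged by the heuristic. Real engines also carry byte-sequence signatures, which survive this one-byte edit but not a full repack, and heuristics buy that coverage with false positives: a legitimate backup script that deletes shadow copies would score here too, which is why they need tuning and a signature update still matters.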
#3 hdavis, 10-25-2014, 09:10 PM

Quote:
Originally Posted by SectorSecurity View Post
So when people say they have never been infected what they really mean is they have never been infected with anything their antivirus knows about.

Sure we have heuristic scanning and other mitigating methods, but most people can't even be bothered to update their antivirus.
I was infected years ago with up-to-date antivirus, but it turns out the particular antivirus software wouldn't detect that particular virus.

Which leads me to use one suite for real time, and others for double / triple checking. I'll find stuff with one that the others didn't catch - nothing is 100%.

Supposedly CryptoWall typically spreads by clicking on an email attachment, although I suppose it could be an infected PDF somewhere on a shady website as well. Not something I'd do.
#4 Tinstaafl, 10-25-2014, 09:52 PM

Resident antivirus software is practically the same thing as a virus. Clogs up the system and interferes with all sorts of legitimate stuff. I run naked, and go literally years between infestations.

In a situation like yours, I'd just wipe the HD and start fresh.
#5 dan-the-man, 10-25-2014, 10:17 PM

I second that; why bother trying to get the stuff off there when a fresh start would be easier?
#6 hdavis, 10-25-2014, 11:35 PM

Quote:
Originally Posted by dan-the-man View Post
I second that; why bother trying to get the stuff off there when a fresh start would be easier?
No Win disks, so a stripped-down Win system would be OK, with dual-boot to Linux. In this case, cleaning it is easier than getting the associations fixed (I know, I've done it before. The automated programs don't seem to get everything, so a year later you can still be fixing associations manually when they crop up).

Besides, I've never seen the crypto virus before, so it was possibly an interesting diversion. I'd much rather get some practice when it doesn't really matter than get some when it really counts...
#7 dan-the-man, 10-26-2014, 07:15 AM

Quote:
Originally Posted by hdavis View Post
No Win disks, so a stripped-down Win system would be OK, with dual-boot to Linux. In this case, cleaning it is easier than getting the associations fixed (I know, I've done it before. The automated programs don't seem to get everything, so a year later you can still be fixing associations manually when they crop up).

Besides, I've never seen the crypto virus before, so it was possibly an interesting diversion. I'd much rather get some practice when it doesn't really matter than get some when it really counts...
Ah, I see. Yeah, I don't blame you; try working on that one and see what happens. Yeah, I have no clue about the crypto virus. I have only dealt with small stuff.
#8 hdavis, 10-26-2014, 08:24 AM

Quote:
Originally Posted by dan-the-man View Post
Ah, I see. Yeah, I don't blame you; try working on that one and see what happens. Yeah, I have no clue about the crypto virus. I have only dealt with small stuff.
I still may grab some files and see if this works:

https://www.decryptcryptolocker.com/

It'd be pretty cool if it does.
#9 gideond, 10-26-2014, 08:41 AM

I can't agree with running naked. I've seen several computers in my time that have been run without AV and the user thought safe habits were good enough. Just because they didn't know they were infected didn't mean they weren't. A couple were zombie servers without ever realizing it until the machine finally slowed to a crawl and they started troubleshooting.

I run a good lightweight AV, currently Avast on most home machines and NOD32 on company computers. They catch most of what the world throws at you. I run weekly scans with Malwarebytes and SuperAntiSpyware to catch the rest. Heavily infected machines I run into get Combofix, JRT, and AdwCleaner. If those don't take care of it then it isn't worth trying to save the install. Just start over. It helps to be behind a hardware firewall, which most routers have these days, and you can step up to better software firewalls such as Comodo for HIPS protections. Of course a lot of that stuff can be done on external hardware products like Sonicwalls, to keep the load off the local machines if you care to sacrifice some cash for performance.
#10 SmallTownGuy, 10-26-2014, 11:42 AM

Quote:
Originally Posted by hdavis View Post
No Win disks, so a stripped-down Win system would be OK, with dual-boot to Linux. In this case, cleaning it is easier than getting the associations fixed (I know, I've done it before. The automated programs don't seem to get everything, so a year later you can still be fixing associations manually when they crop up).

Besides, I've never seen the crypto virus before, so it was possibly an interesting diversion. I'd much rather get some practice when it doesn't really matter than get some when it really counts...
This:
http://www.bleepingcomputer.com/viru...re-information
#11 hdavis, 10-26-2014, 05:50 PM

All the methods for file / system recovery they have listed are non-starters on the new version. The suggestions to run antivirus software aren't too useful: 50+ hours to not finish scanning the Content.IE5 directory....
#12 SmallTownGuy, 10-26-2014, 05:56 PM

Quote:
Originally Posted by hdavis View Post
All the methods for file / system recovery they have listed are non-starters on the new version. The suggestions to run antivirus software aren't too useful: 50+ hours to not finish scanning the Content.IE5 directory....
It doesn't take reading very far to get to this point:
Quote:
Is it possible to decrypt files encrypted by CryptoWall?

Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key.
All roads end there...
#13 hdavis, 10-26-2014, 10:09 PM

Quote:
Originally Posted by SmallTownGuy View Post
It doesn't take reading very far to get to this point:
All roads end there...
Except you didn't read the link I posted to a website that does exactly that - find a key for decoding. If I get that far, I'll let you know what happens.

Meanwhile, although the antivirus boot disk is somewhat impractical, I can set the process permissions to deny everything for everybody for the bad actors. Only one process shows up - apparently an anti-antivirus process. Bombing the Content.IE5 directory is still a problem. We'll see.
#14 Leo G, 10-26-2014, 10:28 PM

What about Kaspersky Rescue Disk. Based on Linux and has a bootable AV you should be able to at least deactivate the virus. Then you'll only need to deal with the encryption key.
#15 hdavis, 10-27-2014, 12:02 AM

Quote:
Originally Posted by Leo G View Post
What about Kaspersky Rescue Disk. Based on Linux and has a bootable AV you should be able to at least deactivate the virus. Then you'll only need to deal with the encryption key.
I'm using AVG's Linux boot. The problem is the directory is stuffed with so many files it takes way too long to scan just the one directory. I suspect it's a feature of the virus, but maybe it was just a user who never cleared temporary internet files....

Interestingly, Trend Micro's HouseCall online scanner found the 4 active trojans and one rootkit in a few minutes...
#16 SectorSecurity, 10-27-2014, 03:18 PM

Quote:
Originally Posted by hdavis View Post
I'm using AVG's Linux boot. The problem is the directory is stuffed with so many files it takes way too long to scan just the one directory. I suspect it's a feature of the virus, but maybe it was just a user who never cleared temporary internet files....

Interestingly, Trend Micro's HouseCall online scanner found the 4 active trojans and one rootkit in a few minutes...
More likely it's a problem with the encryption: once the file is encrypted it's just random garbage, and it's likely the AV trying to figure out what it's scanning that is taking so long.
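The observation above, that an encrypted file is "just random garbage", also gives a responder a cheap triage step: measuring byte entropy finds the files that have been turned into ciphertext without knowing the ransomware's extension, marker or ransom note. This is an added example, not code from the thread or from any of the tools named in it; the sample directory tree, the file names and contents, the 7.9 bits/byte threshold and the 4 KiB minimum size are all constructed or assumed for the illustration:

```python
"""Entropy triage: list the files in a tree that look encrypted.

Ciphertext from any modern cipher is statistically indistinguishable from
random bytes, so a signature scanner has nothing to match on. The same
property lets a responder enumerate which files have become random-looking
data. The sample tree below is constructed for the illustration.
"""
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions: uniform random data scores close to 8.0 bits/byte and English
# text around 4 to 5. Compressed formats (jpeg, zip-based docx/xlsx, browser
# cache such as Content.IE5) also score high, so a hit is a candidate to check
# against the expected format, not a verdict.
ENTROPY_THRESHOLD = 7.9
MIN_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Files below MIN_SIZE give too few samples for the statistic to mean anything."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage(root: Path) -> list:
    """Walk root; return sorted (relative posix path, entropy) for files that look encrypted."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if looks_encrypted(data):
            hits.append((path.relative_to(root).as_posix(), round(shannon_entropy(data), 3)))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample: two readable documents and two overwritten with random bytes.

    Random bytes stand in for ciphertext. The .doc/.xls names are chosen because
    those legacy formats are not compressed, so 8 bits/byte in them is anomalous.
    """
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "invoice.txt").write_bytes(
        b"Invoice 2014-10: kitchen remodel, labour and materials\n" * 200)
    (root / "docs" / "estimate.doc").write_bytes(os.urandom(16384))
    (root / "notes.txt").write_bytes(b"Call the client about the tile order on Monday.\n" * 150)
    (root / "ledger.xls").write_bytes(os.urandom(65536))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for rel, bits in triage(sample_root):
            print(f"{bits:.3f} bits/byte  {rel}")
    finally:
        shutil.rmtree(sample_root)
```

On the constructed tree only the two random-byte files are listed. Over a real profile the list needs a second pass against the expected format (a .txt or .doc near 8.0 bits/byte is suspicious, a .jpg is not), and a directory with tens of thousands of cache files will make this walk slow for the same reason it slows a scanner, but it gets an inventory of what was lost without depending on a signature.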
#17 hdavis, 10-27-2014, 05:11 PM

Quote:
Originally Posted by SectorSecurity View Post
More likely it's a problem with the encryption: once the file is encrypted it's just random garbage, and it's likely the AV trying to figure out what it's scanning that is taking so long.
That's a good thought. There are other tricks that could have been implemented to foil the antivirus software as well. I'm going to look it over a little more to see if there's a surprise sitting there.

No matter what, it's getting wiped and getting Linux, I'm just playing with the rootkit / trojans, etc.