#1
Hi malwaretips... maybe we'll change the world together... because I was able to RECOVER a file which was encrypted by CRYPTOWALL 3.0..

How did I do that?

- I used a piece of software called Fairdell HexCmp2.

I selected two files (one is encrypted and the other was decrypted).

I copied the whole volume (the RSA CODE, or I don't know what to call it) from the encrypted one to the decrypted one,

and I saved it!! After that it worked!!!

I don't know, maybe this idea is useful.. I'll try other things with other files..

I'll contact you in this thread soon!! Please see the file attached!

It's 2:21 am, I'm going to sleep. See you tomorrow.

#2
I need some help from experts to write a piece of software.. or a tool, or something!!

The trick is easy: find a file that still works and didn't get infected... with the same file infected... and you can compare to find the key.

LabZero
#4
Maybe this is not the cure.
Without the key it is impossible to decrypt the files.

It is also necessary to verify whether your method works with other Cryptowall variants or other ransomware ;)

frogboy
#5
This sounds interesting, I'd be keen to see if it works with your other files. :)

kram7750
#9
I am doing all my best for my dead mother... I need her pictures... It's all that I used to have in this world..

This is my page of the virus, in case someone wants to pay the ransom for me. I just don't have the money, otherwise I'd pay him every penny just for my mommy.

http://7oqnsnzwwnm6zb7y.icepaytor.com/m97wtQ

If I knew how to break the RSA encryption to make a tool to decrypt Cryptowall encrypted documents, I would do it. But I sadly don't. Currently there is no known way to "crack" it.

The tools out there which try to decrypt the documents (by the looks of the thread on the MRA where you were being assisted to clean up the infection) have a database of known RSA keys which can be used to attempt to decrypt the documents. However, the chances of that working are small, as each different Ransomware sample may be different and hence produce a different RSA private key.

If you had been monitoring the network at the time of infection you may have been able to get the key to unlock the files, since they would have been sent to the server.

I suggest you keep hold of the Cryptowall encrypted documents and store them very safely. Maybe in the future it will one day be possible. For now, there is no known way to just crack RSA.

I never recommend paying the ransom, as all it does is encourage the malware writers to continue making malware knowing they may make more profit out of it. But you can never trust a malware developer. There is no guarantee they will actually let you decrypt your files after payment (even if they do have a "trial" like some samples do, to let you decrypt one file to test the decryption). For all you know you could end up paying the ransom and get nothing in return.

Cheers. ;)

#11
Contact Kaspersky, they could help. I use RSA 2048 to encrypt files; I thought that without the private key you don't stand a chance, and that's why these criminal gangs are making so much money.

kram7750
#12
I am doing all my best for my dead mother... I need her pictures... It's all that I used to have in this world..

This is my page of the virus, in case someone wants to pay the ransom for me. I just don't have the money, otherwise I'd pay him every penny just for my mommy.

http://7oqnsnzwwnm6zb7y.icepaytor.com/m97wtQ

I'm going to PM you something which may help you...

Dani Santos
#15
Thanks man, the Shadow Explorer works only with drive F:, which was not infected with the stupid virus.

Do you have an encrypted and a not-encrypted file from the infected machine? You can try saket's suggestion.

#16
I think what he needs is automation of the process.

Suppose there is a JPEG file that is encrypted by ransomware, and another JPEG from the same camera which is not encrypted.

Hex comparison software can then compare the extra bytes of data and remove them to get the original file.

Some ransomware variants just add 512 bytes of data at the header and footer.

Do you have an encrypted and a not-encrypted file from the infected machine? You can try saket's suggestion.

YES! I have! Yet I don't know what I should do, I am not a professional at using that software.
I'll PM you with the FILE.
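
The comparison described in the quoted post, as an added example that is not code from the thread: it checks whether a ransomware-touched JPEG still contains its original bytes behind added header/footer data (in which case carving them out recovers the photo) or whether the content itself is encrypted (in which case no byte-stripping can help). The JPEG samples and the 512-byte padding are constructed in memory; the `triage`, `carve_jpeg` and `make_fake_jpeg` names are mine.

```python
import random

# Added example (not from the thread): is a ransomware-touched JPEG merely wrapped or truly encrypted?
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"  # Start/End Of Image markers

def valid_segment_chain(data: bytes, pos: int, max_segments: int = 3) -> bool:
    """Walk a few marker segments (FF xx + 2-byte length) after an SOI; ciphertext
    may contain FF D8 by chance but almost never a consistent segment chain."""
    pos += len(JPEG_SOI)
    for _ in range(max_segments):
        if pos + 4 > len(data) or data[pos] != 0xFF or data[pos + 1] in (0xFF, 0xD8, 0xD9):
            return False
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False
        pos += 2 + length
    return True

def carve_jpeg(data: bytes):
    """Return (start, end) of a plausible JPEG body inside data, else None."""
    start = data.find(JPEG_SOI)
    while start != -1:
        end = data.rfind(JPEG_EOI)
        if end > start and valid_segment_chain(data, start):
            return start, end + len(JPEG_EOI)
        start = data.find(JPEG_SOI, start + 1)
    return None

def triage(data: bytes) -> str:
    """'intact', 'wrapped:<prefix>,<suffix>' (byte counts to strip) or 'encrypted'."""
    span = carve_jpeg(data)
    if span is None:
        return "encrypted"  # no JPEG structure survives, so stripping bytes cannot help
    start, end = span
    if start == 0 and end == len(data):
        return "intact"
    return f"wrapped:{start},{len(data) - end}"

def make_fake_jpeg(rng: random.Random, payload_len: int = 4000) -> bytes:
    """Constructed stand-in for a camera JPEG: SOI, APP0, DQT, SOF0, scan data, EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + bytes(9)
    dqt = b"\xff\xdb" + (67).to_bytes(2, "big") + bytes(65)
    sof0 = b"\xff\xc0" + (17).to_bytes(2, "big") + bytes(15)
    scan = rng.randbytes(payload_len).replace(b"\xff", b"\x00")  # keep markers out of scan data
    return JPEG_SOI + app0 + dqt + sof0 + scan + JPEG_EOI

RNG = random.Random(1234)  # seeded so the constructed samples are reproducible
CLEAN = make_fake_jpeg(RNG)                                # untouched photo from the same camera
WRAPPED = RNG.randbytes(512) + CLEAN + RNG.randbytes(512)  # the 512-byte header/footer case
ENCRYPTED = RNG.randbytes(len(CLEAN))                      # stand-in for a genuinely encrypted file
```

A file that triages as "encrypted" has no original bytes left to carve, and comparing it against a clean file from the same camera reveals the added data, not the key.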

#20
Hi, I recovered this file from C:// called System Volume Information (it's 12 MB).
Can I move it to THE ACTUAL C:// and try my luck?