I found The CURE of CryptoWall 3.0 ( NEED EXPERT ASAP )

Discussion in 'Malware Analysis Archive' started by unfogiven19, Apr 1, 2015.

  1. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    Hi malwaretips... maybe we'll change the world together... because I was able to RECOVER a file which was encrypted by CRYPTOWALL 3.0.

    How did I do that?

    - I used a program called Fairdell HexCmp2.

    I selected two files (one is encrypted and the other was decrypted).

    I copied all the volume (the RSA CODE or I don't know what to call it) from the encrypted one to the decrypted one

    and I saved it!! After that it worked!!!

    I don't know, maybe this idea is useful... I'll try other things with other files...

    I'll contact you in this thread soon!! Please see the attached file!

    It's 2:21 am, I'm going to sleep. See you tomorrow.
     

    Attached file: ASAP.png (242.5 KB)
    done, juliano82, Thamaghot and 7 others like this.
  2. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    #2 unfogiven19, Apr 2, 2015
    Last edited by a moderator: Apr 2, 2015
    I need some help from experts to write software... or a tool, or something!!

    The trick is easy: find a file that still works and didn't get infected... along with the same file infected... and you can compare them to find the key.
     
    yongsua likes this.
  3. MalwareT

    MalwareT Guest

    Good tutorial :) This shall be sticky.
     
  4. LabZero

    LabZero Guest

    #4 LabZero, Apr 2, 2015
    Last edited by a moderator: Apr 2, 2015
    Maybe this is not the cure.
    Without the key it is impossible to decrypt the files.

    It is also necessary to verify whether your method works with other Cryptowall variants or other ransomware ;)
     
    done likes this.
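
An added example, not part of any post in this thread: what a byte-level comparison of a clean file and its encrypted copy can and cannot give you. The cipher is a stand-in (a SHA-256 counter keystream), not CryptoWall's scheme, and the sample documents and per-file keys are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def keystream(key: bytes, n: int) -> bytes:
    """Stand-in cipher (assumption): SHA-256 in counter mode, not CryptoWall's scheme."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def diff_ratio(a: bytes, b: bytes) -> float:
    """Fraction of offsets where the two files differ, as a hex-compare tool shows."""
    return sum(x != y for x, y in zip(a, b)) / min(len(a), len(b))

# Constructed sample data: two "documents" and two hypothetical per-file keys.
DOC_A = b"Holiday photo album, page 1. " * 200
DOC_B = b"Invoice 0001: total due 42.00 " * 200
ENC_A = xor(DOC_A, keystream(b"constructed-key-A", len(DOC_A)))
ENC_B = xor(DOC_B, keystream(b"constructed-key-B", len(DOC_B)))

def compare_pair() -> dict:
    """Compare file A with its encrypted copy, then reuse the result on file B."""
    recovered_stream = xor(DOC_A, ENC_A)       # only describes file A
    attempt_b = xor(ENC_B, recovered_stream)   # try it on a different file
    return {
        "diff_ratio": diff_ratio(DOC_A, ENC_A),
        "entropy_plain": entropy(DOC_A),
        "entropy_encrypted": entropy(ENC_A),
        "a_restored": xor(ENC_A, recovered_stream) == DOC_A,
        "b_restored": attempt_b == DOC_B[:len(attempt_b)],
    }

if __name__ == "__main__":
    for name, value in compare_pair().items():
        print(f"{name}: {value}")
```

Under these assumptions the comparison reproduces file A, which was already available in clean form, and nothing that restores file B.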
  5. frogboy

    frogboy Level 61
    Trusted

    Jun 9, 2013
    6,228
    64,805
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Emsisoft
    This sounds interesting, be keen to see if it works with your other files. :)
     
    LabZero likes this.
  6. Dani Santos

    Dani Santos From Xvirus
    Developer

    Jun 3, 2014
    1,031
    5,753
    Portugal
    Windows 10
    Xvirus
    What do you want the program to do?
     
  7. kram7750

    kram7750 New Member

    Apr 12, 2014
    995
    3,613
    He wants the program to decrypt a Cryptowall encrypted file, meaning breaking the RSA encryption/getting the private RSA key to decrypt the encrypted file.
     
  8. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    #8 unfogiven19, Apr 2, 2015
    Last edited: Apr 4, 2015
    I'm doing all my best for my dead mother... I need her pictures... It's all I used to have in this world...
     
    JoeBlack40, Koroke San and yongsua like this.
  9. kram7750

    kram7750 New Member

    Apr 12, 2014
    995
    3,613
    If I knew how to break the RSA encryption to make a tool to decrypt Cryptowall encrypted documents, I would do it. But I sadly don't. Currently there is no known way to "crack" it.

    The tools out there (which by the looks of the thread on the MRA where you were being assisted to clean up the infection) which try to decrypt the documents have a database of known RSA keys which can be used to attempt to decrypt the documents. However, the chances of that working are small as each different Ransomware sample may be different and hence produce a different RSA private key.

    If you had been monitoring the network at the time of infection you may have been able to get the key to unlock the files since they would have been sent to the server.

    I suggest you keep hold of the Cryptowall encrypted documents and store them very safely. Maybe in the future it will one day be possible. For now, there is no known way to just crack RSA.

    I never recommend paying the ransom as all it does is encourage the malware writers to continue making malware knowing they may make more profit out of it. But you can never trust a malware developer. There is also no guarantee they will actually let you decrypt your files after payment (even if they do have a "trial" like some samples do to let you decrypt one file to test the decryption). For all you know you could end up paying the ransom and get nothing in return.

    Cheers. ;)
     
    done likes this.
  10. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    I know... but this time, it's an exception... for me. I don't care about the computer, I care only about my mother's pictures... because I can never see her again.
     
    done, Iainh and yongsua like this.
  11. Tony Cole

    Tony Cole Level 27

    May 11, 2014
    1,619
    3,430
    Emergency medicine ST3
    UK
    Windows 10
    Kaspersky
    Contact Kaspersky, they could help. I use RSA 2048 to encrypt files. I thought that without the private key you don't stand a chance; that's why these criminal gangs are making so much money.
     
    done likes this.
  12. kram7750

    kram7750 New Member

    Apr 12, 2014
    995
    3,613
    I'm going to PM you something which may help you...
     
    done likes this.
  15. Dani Santos

    Dani Santos From Xvirus
    Developer

    Jun 3, 2014
    1,031
    5,753
    Portugal
    Windows 10
    Xvirus
    Do you have an encrypted and a non-encrypted file from the infected machine? You can try saket's suggestion.
     
    done likes this.
  16. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    YES! I have! Yet I don't know what I should do, I'm not a professional at using that software.
    I'll PM you the FILE.
     
    done likes this.
  17. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    I tried this software, but look what I get! Look at the weird extensions of my file.
     

  18. Dani Santos

    Dani Santos From Xvirus
    Developer

    Jun 3, 2014
    1,031
    5,753
    Portugal
    Windows 10
    Xvirus
    Do you have any restore point? Maybe that helps?
     
    done likes this.
  19. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    Unfortunately I don't... they were deleted by the VIRUS!

    Somebody check the following screenshot.
     

  20. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    Hi, I recovered this file from C:// called System Volume Information (it's 12 MB).
    Can I move it to THE ACTUAL C:// and try my luck?
     
    done likes this.