I found The CURE of CryptoWall 3.0 ( NEED EXPERT ASAP )

Discussion in 'Malware Analysis Archive' started by unfogiven19, Apr 1, 2015.

  1. Tony Cole

    Tony Cole Level 27

    May 11, 2014
    1,619
    3,430
    Emergency medicine ST3
    UK
    Windows 10
    Kaspersky
    I see you are using Kaspersky, how on earth did you manage to get infected with Cryptowall 3.0?
     
  2. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    I setup kespersky after the infection ... not before
     
    done likes this.
  3. unfogiven19

    unfogiven19 New Member

    Mar 30, 2015
    27
    23
    Hi , man ... I was able to decrypt 1 file who was infected with CRYPTOWALL 3.0 using HexCmp .... how to decrypt the rest of the file .. I need CryptoWall decrypter .... I NEED IT ASAP ... if the Trick work for me , it should work for everybody .



    PLEASE I'M WAITING
     
    done likes this.
  4. Thamaghot

    Thamaghot New Member

    May 13, 2015
    2
    2
    #24 Thamaghot, May 13, 2015
    Last edited: May 13, 2015
    done likes this.
  5. paull

    paull New Member

    May 17, 2015
    1
    0
    Hi fellow net users.
    I have investigated unforgivens ideea. The ideea is good, but you did the wrong thing. You just copied the info from the good one to the bad one. That's not the way. You must find the first bit of info from where it just goes wrong, and then fix it.
    1.I compared 2 samples of the same picture. The first one was encrypted and the second was decrypted.
    2. I was looking in the good picture at the binary info and then compared it to the crypted one to find similarities.
    3.I had no luck, i think the cryptowall jsut masses up the binary info in the file. It does not put the first 512 bits of info at the end. Of course there is a logic in its MO, but that remains to be discovered.
    Regarding the comparison i did, what i was trying to do looked like this:
    a)encrypted file: 01 02 AA 17 25 E8 01 FF ......78 ER 58 D8 F7...
    b)decrypted file: 78 ER 58 D8 F7.....
    c) or much simpler: its like a row of numbers that is massed up:
    one is logical (decrypted)1,2,3,4,5,6,7,8,9
    one is illogical(crypted) 5,6,7,8,9.....1,2,3,4
    BUT AGAIN you will not find something like this in the binary info of 2 files because cryptowall does not take the first 512 bits of info (fist numbers) and put it at the end.
    Please post if someone has an ideea.
     
  6. NatsuruHaveALife :D

    NatsuruHaveALife :D New Member

    May 18, 2015
    54
    112
    Programmer (Freelance) Self Employed Computer Tech
    Cirno's Math Class
    If its cryptowall, its gonna be a little bit harder. But this is a good start point. Suggest you go talk to the fellas over on Bleeping Computer. They have some coding experts over there. they helped a guy with cryptorbit i was trying to help out. Hopefully you can get everything back. I hate ransomware more than i hate Banking trojans honestly. Its the worst example of extortion there is. They should actually charge the developers of Ransom Trojans With Extortion, And The botnet offense too. There is one thing that is good that may be worth considering. Most ransomware that encrypt things won't allow themselves to be run sandboxed or virtualized. Something to think about in the future at least. Like keeping your pictures in a Virtual machine or something. or running a Linux VM to isolate malware from host windows os. You need help setting one of those up i would be happy to assist with setting up a Ubuntu .deb based / or RPM based os, whichever you want. Its the least i can do. I am not a code expert... Unfortunately. But i am good at installing Operating Systems. Have done complete installs of every OS except for gentoo or Arch. BSD and OpenBSD included.
     
    done likes this.
  7. eight24

    eight24 New Member

    Jun 28, 2015
    2
    2
    Hy guys , is it something resolved ? and what to do with
    Thamaghot files ?
     
    done likes this.
  8. Thamaghot

    Thamaghot New Member

    May 13, 2015
    2
    2
    #28 Thamaghot, Jul 31, 2015
    Last edited: Aug 15, 2015
    I'm trying running "decrypt.exe" on Windows Safe Mode.
     
    done likes this.
  9. Andrew M. Holder

    Andrew M. Holder New Member

    Aug 17, 2015
    1
    1
    Patchogue, NY
    Any Luck on this?
     
    done likes this.
  10. g3rsiu

    g3rsiu New Member

    Sep 25, 2015
    1
    1
    Romania
    Panda Ransomware Decrypt

    this tool has the option to compare a encrypted file and a original file - maybe it helps - let us know.
     
    done likes this.
  11. So Screwed

    So Screwed New Member

    Sep 25, 2015
    4
    5
    Philadelphia
    I got infected and lost all of my files, too. I had been meaning to reformat my computer because it was running poorly and sometimes programs didn't load. I procrastinated and got infected when Symantec didn't load. By the time I discovered this, I lost all my files, not just on the main computer, but 6 Gb of data stored on two attached external harddrives, including all my backups.

    I eventually decided to pay the ransom (Please, I don't need a lecture about more secure backups or why one shouldn't pay cyberthieves - the data is worth the ransom to me). The problem I now have is that the supplied file: decryptor.exe does not run on my ssytem. I do have both the public key and the private key the thieves did send me and I have securely backed this up in separate places.

    Any idea as to how to get a program that will run, use these keys, and get my data back?

    Any and all help would be much appreciated.
     
    done likes this.
  12. eight24

    eight24 New Member

    Jun 28, 2015
    2
    2
    Why doesn't work on your system? what system you have ? what OS ?
     
    done likes this.
  13. So Screwed

    So Screwed New Member

    Sep 25, 2015
    4
    5
    Philadelphia
    I am running Windows 7 Pro x64.

    My system is corrupt. I installed a fresh operating system on a new hard drive and am able to run the file. It simply replies "error" though for all encrypted files.

    I have removed my hard drives and am running a new Windows 10 install. My data is gone, but I remain hopeful that some day an answer will be found.
     
    done and frogboy like this.
  14. Vincnt

    Vincnt New Member

    Oct 7, 2015
    1
    1
    Sofia
    done likes this.
  15. So Screwed

    So Screwed New Member

    Sep 25, 2015
    4
    5
    Philadelphia
    done likes this.
  16. Amin Akhyar

    Amin Akhyar New Member

    Nov 25, 2015
    2
    2
    Jakarta
    I have the decrypter, all i need is decrypt key to restore my files... can we help each other?
     
    done likes this.
  17. Franklan815

    Franklan815 New Member

    Dec 2, 2015
    1
    1
    Spain
    Please I need to talk with you @unfogiven19 urgently.
    Please send me a PM...
     
    done likes this.
  18. So Screwed

    So Screwed New Member

    Sep 25, 2015
    4
    5
    Philadelphia
    "I have the decrypter, all i need is decrypt key to restore my files... can we help each other?"

    There is a public key and a private key. The private key is, as I understand it, computer-specific and mine would thus be of no use to you.
     
    done likes this.
  19. Amin Akhyar

    Amin Akhyar New Member

    Nov 25, 2015
    2
    2
    Jakarta
    #39 Amin Akhyar, Dec 2, 2015
    Last edited by a moderator: Dec 2, 2015
    I got the decrypter from their (virus maker) website. decrypter file info as attached.
    when i ran it, it need a key of 64 char. and i don't think that was a private key.
    the proses will be like this

    hope somebody can tell me if there is a possibility to find the key through encrypted file.
    using hexa viewer i found 2 lines of 128 chars sequence that may be we can use to generate the key.
    hopefully...
     

    Attached Files:

    done likes this.
  20. Cch123

    Cch123 Level 7

    May 6, 2014
    332
    815
    Not trying to burst anyone's hopes, but I really have to clear some misconceptions here.

    No, it is not possible to recover any files encrypted by cryptowall. You can't extract the decryption key from encrypted files.

    Steps to follow after an infection:
    1. Check if you really have a cryptowall infection. There are many other copycat malware out there, and some of them are made by script kiddies. For some infections, you can recover your files due to implementation errors by the author.
    2. Reinstall your OS and recover your files from backup.
    3. Remove the malware, then pray that you were using a non admin account when you got infected. If that is the case, you can user ShadowExplorer to find any shadow copies of you files that remain and restore you files.
    4. If nothing works, reinstall your system and write your loss off as an experience. Learn some good security habits and don't get infected again.
     
    Enju likes this.
Loading...
Similar Threads Forum Date
Q&A Secure Antivirus 360 - Found on Cnet Other Security for Windows Sep 30, 2016
Android Malware Developed in Kotlin Programming Language Found in Google Play Security News Wednesday at 11:07 AM
Major Intel CPU Hardware Vulnerability Found, Could Cost 35% Performance Security News Jan 2, 2018