Net54baseball.com Forums - Nasty ransom virus called Cryptowall 3.0 infected all my files

Net54baseball.com Forums (http://www.net54baseball.com/index.php)

- Net54baseball Vintage (WWII & Older) Baseball Cards & New Member Introductions (http://www.net54baseball.com/forumdisplay.php?f=2)

- - Nasty ransom virus called Cryptowall 3.0 infected all my files (http://www.net54baseball.com/showthread.php?t=204207)

Nasty ransom virus called Cryptowall 3.0 infected all my files

My computer recently got hit with a horrible ransomware virus called Cryptowall 3.0 that locked every image, document, pdf, etc. file.

The virus infects every drive connected to your computer, so if your backup drive or USB drive is connected - like mine were - they also get locked. The virus creates impossible to open encrypted copies of every file on your computer and deletes all your original files. The only way you can open your now encrypted files is to pay the $500 ransom in Bitcoins, which increases to a $1000 ransom after 7 days. Once they verify your Bitcoin payment a "key" is sent to you which will unlock your files.

I haven't paid the ransom yet because I'm still researching this virus, and because I've never used Bitcoins before. I have a lot of scans of vintage cards, memorabilia, and family photos on my computer that have taken many years to accumulate, so losing them would be a huge personal loss.

But I just wanted to warn anybody who thinks their files are safe because you have a backup - that they are not necessarily safe. I learned the hard way that once you back up your files you must UNPLUG your backup drive and USB drives from your computer, otherwise the virus can infect them too.

Paul,
Thanks fir the Heads uP... I am Really Sorry to hear of Your Troubles, Sounds like We are all at Risk!
I do hope fir a quick resolve fir Your/Our situation. A lot of us MiGHT Be RiGHT behind You...

Do You Recall Any Details from Your Inception of the Virus?

Denny,
There is some good information about Crypotowall 3.0 on the site BleepingComputer.com. I think my computer got infected by clicking on a fake program "update" which kept popping up on my desktop. It is also spread by opening an infected email. Messages are inserted into every folder instructing how to pay the ransom. Once you see those messages start to pop up, some people have unplugged their computer which stops the virus from encrypting more files. When I saw the messages keep popping up in each folder I didn't think to pull the plug. I went to Best Buy and asked the Geek Squad but they said the files are gone unless the ransom is paid. I bought the recommended anti-malware program called Malwarebytes and ran it several times to remove the virus, but that doesn't get the files back.
Paul

Most computers have a restore feature so you can restore to a time in the past. I have done it and it has worked but I have not encountered this virus either. (knock on wood)

Apparently www.decryptolocker.com will decrypt a sample file and send you a code to decrypt the remainder of the files. I have not tried this before.

Z Wheat

Paul, I have read and heard from a few different sources that it is possible to use a product such as R-Studio to recover at least some of the original files.

Here's an excerpt from a weekly podcast that I listen to, Security Now:

Quote:

LEO: Energized. And, after all, since you picked them, I presume you know the answers to them. Starting with Question #1 from Joe Pracht, and that's how he says you pronounce it, in North and South Carolina. That's a little bit of a mystery, but we'll just leave that to you, Joe. He writes, and this is a long one, he's recovered CryptoWall files without paying any ransom: Steve, I am a network and systems administrator for a large nonprofit covering North and South Carolina. Ah, you have given us the answer. We have had two XP computers infected by CryptoWall. We have a Group Policy block in place for CryptoLocker and are working to remove all XP machines from the network. However, in both cases we had the users disconnect the computers and ship them over to us. During Episode 496, Listener Feedback #207, Joe Meedy wrote you with a question about CryptoWall and made the statement, "I've read that CryptoWall makes a copy of your data file. It encrypts it, then deletes the original file." So, smart man, Joe Pracht.

STEVE: Uh-huh.

LEO: He thought about this. He said: I created a full image of the infected drive - that's always the first thing to do, just image that sucker off - and then used R-Studio to attempt the recovery of deleted files. I'm not promoting R-Studio over other products, he writes. This just happened to be one our department had a license to. The recovery brought back deleted files of all types. I contacted the user of the initially infected laptop to discuss some of the files we found. I mentioned a picture of kids at a Japanese steak house, and the user was ecstatic. Not all files were recovered, but we recovered enough to make the user very happy. Thank you and Leo for the last 10 years. I'm a longtime listener and can't wait for the new show every week. Joe Pracht. Wow, that's a great story.

STEVE: Well, yeah. I thought this was important to share because this demonstrates that, clever as these CryptoWall/CryptoLocker crypto bad guys are, they're making a fundamental mistake, and that is they're not overwriting the unencrypted files.

Thanks for the replies. I will look into R-Studio and see if it's a possibility. I have Windows XP and from what I understand, Microsoft stopped supporting XP last year so there were more vulnerabilities for viruses/malware.

For those who aren't entrenched in Windows

Sorry to hear about your situation but I'd never pay anything. You'll probably just end up being out of money. I highly doubt that they'll unlock your files and I doubt that they'd keep them unlocked for long before they pull the same BS.

If any of you are open to trying and installing a new OS I'd suggest it. After you backup your files of course. Here's a link to a easy group of Linux OSs. They're virtually VIRUS FREE. This just flat out wouldn't happen running that as opposed to Windows. Especially XP as you said is no longer supported. Depending on you memory capacity you'll have to check which would be compatible with your machine.

http://www.ubuntu.com/download

There's also numerous YouTube videos that will demonstrate how to install this onto your machines. It will replace Windows so back up your files. It's fairly simple just following directions.