  #6  
04-08-2015, 01:01 PM
4815162342 (Daryl)
Member
 
Join Date: Apr 2009
Posts: 3,657

Paul, I have read and heard from a few different sources that it is possible to use a product such as R-Studio to recover at least some of the original files.

Here's an excerpt from a weekly podcast that I listen to, Security Now:

Quote:
LEO: Energized. And, after all, since you picked them, I presume you know the answers to them. Starting with Question #1 from Joe Pracht, and that's how he says you pronounce it, in North and South Carolina. That's a little bit of a mystery, but we'll just leave that to you, Joe. He writes, and this is a long one, he's recovered CryptoWall files without paying any ransom: Steve, I am a network and systems administrator for a large nonprofit covering North and South Carolina. Ah, you have given us the answer. We have had two XP computers infected by CryptoWall. We have a Group Policy block in place for CryptoLocker and are working to remove all XP machines from the network. However, in both cases we had the users disconnect the computers and ship them over to us. During Episode 496, Listener Feedback #207, Joe Meedy wrote you with a question about CryptoWall and made the statement, "I've read that CryptoWall makes a copy of your data file. It encrypts it, then deletes the original file." So, smart man, Joe Pracht.

STEVE: Uh-huh.

LEO: He thought about this. He said: I created a full image of the infected drive - that's always the first thing to do, just image that sucker off - and then used R-Studio to attempt the recovery of deleted files. I'm not promoting R-Studio over other products, he writes. This just happened to be one our department had a license to. The recovery brought back deleted files of all types. I contacted the user of the initially infected laptop to discuss some of the files we found. I mentioned a picture of kids at a Japanese steak house, and the user was ecstatic. Not all files were recovered, but we recovered enough to make the user very happy. Thank you and Leo for the last 10 years. I'm a longtime listener and can't wait for the new show every week. Joe Pracht. Wow, that's a great story.

STEVE: Well, yeah. I thought this was important to share because this demonstrates that, clever as these CryptoWall/CryptoLocker crypto bad guys are, they're making a fundamental mistake, and that is they're not overwriting the unencrypted files.
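To make the point in the transcript concrete, here is an added example (not from the post, the podcast, or R-Studio) that simulates what Joe Pracht relied on: the ransomware writes an encrypted copy and deletes the original, but deletion only drops the directory entry, so the original bytes stay in unallocated space until something reuses those blocks. The constructed "disk image", the JPEG-shaped files and the stand-in ciphertext are all assumptions; the carver scans raw bytes for JPEG start/end markers, which is the class of technique recovery tools automate.

```python
"""File-carving demo on a constructed in-memory disk image.

Added example, not code from the forum post, Security Now, or R-Studio.
Everything here is simulated: the block layout, the "JPEG" files (marker
bytes around a short payload) and the stand-in ciphertext.
"""

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
BLOCK = 512                  # simulated filesystem block size


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG-shaped blob: SOI, an APP0-like byte, payload, EOI."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def pad(data: bytes) -> bytes:
    """Round a file up to whole blocks, as a filesystem allocator would."""
    return data + b"\x00" * (-len(data) % BLOCK)


def fake_ciphertext(n: int) -> bytes:
    """Stand-in for the encrypted copy (assumption, not real ciphertext).

    Deterministic bytes that never contain the JPEG markers, so anything the
    carver finds is a genuine leftover original, not a false positive.
    """
    return (bytes(range(256)) * (n // 256 + 1))[:n]


def carve_jpegs(image: bytes) -> list:
    """Scan raw bytes for SOI..EOI spans, ignoring any directory metadata.

    This is the essence of 'recover deleted files': the names are gone,
    but a file whose blocks were not reused is still findable by signature.
    """
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)


def simulate(reuse_deleted_blocks: bool) -> dict:
    """Lay out two originals, 'encrypt' them, delete the originals, carve.

    reuse_deleted_blocks=False: the allocator writes the copies into free
    space, so both originals survive in unallocated blocks (the case in the
    transcript). reuse_deleted_blocks=True: the allocator hands back the
    first freed file's blocks, so that original is overwritten and lost.
    """
    originals = [
        fake_jpeg(b"constructed photo: kids at a Japanese steak house"),
        fake_jpeg(b"constructed photo: office party"),
    ]
    a_len, b_len = len(pad(originals[0])), len(pad(originals[1]))
    free_start = a_len + b_len
    # Data region: original files block-aligned, then four free blocks.
    data = bytearray(pad(originals[0]) + pad(originals[1]) + b"\x00" * (4 * BLOCK))
    directory = {"kids.jpg": 0, "party.jpg": a_len}

    # Ransomware behaviour as described: encrypted copy written, original deleted.
    copies = [fake_ciphertext(len(o)) for o in originals]
    directory.clear()  # deletion removes names and offsets, not data bytes

    if reuse_deleted_blocks:
        offsets = [0, free_start]                       # first copy lands on kids.jpg
    else:
        offsets = [free_start, free_start + len(pad(copies[0]))]
    for copy, off in zip(copies, offsets):
        data[off:off + len(copy)] = copy

    return {
        "originals": originals,
        "directory": directory,
        "recovered": carve_jpegs(bytes(data)),
    }


if __name__ == "__main__":
    for reuse in (False, True):
        r = simulate(reuse)
        print(f"blocks reused={reuse}: directory={r['directory']}, "
              f"recovered {len(r['recovered'])} of {len(r['originals'])} originals")
```

The second scenario is the caveat behind "not all files were recovered": recovery depends on the freed blocks not having been reallocated yet, which is why imaging the drive before doing anything else (as Joe did) matters.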