After a brief hiatus malware developers release CryptoWall 3.0


272 replies to this topic

#31 ericbondoc123 (Members, 7 posts)

Posted 21 January 2015 - 11:35 AM

Hi Grinler. I just attached the encrypted file.

Thanks

All my files were infected by this ransom or CryptoWall virus. There was a note in every infected folder. Please see below the message of the note in the text file.
 
-----------------
All your important files were crypted with two strong algoritms - RSA and AES
All files that have been cryped have name, starting with error_
We can sell you the program that will restore all your files.
If you want buy this program, you need send us your Unique Identificator on ert888@ruggedinbox.com
After that we will send you instructions of payment
Also you can attach one small file (less than 300 Kilobytes) and we will restore it.

If we didnt answer you during 1-2 days, it means that we didnt get your letter. So,
make your own e-mail account on www.ruggedinbox.com and send your letter again.


This is not CryptoWall. It looks like something else. Can you send us a copy of this ransom note and one of the encrypted files at http://www.bleepingcomputer.com/submit-malware.php?channel=3 so we can take a look?

Do you know if you opened anything right before the files were encrypted? If so, do you still have that file?

 

Hi Grinler,

I just sent the file.

When I mapped the network drive, all the files had been modified with the same timestamp, including the subfolders. When I try to open the files they show only ASCII characters, which is the encrypted format.

Thanks,

Waiting for your feedback.



#32 Grinler (Lawrence Abrams, Topic Starter, Admin, 45,110 posts, Location: USA)

Posted 21 January 2015 - 11:47 AM

I didn't receive the files. Did you submit them at http://www.bleepingcomputer.com/submit-malware.php?channel=3 ?

Also, make sure you send BOTH the ransom note file and an encrypted file.

Thanks

#33 ericbondoc123 (Members, 7 posts)

Posted 21 January 2015 - 11:52 AM

 

I just sent it again.



#34 Grinler (Lawrence Abrams, Topic Starter, Admin, 45,110 posts, Location: USA)

Posted 21 January 2015 - 11:57 AM

Got 'em, thanks.

#35 loveleeyoungae (Members, 17 posts)

Posted 25 January 2015 - 07:40 PM

Hi, I was too careless when letting the malvertisements run for some days before they distributed this damn virus. So, I'm going to pay the ransom. But I have some questions; hope you could advise me:

1. I realized my data were being encrypted, so I turned the PC off before the virus could finish. So does anyone know what the procedure is when I get the decrypter tool? I.e., should I turn the PC on and let the virus finish, and then run the tool right in the infected OS? Or can I just run the tool in Safe Mode? Or even better, could I just plug the infected HDD into another PC and run the tool on that non-infected OS?

2. And finally, what's the best way to remove the virus?

Thanks.


Edited by loveleeyoungae, 25 January 2015 - 07:40 PM.


#36 BlackHawk1 (Members, 38 posts)

Posted 28 January 2015 - 12:15 AM

Is CryptoPrevent the only game in town to deal with this? Are HitmanPro.Alert or Malwarebytes Anti-Exploit Premium effective at preventing CryptoWall?



#37 White Hat Mike (Members, 312 posts, Location: ::1)

Posted 31 January 2015 - 06:02 PM

Going over yet another infected machine, it seems like I pulled the binary launching CryptoWall 3.0. It has probably already been found, but I'm still looking at it to confirm. I'm pretty sure it is, based on initial analysis, but reading the ransom notes should confirm it when I get that far. It drops the HELP_DECRYPT.PNG ransom note unique to 3.0, refers to numerous different TOR gateways that previous versions could be observed referring to within ransom notes, and follows the same process tree and activities (bcdedit calls, deleting services) that we've seen in the past.


Edited by White Hat Mike, 31 January 2015 - 06:06 PM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
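A worked triage check, added here as an editor's example and not code from this thread or from any poster. It runs the three indicators described in the posts above over a constructed file listing and a constructed process log: ransom notes dropped per folder (HELP_DECRYPT.PNG, from post #37), a burst of files rewritten at the same timestamp (the observation in post #31), and bcdedit invocations (post #37). The sample paths, the exact bcdedit command lines in the constructed log, and the 60-second window and 20-file threshold are assumptions made for the example, not values taken from the thread.

```python
"""Triage of a file listing and a process-command log for the CryptoWall 3.0
indicators discussed in this thread. Added example, not code from the thread
or from any poster; every input below is constructed sample data."""
from collections import namedtuple
from datetime import datetime, timedelta
import ntpath

FileEntry = namedtuple("FileEntry", "path mtime")

# Ransom-note name taken from post #37. Any further note names are an
# assumption the reader would add here.
NOTE_NAMES = {"HELP_DECRYPT.PNG"}
# Boot/recovery tampering tool named in post #37 ("bcdedit calls").
TAMPER_TOOLS = ("bcdedit",)


def ransom_note_dirs(entries):
    """Directories into which a ransom note was dropped (one note per folder
    is the pattern the thread describes)."""
    return sorted({ntpath.dirname(e.path) for e in entries
                   if ntpath.basename(e.path).upper() in NOTE_NAMES})


def largest_modification_burst(entries, window=timedelta(seconds=60)):
    """Largest number of non-note files whose mtimes fall inside one sliding
    window. Mass encryption shows up as a single huge burst, which is the
    'all files modified with the same timestamp' observation from post #31.
    Returns (count, window_start); (0, None) for an empty listing."""
    times = sorted(e.mtime for e in entries
                   if ntpath.basename(e.path).upper() not in NOTE_NAMES)
    best, best_start, lo = 0, None, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 > best:
            best, best_start = hi - lo + 1, times[lo]
    return best, best_start


def recovery_tampering(log_lines):
    """Process-log lines that invoke a recovery-tampering tool."""
    return [line for line in log_lines
            if any(tool in line.lower() for tool in TAMPER_TOOLS)]


def triage(entries, log_lines, burst_threshold=20):
    """Combine the three indicators; two or more is treated as a likely hit.
    The window and threshold values are arbitrary choices for this example."""
    notes = ransom_note_dirs(entries)
    burst, start = largest_modification_burst(entries)
    tamper = recovery_tampering(log_lines)
    hits = int(bool(notes)) + int(burst >= burst_threshold) + int(bool(tamper))
    return {"note_dirs": notes, "burst_files": burst, "burst_start": start,
            "tamper_cmds": tamper, "indicators": hits,
            "likely_ransomware": hits >= 2}


# --- constructed sample data (not from a real incident) ---
T0 = datetime(2015, 1, 21, 9, 14, 2)
SAMPLE_FILES = []
for folder in (r"C:\Users\bob\Documents", r"C:\Users\bob\Documents\Projects",
               r"Z:\Shared\Finance"):
    for i in range(10):                       # ten documents per folder, all
        SAMPLE_FILES.append(FileEntry(       # rewritten at the same second
            ntpath.join(folder, f"report{i}.docx"), T0))
    SAMPLE_FILES.append(FileEntry(           # note dropped right afterwards
        ntpath.join(folder, "HELP_DECRYPT.PNG"), T0 + timedelta(seconds=3)))
for i in range(5):                            # unrelated files, spread-out mtimes
    SAMPLE_FILES.append(FileEntry(rf"C:\Windows\Logs\log{i}.txt",
                                  T0 - timedelta(hours=3 * i + 1)))

SAMPLE_PROCLOG = [  # constructed lines in a generic 'time pid image cmd' shape
    '2015-01-21 09:13:55 pid=2048 image=explorer.exe cmd="explorer.exe"',
    '2015-01-21 09:13:58 pid=3112 image=cmd.exe cmd="bcdedit /set {default} recoveryenabled No"',
    '2015-01-21 09:13:58 pid=3120 image=cmd.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2015-01-21 09:20:01 pid=3300 image=notepad.exe cmd="notepad.exe C:\\Users\\bob\\notes.txt"',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_PROCLOG).items():
        print(f"{key}: {value}")
```

On a real case the listing would come from walking the mounted image (or the mapped share from post #31) and the log from whatever process auditing was in place; the burst check is the one that still fires when, as Grinler notes later in the thread, the binary has deleted itself and left no file to find.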


#38 White Hat Mike (Members, 312 posts, Location: ::1)

Posted 31 January 2015 - 06:24 PM

Confirmed it's a CryptoWall 3.0 binary.

 

[attached image: 9t370h.jpg]




#39 raulman1 (Members, 3 posts)

Posted 02 February 2015 - 01:54 PM

My client's data files are all backed up via Carbonite.  Why are there no instructions here on how to remove the virus/worm itself?  I started a scan with both Malwarebytes and Superantispyware when I was last at my client's PC to try to remove it.  Will either of those work?  How about Hitman Pro?  Please advise.  My client can't be the only user who has a good backup and wants to remove the threat before restoring his data.



#40 Grinler (Lawrence Abrams, Topic Starter, Admin, 45,110 posts, Location: USA)

Posted 02 February 2015 - 02:16 PM

CryptoWall typically does not leave any files behind. It encrypts and removes itself.

#41 raulman1 (Members, 3 posts)

Posted 02 February 2015 - 07:40 PM

Thank you Lawrence.



#42 wademon (Members, 17 posts)

Posted 02 February 2015 - 11:17 PM

Has anyone found a solution to decrypting the files after cleaning the computer, other than "Oh my!"?



#43 White Hat Mike (Members, 312 posts, Location: ::1)

Posted 03 February 2015 - 11:10 AM

CryptoWall typically does not leave any files behind. It encrypts and removes itself.

 

Typically, yes. I guess I may have gotten lucky, then. When I analyze the PE file I pulled, I can literally watch it carry out all of the CryptoWall 3.0 activities, including the encryption of files and generation of ransom notes.




#44 Grinler (Lawrence Abrams, Topic Starter, Admin, 45,110 posts, Location: USA)

Posted 03 February 2015 - 11:21 AM

Typically, yes.  I guess I may have gotten lucky, then.  The PE file I pulled, when I analyze it, I can literally watch it carry out all of the CryptoWall 3.0 activities including the encryption of files and generation of ransom notes.


But it wasn't listed as a startup correct? It was just a file sitting on your drive doing nothing?

#45 White Hat Mike (Members, 312 posts, Location: ::1)

Posted 03 February 2015 - 11:25 AM

 

This file was retrieved from an infected HD that I imaged and reviewed for a client. The odd thing about it is that it was located directly in the C:\ folder, and that it wasn't deleted after it launched like it should have been. This device was confirmed to be infected with CryptoWall 3.0, so it's very possible this file was involved in the infection.

Let me load up the image of the affected device and double-check the file paths and registry entries to make sure the auto-start keys are gone and the Startup entry is removed. I will post again after I check.






