[CS/DR] Ransomware on Steroids: Cryptowall 2.0 - Page 9  

post #81 of 85
Quote:
Originally Posted by Lord Xeb View Post

My shop has had 2 Cryptolocker infections on their machines this week. :/ Of course, no one ever has a backup. This thing really is one nasty trojan... one of the worst I have seen and remember in recent memory. Probably one of the worst ones out there.

I wasn't the tech on the call for it, but one of our clients had a PC come down with this this week. Blew up all their scans before the antivirus stopped it. Had to explain to the client that without a backup there is no way to recover the scanned documents that were lost.
post #82 of 85
So my friend became an unfortunate victim of cryptowall or some other cryptovirus. Since he is not very tech savvy, I had to clean his system, and now the virus is gone. Unfortunately some of his pictures are now encrypted, and I guess there is no way to recover them because of the 256-bit key?

Luckily his system is super slow and something interrupted the virus, because he noticed the whole thing days after the damage was done. Now I'm wondering how the virus works: does it work like the Windows cut/paste process, which first copies all the data and afterwards deletes it from the source? Or is it so intelligent that it does everything in real time? I'm wondering this because the computer was so slow that it didn't have enough time to do much damage before getting interrupted by something. There was one folder with 8 pictures and another folder with the same name, also with 8 pictures, but those were encrypted. The file sizes were pretty much the same. So could it be possible that the virus didn't have time to delete all the files before getting interrupted by something (virus scanner, unstable reboot or something else)?
post #83 of 85
It copies the file, encrypts the copy and then deletes the original file.
After it has finished the encryption in a specific folder it generates an html and a txt file and deletes the shadow copies.
There is no way to decrypt it now; there was a slim chance when it was still present on the PC.
Edited by DiNet - 2/18/16 at 2:44am
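The copy-encrypt-delete behaviour described in the post above leaves a recognisable trail in file-system telemetry: a burst of "new file appears, original disappears" pairs in one folder, a note pair (html + txt) dropped into that folder, and a shadow-copy deletion shortly afterwards. The script below is an added example written for this thread, not code from the original posts or from any analysis of the malware itself. It assumes a simple `timestamp|event|detail` line format for the telemetry, assumes the encrypted copy keeps the original name with an extra suffix (here the made-up `.locked`), and uses made-up note file names and thresholds; the sample events are constructed, not captured from a real infection.

```python
"""Toy detector for the encrypt-and-replace pattern described in the thread.

Assumptions (not from the original post):
  * telemetry lines look like  "ISO-timestamp|create|<path>", "...|delete|<path>"
    or "...|process|<command line>";
  * the encrypted copy keeps the original file name plus a suffix;
  * ransom notes are an html/txt pair sharing one stem.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

# Constructed sample telemetry for the example; paths and names are made up.
SAMPLE_EVENTS = """\
2016-02-18T02:30:01|create|C:\\Users\\bob\\Pictures\\trip\\img1.jpg.locked
2016-02-18T02:30:01|delete|C:\\Users\\bob\\Pictures\\trip\\img1.jpg
2016-02-18T02:30:02|create|C:\\Users\\bob\\Pictures\\trip\\img2.jpg.locked
2016-02-18T02:30:02|delete|C:\\Users\\bob\\Pictures\\trip\\img2.jpg
2016-02-18T02:30:03|create|C:\\Users\\bob\\Pictures\\trip\\img3.jpg.locked
2016-02-18T02:30:03|delete|C:\\Users\\bob\\Pictures\\trip\\img3.jpg
2016-02-18T02:30:04|create|C:\\Users\\bob\\Pictures\\trip\\img4.jpg.locked
2016-02-18T02:30:04|delete|C:\\Users\\bob\\Pictures\\trip\\img4.jpg
2016-02-18T02:30:05|create|C:\\Users\\bob\\Pictures\\trip\\HOW_TO_RESTORE.html
2016-02-18T02:30:05|create|C:\\Users\\bob\\Pictures\\trip\\HOW_TO_RESTORE.txt
2016-02-18T02:30:06|process|vssadmin.exe delete shadows /all /quiet
2016-02-18T02:31:10|create|C:\\Users\\bob\\Documents\\report.docx
2016-02-18T02:31:11|delete|C:\\Users\\bob\\Documents\\report.docx.bak
"""

WINDOW = timedelta(seconds=30)   # original must vanish this soon after its copy appears
SWAP_THRESHOLD = 3               # replace-pairs per folder before we call it bulk encryption
# The post says the tool deletes shadow copies; this matches the usual admin command for that.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def parse_events(text):
    """Turn the line format above into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "detail": detail})
    return events


def detect(events):
    """Return (finding, subject) tuples for the three behaviours in the post."""
    findings = []
    recent_creates = defaultdict(list)  # folder -> [(ts, file name)]
    swaps = defaultdict(int)            # folder -> count of copy-then-delete pairs
    notes = defaultdict(set)            # folder -> {(stem, ext)} for html/txt drops

    for ev in events:
        if ev["kind"] == "process":
            if SHADOW_DELETE.search(ev["detail"]):
                findings.append(("shadow_copy_deletion", ev["detail"]))
            continue
        folder, name = ntpath.split(ev["detail"])
        if ev["kind"] == "create":
            recent_creates[folder].append((ev["ts"], name))
            stem, ext = ntpath.splitext(name)
            if ext.lower() in (".html", ".txt"):
                notes[folder].add((stem.lower(), ext.lower()))
        elif ev["kind"] == "delete":
            # An original disappearing right after a longer-named copy appeared
            # in the same folder is one "encrypt-and-replace" pair.
            for cts, cname in recent_creates[folder]:
                if (cname != name and cname.startswith(name)
                        and timedelta(0) <= ev["ts"] - cts <= WINDOW):
                    swaps[folder] += 1
                    break

    for folder, count in swaps.items():
        if count >= SWAP_THRESHOLD:
            findings.append(("bulk_encrypt_and_replace", folder))
            by_stem = defaultdict(set)
            for stem, ext in notes[folder]:
                by_stem[stem].add(ext)
            # The html + txt pair the post mentions, dropped into the hit folder.
            if any({".html", ".txt"} <= exts for exts in by_stem.values()):
                findings.append(("ransom_note_pair", folder))
    return findings


if __name__ == "__main__":
    for finding, subject in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{finding}: {subject}")
```

The point of the example is the ordering the post describes: copies appear before originals go, so an endpoint watching create/delete pairs per folder can raise an alert after a handful of swaps, well before every folder is touched; the shadow-copy deletion is a second, independent signal worth alerting on by itself, because once it has run the "slim chance" the post refers to is gone.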
post #84 of 85
So, do they actually decrypt the files when you pay them? Or just take the money and run?
post #85 of 85
Quote:
Originally Posted by MadRabbit View Post

So, do they actually decrypt the files when you pay them? Or just take the money and run?

They decrypt the files.
Done it 6 times by now.
All is fairly automatic. You transfer bitcoins to the wallet and the website will give you a download link for the decryptor after about 12 hours. The website is live for 72h afaik.
The website is generated for you personally.