
CryptoWall 3.0 - Safe to connect the infected PC to my network?

post #1 of 7
Thread Starter 
My uncle brought me his PC, which was infected by the CryptoWall 3.0 ransomware (according to the ransom message, anyway). While I understand that we may not be able to recover the files, the first thing I'd like to do is clean this PC of the ransomware.

So anyway, my question is: is it safe to connect this infected PC to my network in order to download the tools required to remove the ransomware? I just want to make sure it doesn't spread to all the PCs in my own home.

In my router there's a wireless setting, "Set AP Isolated", whose description says it prevents wireless clients from communicating with each other. Would this help protect my PC?

I'm reluctant to use a USB drive, as I'm afraid it might infect the USB drive itself and get spread to my PC the next time I use the drive.

Thanks. My apologies if I seem too paranoid; this is one nightmare I cannot afford to have happen to my own PC.

By the way, if anyone knows of any good ransomware scanner, please do suggest it to me.
    
CPUMotherboardGraphicsRAM
Intel Core i7 930 @ 4.03GHz Gigabyte X58A-UD7 Gigabyte GeForce GTX 970 G1 Gaming Corsair Vengence 12GB 9-9-9-24 
Hard DriveHard DriveOSMonitor
Intel SSD 80GB Western Digital Black 2TB Corsair H50 Dell U2412M 
PowerCaseAudio
Corsair HX1000W Coolermaster HAF 932 Creative X-Fi Titanium 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Intel Core i7 930 @ 4.03GHz Gigabyte X58A-UD7 Gigabyte GeForce GTX 970 G1 Gaming Corsair Vengence 12GB 9-9-9-24 
Hard DriveHard DriveOSMonitor
Intel SSD 80GB Western Digital Black 2TB Corsair H50 Dell U2412M 
PowerCaseAudio
Corsair HX1000W Coolermaster HAF 932 Creative X-Fi Titanium 
  hide details  
Reply
post #2 of 7
I am not sure if there are any tools that would help get rid of the ransomware on PCs infected with this. There was an article about this here some time back that said the only solution would be to back up & restore the PC to factory settings. Not doubting your abilities or anything, just saying what I had read, but if you do have certain tools that can help with such encryption, do share.
post #3 of 7
Because of how it works, put everything on it you may possibly need beforehand on USB & get to work that way, so you're not hopping back and forth. The Rakhni & Rector decryptors may work, but doubtful. There's no clear-cut way yet to decrypt the files CW3 encrypts. So you are best off reinstalling the OS & getting it over with, in all honesty.

Even if you get it quarantined... that's the next major hurdle.

For the USB drive, you can just format it.
post #4 of 7
Quote:
Originally Posted by Hornet85

So anyway, my question is: is it safe to connect this infected PC to my network in order to download the tools required to remove the ransomware? I just want to make sure it doesn't spread to all the PCs in my own home.

In my router there's a wireless setting, "Set AP Isolated", whose description says it prevents wireless clients from communicating with each other. Would this help protect my PC?

I don't know about your specific variant of CryptoWall, but from the ones I have seen, it will scan network shared storage and USB devices and look for additional files to encrypt. So in that case, you have some risk. If you can find the process, shut it down, and remove it from startup, you should be OK in this regard.

I don't know how your AP isolation feature works, but if it really prevents communication between hosts on a network, then that should do the trick.
Quote:
Originally Posted by Hornet85

I'm reluctant to use a USB drive, as I'm afraid it might infect the USB drive itself and get spread to my PC the next time I use the drive.

From the variants that I have seen, it doesn't use USB to spread, although it will try to encrypt files on a USB drive. So as long as the drive is already blank when you plug it in, you should be OK.
post #5 of 7
I have a couple of experiences with this variant. I work as desktop support at a corporate level. What I've noticed and documented is that it will only encrypt what it can see. It will only travel through the network and flash drives if you go into them and open up the folders etc. For example, if a user goes into the mapped drive while infected it won't infect that drive, but only when the user goes into a specific folder and saves/opens a document in it. Same result with USB drives. Hope this helps.
post #6 of 7
You need an install disk or recovery disk. Once in WinRE you can use robocopy to copy your data from the offline image to an external drive.
post #7 of 7
Quote:
Originally Posted by koulaid

I have a couple of experiences with this variant. I work as desktop support at a corporate level. What I've noticed and documented is that it will only encrypt what it can see. It will only travel through the network and flash drives if you go into them and open up the folders etc. For example, if a user goes into the mapped drive while infected it won't infect that drive, but only when the user goes into a specific folder and saves/opens a document in it. Same result with USB drives. Hope this helps.

As a network admin, since the first outbreak of the Crypto viruses, I have seen these programs escalate quickly out of control. I have cleaned this off of around 8 small to medium sized networks since it came out. The only "safe" thing to do is wipe the infected machines. Most of the new derivatives do not actually encrypt the files with the RSA-2048 that it says it is. It just breaks the headers on all of your files. I was able to analyze some of the data on a Linux box and look at the actual code of the files, and some of the documents can be read, or bits and pieces of hex code. But nothing usable.
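The claim just above (that some variants only break file headers rather than encrypting whole files) can be checked without a decryptor by comparing byte entropy in the first few KiB against the rest of the file: genuine ciphertext sits near 8 bits/byte throughout, while a header-only wipe leaves a body that still looks like ordinary document data. The following is an added example for this thread, not code from any poster; the 4 KiB header window, the 7.5 bits/byte threshold and the three sample files are assumptions constructed for the demo.

```python
"""Header-vs-body entropy check for files left behind after a ransomware run.

Added example (not a poster's code). The header length and entropy threshold
below are assumptions chosen for the demo, not values from the thread.
"""
import math
import os
import random
import sys
from collections import Counter

HEADER_LEN = 4096       # assumption: bytes treated as the "header" region
HIGH_ENTROPY = 7.5      # assumption: bits/byte above which data looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    text_bytes = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text_bytes / len(data)


def classify(data: bytes, header_len: int = HEADER_LEN,
             threshold: float = HIGH_ENTROPY) -> str:
    """Label a file's contents by where the high-entropy bytes are."""
    head_h = shannon_entropy(data[:header_len])
    body_h = shannon_entropy(data[header_len:])
    if head_h >= threshold and body_h >= threshold:
        return "fully-encrypted"          # nothing recoverable without the key
    if body_h < threshold:
        return "header-damaged-only"      # body still carries plain structure
    return "unknown"                      # low-entropy header, scrambled body


def analyze_file(path: str) -> dict:
    """Read one file and report entropy and printable ratio for head and body."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "size": len(data),
        "head_entropy": round(shannon_entropy(data[:HEADER_LEN]), 2),
        "body_entropy": round(shannon_entropy(data[HEADER_LEN:]), 2),
        "body_printable": round(printable_ratio(data[HEADER_LEN:]), 2),
        "verdict": classify(data),
    }


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_samples() -> dict:
    """Constructed sample contents (not real victim files) for the three cases."""
    rng = random.Random(1234)
    body = (b"Quarterly report: revenue rose 4% on higher unit sales. "
            b"See appendix B for the regional breakdown.\n") * 600   # ~60 KiB text
    return {
        "encrypted": _rand_bytes(rng, 64 * 1024),                  # whole file random
        "header_zeroed": b"\x00" * HEADER_LEN + body,              # header wiped, body intact
        "header_scrambled": _rand_bytes(rng, HEADER_LEN) + body,   # header random, body intact
    }


def main(argv):
    if len(argv) > 1:                        # real use: point it at a directory tree
        for root, _, files in os.walk(argv[1]):
            for name in files:
                print(analyze_file(os.path.join(root, name)))
        return
    for label, content in make_samples().items():   # demo on constructed data
        print(f"{label:18s} head={shannon_entropy(content[:HEADER_LEN]):.2f} "
              f"body={shannon_entropy(content[HEADER_LEN:]):.2f} -> {classify(content)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a directory argument (for example a mount of the offline disk image) to get one line per file; with no argument it runs on the constructed samples. A "header-damaged-only" verdict is the case the poster describes: the body may still be carved or partially read, whereas "fully-encrypted" files are only recoverable from backups.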