geekhack

geekhack Community => Other Geeky Stuff => Topic started by: Hundrakia on Sat, 16 August 2014, 00:09:57

Title: CryptoWall
Post by: Hundrakia on Sat, 16 August 2014, 00:09:57
So this is a fun ransomware that the sister in law got. It encrypts your documents with RSA-2048 where the public keys are offsite. Easy to purge the malware, hard to unencrypt the documents.
Title: Re: CryptoWall
Post by: Hundrakia on Sat, 16 August 2014, 00:10:46
Anyone with any experience have insight?
Title: Re: CryptoWall
Post by: jalaj on Sat, 16 August 2014, 00:14:19
Best to start here:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
Title: Re: CryptoWall
Post by: Hundrakia on Sat, 16 August 2014, 00:32:40
Best to start here:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Yeah. That I had found prior, thank you though!
Title: Re: CryptoWall
Post by: dorkvader on Sat, 16 August 2014, 15:38:42
I recommend attempting to recover what you can with file recovery tools. I have had a good amount of success with cgsecurity (http://www.cgsecurity.org/wiki/) tools, photorec and testdisk.

I further recommend regular backups (offsite if possible) of important information.

Best of luck!
Title: Re: CryptoWall
Post by: Hundrakia on Sat, 16 August 2014, 16:06:09
This strain destroyed any shadow copy, and encrypted the backup heh. I'll try the aforementioned tools, hopefully I can bring her good news of recovered files before too long.
Title: Re: CryptoWall
Post by: dorkvader on Sun, 17 August 2014, 09:21:16
I have had good success with photorec, but it will take a really long time to run (like a week or more). It's meant to get anything salvageable off a corrupt compactflash card.

Testdisk will sort through partitions looking for old / deleted ones: most likely won't work here.

I think your best option is to grab anything that looks like a file from the "empty" space in the HDD. For that purpose, DDrescue is likely your best bet. Here's a good howto / article I found pretty quick:
http://www.forensicswiki.org/wiki/Ddrescue

I only started using this later on a little, so I don't have as much experience, but once I got started with it, it was great. I don't remember if I was using DD_rescue or DDrescue, as I think the debian / Ubuntu repos have it named slightly differently (like gddrescue or something stupid). My method was to boot a light linux image (modified from one called crunchbang, based on debian) to RAM, then load the app from the same flashdrive, but you can just download it and run it normally once you are booted to the live environment. Either option works well, provided you have like 2GB or more of RAM, and depending on the size of your linux distro.
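dorkvader's "grab anything that looks like a file from the empty space" is what signature-based file carving does. The block below is an added Python illustration of that idea, not code from this thread, from photorec or from ddrescue; it scans a constructed byte string standing in for a raw disk image, and the three signatures and the window size are assumptions for the demo.

```python
"""Minimal signature-based file carver (added example, not from the thread).

Scans a raw disk image (or any byte blob) for known file headers and cuts
each file out up to its footer, the idea behind pulling "anything that
looks like a file" out of unallocated space. Three formats only; a real
carver knows hundreds and validates structure, which this does not.
"""

# (kind, header, footer): a file is cut from header to footer inclusive
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]
MAX_LEN = 16 * 1024 * 1024  # window used when no footer is found nearby


def carve(image: bytes, max_len: int = MAX_LEN):
    """Return a list of (kind, offset, data), sorted by offset."""
    found = []
    for kind, header, footer in SIGNATURES:
        start = 0
        while (pos := image.find(header, start)) != -1:
            end = image.find(footer, pos + len(header))
            if end == -1 or end - pos > max_len:
                data = image[pos:pos + max_len]  # truncated: take a window
            else:
                data = image[pos:end + len(footer)]
            found.append((kind, pos, data))
            start = pos + len(header)  # keep scanning past this header
    found.sort(key=lambda f: f[1])
    return found


# Constructed sample "disk image": zero filler with a tiny PNG and a fake
# PDF embedded, standing in for unallocated space on a drive. For a real
# image, read the file with open(path, "rb") (or mmap it) and pass the bytes.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"\x01" * 17 + b"IEND\xaeB`\x82"
    + b"\xff" * 32
    + b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for kind, off, data in carve(SAMPLE_IMAGE):
        print(f"{kind} at offset 0x{off:x}, {len(data)} bytes")
```

Carving recovers whatever plaintext copies still sit in unallocated space (old versions, temp files, deleted originals); it does nothing for the encrypted copies themselves, which is why the offsite backup advice above is the real fix.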
Title: Re: CryptoWall
Post by: ddot on Tue, 19 August 2014, 17:07:13
There were a few articles floating around a few days ago regarding a company that had been able to reverse engineer some of the private keys for CryptoLocker. If CryptoWall is a variant, then it might not be of any use to you, but just passing it on in case it was.

http://www.theregister.co.uk/2014/08/06/decryptolocker/
Title: Re: CryptoWall
Post by: Hundrakia on Tue, 19 August 2014, 17:39:22
It is a variant, CryptoLocker was brought down and the server seized (iirc) so the public keys were made available I believe, while CryptoWall still is at large.