Author Topic: CryptoWall


Offline Hundrakia

  • Thread Starter
  • Posts: 172
  • Location: Northwest Territories, Canada
CryptoWall
« on: Sat, 16 August 2014, 00:09:57 »
So this is a fun ransomware that the sister in law got. It encrypts your documents with RSA-2048 where the public keys are offsite. Easy to purge the malware, hard to unencrypt the documents.

Offline Hundrakia

  • Thread Starter
  • Posts: 172
  • Location: Northwest Territories, Canada
Re: CryptoWall
« Reply #1 on: Sat, 16 August 2014, 00:10:46 »
Anyone with any experience have insight?

Offline jalaj

  • Posts: 156
Re: CryptoWall
« Reply #2 on: Sat, 16 August 2014, 00:14:19 »

Offline Hundrakia

  • Thread Starter
  • Posts: 172
  • Location: Northwest Territories, Canada
Re: CryptoWall
« Reply #3 on: Sat, 16 August 2014, 00:32:40 »

Offline dorkvader

  • Posts: 6288
  • Location: Boston area
  • all about the "hack" in "geekhack"
Re: CryptoWall
« Reply #4 on: Sat, 16 August 2014, 15:38:42 »
I recommend attempting to recover what you can with file recovery tools. I have had a good amount of success with cgsecurity tools, photorec and testdisk.

I further recommend regular backups (offsite if possible) of important information.

Best of luck!
« Last Edit: Sat, 16 August 2014, 15:41:56 by dorkvader »

Offline Hundrakia

  • Thread Starter
  • Posts: 172
  • Location: Northwest Territories, Canada
Re: CryptoWall
« Reply #5 on: Sat, 16 August 2014, 16:06:09 »
This strain destroyed any shadow copy, and encrypted the backup heh. I'll try the aforementioned tools, hopefully I can bring her good news of recovered files before too long.

Offline dorkvader

  • Posts: 6288
  • Location: Boston area
  • all about the "hack" in "geekhack"
Re: CryptoWall
« Reply #6 on: Sun, 17 August 2014, 09:21:16 »
I have had good success with photorec, but it will take a really long time to run (like a week or more). It's meant to get anything salvageable off a corrupt compactflash card.

Testdisk will sort through partitions looking for old / deleted ones: most likely won't work here.

I think your best option is to grab anything that looks like a file from the "empty" space in the HDD. For that purpose, DDrescue is likely your best bet. Here's a good howto / article I found pretty quick:
http://www.forensicswiki.org/wiki/Ddrescue

I only started using this later on a little, so I don't have as much experience, but once I got started with it, it was great. I don't remember if I was using DD_rescue or DDrescue, as I think the debian / Ubuntu repos have it named slightly differently (like gddrescue or something stupid). My method was to boot a light linux image (modified from one called crunchbang, based on debian) to RAM, then load the app from the same flashdrive, but you can just download it and run it normally once you are booted to the live environment. Either option works well, provided you have like 2GB or more of RAM, and depending on the size of your linux distro.
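To show what the photorec-style recovery suggested above actually does (carving files out of raw disk space by header and footer signatures, without relying on the filesystem), here is an added example; it is not code from this thread or from the cgsecurity project, and the signature table, the carve function and SAMPLE_IMAGE are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed signature table: (magic header, footer, extension) for a few
# footer-terminated formats. A hypothetical minimal carver, not photorec itself.
SIGNATURES = [
    (b"\xff\xd8\xff", b"\xff\xd9", "jpg"),            # JPEG SOI ... EOI
    (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", "png"),  # PNG signature ... IEND chunk
    (b"%PDF-", b"%%EOF", "pdf"),                      # PDF header ... %%EOF
]

@dataclass
class CarvedFile:
    offset: int
    ext: str
    data: bytes

def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[CarvedFile]:
    """Scan a raw image for known headers and cut out each file up to its footer.
    A header with no footer within max_size is treated as truncated and skipped."""
    found = []
    for header, footer, ext in SIGNATURES:
        start = 0
        while (pos := image.find(header, start)) != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                start = pos + 1          # truncated candidate, keep scanning
                continue
            end += len(footer)
            found.append(CarvedFile(pos, ext, image[pos:end]))
            start = end                  # resume after the carved file
    found.sort(key=lambda f: f.offset)
    return found

# Constructed sample "disk image": filler bytes with a fake JPEG and a fake PNG
# embedded, plus a PNG header with no footer that the carver must skip.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0" + b"JFIFdata" + b"\xff\xd9"
    + b"\x00" * 32
    + b"\x89PNG\r\n\x1a\n" + b"IHDRpixels" + b"IEND\xaeB`\x82"
    + b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"IHDRtruncated"
)

if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"offset={f.offset} type={f.ext} size={len(f.data)}")
```

On a real case, run this kind of carving against an image taken with ddrescue rather than the live disk, so the unallocated space is never written to while you work.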

Offline ddot

  • Master of Suspense
  • Posts: 164
  • Location: Canada
Re: CryptoWall
« Reply #7 on: Tue, 19 August 2014, 17:07:13 »
There were a few articles floating around a few days ago regarding a company that had been able to reverse engineer some of the private keys for CryptoLocker. If CryptoWall is a variant, then it might not be of any use to you, but just passing it on in case it was.

http://www.theregister.co.uk/2014/08/06/decryptolocker/

Offline Hundrakia

  • Thread Starter
  • Posts: 172
  • Location: Northwest Territories, Canada
Re: CryptoWall
« Reply #8 on: Tue, 19 August 2014, 17:39:22 »
It is a variant, CryptoLocker was brought down and the server seized (iirc) so the public keys were made available I believe, while CryptoWall still is at large.