Cryptowall
CyberNOS
Posts: 10 Observer
in Web Browsing
Call from someone who got hit with the Cryptowall malware. Clicked on an attachment. Using Workstation PSB on Windows 7 PC. Unfortunately, not all of the important files that were encrypted were backed up off-site. Looking at biting the bullet and paying for the private key. It is not at all clear if they will provide the private key even if paid. Anyone have experience with this? Not sure how this got by F-Secure. I realize it is difficult if the user launches a malicious application via an email attachment, but still.... If any of you in-house tech support folks have anything helpful, please let me know. This is a very nasty one.
Comments
-
They claim to be using RSA 2048-bit encryption, so brute force is out. I'm looking to see if anyone else ever had to pay, and if so, if they ever got the private key as promised (by criminals). I would also like to know how this happened with F-Secure Workstation PSB on the system, though that is for future decision making.
-
Hello CyberNOS,
To clarify what variant your user is facing and assess better the situation, please submit a sample to our lab.
By creating an account and explaining the situation in the message field of the submission form, our lab should be able to provide you with more details on the infection.
-
I found this:
Maybe it is the same thing?
http://www.theregister.co.uk/2014/04/03/cryptodefense_rsa_private_key_on_disk/
-
Looking for any advice for recovery of encrypted files due to an 11/6 infection of CryptoWall 2.0 on my home PC running Windows 7 (Home Premium). Is there any work underway to develop a decrypt solution for this variant? If so, what is the probability of a successful outcome? When would one estimate availability?
-
I asked the same thing when I was dealing with this a while back. Unfortunately a CryptoWall infection typically uses 2048-bit encryption, which is virtually uncrackable. Maybe the NSA has the horsepower in a cave somewhere, but probably not. The only recommendation I can make to you is to verify the files are actually encrypted and not just the headers changed (use a hex editor and compare an encrypted file to an unencrypted one). Also, look to see if the private key got placed on the infected PC someplace. Unlikely, but in earlier versions that appears to have happened. You will probably find that there is nothing you can do about this. My client had to pay up but did get all the files decrypted.
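The hex-editor check suggested above (is the whole file ciphertext, or only the header overwritten?) can be automated. The script below is an added example, not code from this thread or from F-Secure: it reads the file signature, measures the Shannon entropy of the first and last bytes, and, when a known-good copy exists, reports the byte range that actually differs. The "ransomware" here is a constructed stand-in (a SHA-256 counter-mode keystream XORed over a made-up PNG-like document), the 7.0 bits/byte threshold is a heuristic, and compressed formats (JPEG, docx, zip) look high-entropy even when intact, so for those only the comparison against a clean copy is conclusive.

```python
"""Triage for files touched by ransomware: fully encrypted, or header-only damage?
All samples below are constructed for the demo; the keystream is not any
real malware's scheme."""
import hashlib
import math
from collections import Counter

# Signatures ("magic bytes") of a few common document formats.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP/Office (docx, xlsx, ...)",
    b"\xff\xd8\xff": "JPEG",
}
WINDOW = 1024          # bytes examined at each end of the file
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_format(data: bytes):
    """Return the format name if the file still starts with a known signature."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def triage(data: bytes) -> dict:
    """Classify one file from its signature and the entropy of both ends."""
    head, tail = data[:WINDOW], data[-WINDOW:]
    fmt = detect_format(data)
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    if fmt is not None:
        verdict = "signature intact; file does not look encrypted"
    elif tail_e < HIGH_ENTROPY:
        verdict = ("signature gone but body is low-entropy: header-only damage, "
                   "body may be recoverable")
    else:
        # Caveat: compressed formats are high-entropy even when intact, so this
        # branch cannot separate "encrypted" from "compressed" on its own;
        # use diff_extent() against a known-good copy where one exists.
        verdict = "signature gone and body is high-entropy: likely fully encrypted"
    return {"format": fmt, "head_entropy": round(head_e, 2),
            "tail_entropy": round(tail_e, 2), "verdict": verdict}


def diff_extent(damaged: bytes, original: bytes):
    """Offsets of the first and last differing byte against a known-good copy,
    i.e. what the hex-editor comparison does by eye.  None if identical."""
    n = min(len(damaged), len(original))
    diffs = [i for i in range(n) if damaged[i] != original[i]]
    if len(damaged) != len(original):      # bytes appended or cut off also differ
        diffs.append(max(len(damaged), len(original)) - 1)
    return (diffs[0], diffs[-1]) if diffs else None


def keystream(length: int, label: bytes) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) standing in
    for ciphertext; constructed for the demo only."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_prefix(data: bytes, prefix_len: int, label: bytes) -> bytes:
    """Replace the first prefix_len bytes with ciphertext and keep the rest."""
    ks = keystream(prefix_len, label)
    return bytes(a ^ b for a, b in zip(data[:prefix_len], ks)) + data[prefix_len:]


# Constructed "document": a PNG signature followed by repetitive, low-entropy text.
ORIGINAL = b"\x89PNG\r\n\x1a\n" + (b"The quick brown fox jumps over the lazy dog.\n" * 200)
FULLY_ENCRYPTED = xor_prefix(ORIGINAL, len(ORIGINAL), b"full")   # whole file overwritten
HEADER_ONLY = xor_prefix(ORIGINAL, 256, b"head")                  # only the first 256 bytes

if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL), ("fully encrypted", FULLY_ENCRYPTED),
                       ("header only", HEADER_ONLY)]:
        print(f"{name:16s} {triage(blob)}")
        print(f"{'':16s} differs from original at {diff_extent(blob, ORIGINAL)}")
```

Run against a real tree, the same two functions would be applied to each file, with `diff_extent()` fed a copy from the last good backup where one exists; a header-only verdict is what makes carving the body worth trying, while a fully-encrypted verdict on every file is the situation the rest of this thread describes.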
-
Update on this issue: From what I have been able to gather, after talking to the Michigan State Police and the folks at the F-Secure labs, this was a zero-day, drive-by attack. The MSP have been seeing this get in from malicious scripts in pop-up ads on the web pages of reputable sites. (Failure to properly vet the ads by the sub-contractors populating the web pages with the pop-ups.) Looking at the date of infection, it became clear that F-Secure PSB Workstation DID indeed identify the malware, but not until the update that happened (literally) the day after the infection. Bad luck and bad timing..... I now strongly recommend that all of my clients install NoScript and Adblock Plus into their web browsers. My client did have to pay, but the files were decrypted as promised. If you have to go this route, be advised that the most time-consuming thing was getting the bitcoins set up to pay. It took so long that we missed the deadline and had to pay double!
This discussion has been closed.