Cryptowall

Call from someone who got hit with the Cryptowall malware. Clicked on an attachment. Using Workstation PSB on a Windows 7 PC. Unfortunately, not all of the important files that were encrypted were backed up off-site. Looking at biting the bullet and paying for the private key. It is not at all clear whether they will provide the private key even if paid. Anyone have experience with this? Not sure how this got by F-Secure. I realize it is difficult if the user launches a malicious application via an email attachment, but still.... If any of you in-house tech support folks have anything helpful, please let me know. This is a very nasty one.
Best Answer
CyberNOS:
Update on this issue: From what I have been able to gather, after talking to the Michigan State Police and the folks at the F-Secure labs, this was a zero-day, drive-by attack. The MSP has been seeing this get in from malicious scripts in pop-up ads on the web pages of reputable sites. (Failure to properly vet the ads by the sub-contractors populating the web pages with the pop-ups.) Looking at the date of infection, it became clear that F-Secure PSB Workstation DID indeed identify the malware, but not until the update that happened (literally) the day after the infection. Bad luck and bad timing..... I now strongly recommend that all of my clients install NoScript and Adblock Plus in their web browsers. My client did have to pay, but the files were decrypted as promised. If you have to go this route, be advised that the most time-consuming thing was getting the bitcoins set up to pay. It took so long that we missed the deadline and had to pay double!
Comments
Hello CyberNOS,
To clarify which variant your user is facing and to assess the situation better, please submit a sample to our lab.
By creating an account and explaining the situation in the message field of the submission form, our lab should be able to provide you with more details on the infection.
I found this:
Maybe it is the same thing?
http://www.theregister.co.uk/2014/04/03/cryptodefense_rsa_private_key_on_disk/