Cryptowall

Call from someone who got hit with the Cryptowall malware. Clicked on an attachment. Using Workstation PSB on Windows 7 PC. Unfortunately, not all of the important files that were encrypted were backed up off-site. Looking at biting the bullet and paying for the private key. It is not at all clear if they will provide the private key even if paid. Anyone have experience with this? Not sure how this got by F-Secure. I realize it is difficult if the user launches a malicious application via an email attachment, but still... If any of you in-house tech support folks have anything helpful, please let me know. This is a very nasty one.

Comments

  • CyberNOS Posts: 10
    FWIW, the person who got hit says he did NOT click on the attachment.
  • Simon Posts: 2,653 Superuser
    Hopefully one of the F-Secure support team will respond to this, but the first question they may well ask is, was the product the latest version and had it been fully updated?
  • CyberNOS Posts: 10
    Yes, latest version. Last automatic update was yesterday, 6/3/14.
  • Simon Posts: 2,653 Superuser
    OK. I don't have enough knowledge of this to be able to comment further. I believe the Online Scanner would remove the virus, if that's any use now, but as far as releasing the files goes, from what I've heard and read, that's something more of a challenge, if possible at all.
  • CyberNOS Posts: 10
    They claim to be using RSA 2048-bit encryption, so brute force is out. I'm looking to see if anyone else ever had to pay, and if so, if they ever got the private key as promised (by criminals). I would also like to know how this happened with F-Secure Workstation PSB on the system, though that is for future decision making.
  • Ben Posts: 2,641 F-Secure Product Expert
    Hello CyberNOS,

    To clarify what variant your user is facing and better assess the situation, please submit a sample to our lab.

    By creating an account and explaining the situation in the message field of the submission form, our lab should be able to provide you with more details on the infection.
  • Looking for any advice for recovery of encrypted files due to an 11/6 infection of CryptoWall 2.0 on my home PC running Windows 7 (Home Premium). Is there any work underway to develop a decrypt solution for this variant? If so, what is the probability of a successful outcome? When would one estimate availability?
  • I asked the same thing when I was dealing with this a while back. Unfortunately a CryptoWall infection typically uses 2048-bit encryption, which is virtually uncrackable. Maybe the NSA has the horsepower in a cave somewhere, but probably not. The only recommendation I can make to you is to verify the files are actually encrypted and not just the headers changed (use a hex editor and compare an encrypted file to an unencrypted one). Also, look to see if the private key got placed on the infected PC someplace. Unlikely, but in earlier versions that appears to have happened. You will probably find that there is nothing you can do about this. My client had to pay up but did get all the files decrypted.
    Ukko
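The check the reply above recommends, confirming whether a file is genuinely encrypted or only had its header altered, can be scripted instead of done by eye in a hex editor. The following is an added example, not code from the thread or from F-Secure: it compares a known-good copy of a file (for instance from an older backup) against the suspect copy, reports where the bytes differ, and measures how random the suspect looks. The 512-byte header threshold and the 0.9 / 7.5 decision limits are assumptions chosen for this example. The sample "document" and its two damaged variants are constructed inline; the scrambled variant is SHA-256-chained filler standing in for ciphertext so the script runs offline, and is not a model of how CryptoWall behaves.

```python
import hashlib
import math
from collections import Counter

# Region that tampering might touch without encrypting the contents.
# 512 bytes is an assumed threshold for this example, not a figure from the thread.
HEADER_LIMIT = 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(original: bytes, suspect: bytes) -> dict:
    """Compare a known-good copy against a suspect file.

    Returns the first/last differing offset, the fraction of bytes changed,
    the entropy of both inputs, and a coarse verdict:
      identical           - nothing changed
      header_only         - changes confined to the first HEADER_LIMIT bytes; body intact
      fully_encrypted     - nearly every byte changed and the result is high-entropy
      partially_modified  - anything else; inspect manually
    """
    n = min(len(original), len(suspect))
    diffs = [i for i in range(n) if original[i] != suspect[i]]
    tail = abs(len(original) - len(suspect))      # length difference counts as changed
    total = max(len(original), len(suspect))
    changed = len(diffs) + tail
    fraction = changed / total if total else 0.0
    h_orig, h_susp = shannon_entropy(original), shannon_entropy(suspect)

    if changed == 0:
        verdict = "identical"
    elif tail == 0 and diffs[-1] < HEADER_LIMIT < total:
        verdict = "header_only"
    elif fraction > 0.9 and h_susp > 7.5:
        verdict = "fully_encrypted"
    else:
        verdict = "partially_modified"

    return {
        "first_diff": diffs[0] if diffs else None,
        "last_diff": diffs[-1] if diffs else None,
        "fraction_changed": fraction,
        "entropy_original": h_orig,
        "entropy_suspect": h_susp,
        "verdict": verdict,
    }


def _constructed_noise(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain). A constructed stand-in
    for ciphertext so the example runs offline; NOT how any ransomware works."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "document": repetitive text, as a spreadsheet export might be.
LINE = b"Q3 budget line item: 1,250.00 EUR allocated to infrastructure\n"
ORIGINAL = (LINE * 100)[:4096]
# Variant 1: only the first 64 bytes overwritten; the body is still recoverable.
HEADER_ONLY = _constructed_noise(64, b"header") + ORIGINAL[64:]
# Variant 2: every byte replaced by high-entropy filler, what real encryption looks like.
FULLY_SCRAMBLED = _constructed_noise(len(ORIGINAL), b"body")


if __name__ == "__main__":
    for name, suspect in (("header_only", HEADER_ONLY), ("scrambled", FULLY_SCRAMBLED)):
        r = triage(ORIGINAL, suspect)
        print(f"{name}: verdict={r['verdict']} changed={r['fraction_changed']:.1%} "
              f"entropy={r['entropy_suspect']:.2f} bits/byte")
```

In practice, run `triage()` over the backup copy and the suspect copy read from disk (`open(path, "rb").read()`); a `header_only` verdict means the body is worth salvaging with a file-repair tool, while `fully_encrypted` confirms that only a backup or the key will get the data back.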