

never (Network Administrator and Malware Researcher)
  • How to Remove CryptoWall 4.0 and Restore Your Data?
    « on: November 06, 2015, 03:03:03 pm »
    Hello
    Today is a busy day for the IT security community. CryptoWall 4.0 is back in full power and the news is not very bright. It has been identified to be way more vicious than its predecessors. Here are some of the key improvements of this nasty ransomware that make it an even bigger threat:
    • Reported to use different and custom file extensions.
    • Reported to rename the filenames as well.
    • Reported to demand 700 dollars from its victims
    • Features an even more intimidating and annoying message, mocking the user.
    However, the ransomware also has some similarities to the previous versions:
    • Encrypts user data with strong encryption and leaves files on the desktop (HELP_YOUR_FILES.txt, HELP_YOUR_FILES.png, HELP_YOUR_FILES.txt)
    • Uses a strong encryption algorithm that is near impossible to decrypt.
    • Creates registry entries, malicious executables and modifies Windows data.
    • Uses emails to infect users.
    You may remove CryptoWall 4.0 using the instructions in the following topic:

    http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/msg180/#msg180

    Here are several file decryption manuals, regarding CryptoWall 4.0:
    Method 1:
    http://sensorstechforum.com/remove-rsa-2048-encryption-key-from-cryptowall-3-0/
    Method 2:
    http://sensorstechforum.com/restore-files-encrypted-via-rsa-encryption-remove-cryptowall-and-other-ransomware-manually/

    This is an open forum discussion. In case you want to ask for help, share your experience or simply discuss CryptoWall in general, this is the place for you. We will attempt to help and answer all of the questions regarding CryptoWall adequately and in a timely manner.
    Guilty is the love of The Sin.
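    The post above lists the on-disk traces CryptoWall 4.0 leaves behind: ransom-note files named HELP_YOUR_FILES.* dropped next to the data, and user files renamed with custom extensions and encrypted in place. The following script is an added example (not code from the original post or from SensorsTech) showing how a defender can sweep a directory tree for those traces: it flags the note filenames, tallies file extensions so a burst of unknown ones stands out, and uses a Shannon-entropy check to spot files that should be plain text but are now indistinguishable from random bytes. The note names come from this thread (the .html variant is mentioned in reply #5); the 7.5-bit entropy threshold and the sample-tree contents are assumptions constructed for the demo.

```python
"""Sweep a directory tree for CryptoWall-style ransomware traces (added example)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note filenames named in this thread (.txt/.png in the first post, .html in reply #5).
RANSOM_NOTE_NAMES = {"HELP_YOUR_FILES.txt", "HELP_YOUR_FILES.png", "HELP_YOUR_FILES.html"}

# Extensions whose content should be compressible text; an encrypted-in-place copy is not.
TEXT_LIKE_EXTS = {".txt", ".csv", ".xml", ".html", ".json", ".log", ".ini"}

# Assumption: plain text rarely exceeds ~6 bits/byte; ciphertext sits near 8.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is sampled


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root) -> dict:
    """Walk `root` and return ransom notes, suspicious text files, and an extension tally."""
    root = Path(root)
    report = {"ransom_notes": [], "high_entropy_text_files": [], "extension_counts": Counter()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in RANSOM_NOTE_NAMES:
            report["ransom_notes"].append(rel)
            continue
        ext = path.suffix.lower() or "<none>"
        report["extension_counts"][ext] += 1
        if ext in TEXT_LIKE_EXTS:
            with path.open("rb") as fh:
                entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            if entropy >= ENTROPY_THRESHOLD:
                report["high_entropy_text_files"].append((rel, round(entropy, 2)))
    report["ransom_notes"].sort()
    report["high_entropy_text_files"].sort()
    return report


def build_sample_tree(base) -> Path:
    """Constructed sample data standing in for an infected profile; no real malware output."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "HELP_YOUR_FILES.txt").write_text("constructed placeholder for a ransom note\n")
    (docs / "notes.txt").write_text("Quarterly report draft, plain text.\n" * 50)
    # os.urandom stands in for ciphertext: a .txt that was encrypted in place.
    (docs / "report.txt").write_bytes(os.urandom(8192))
    # A renamed file with a custom extension, as the first post describes.
    (docs / "a8f3k2.x7q").write_bytes(os.urandom(4096))
    return Path(base)


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    result = run_demo()
    print("Ransom notes:", result["ransom_notes"])
    print("Text files that look encrypted:", result["high_entropy_text_files"])
    print("Extension tally:", dict(result["extension_counts"]))
```

    Run it against a real user profile by calling `scan_tree("/path/to/profile")`; the extension tally is the quickest tell, since a healthy profile has a handful of familiar extensions while a CryptoWall 4.0 hit produces many files with one-off, random-looking ones.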

  • Re: How to Remove CryptoWall 4.0 and Restore Your Data?
    « Reply #1 on: November 10, 2015, 11:19:38 am »
    wow... this thing has become quite the business... nasty stuff  :o

  • Re: How to Remove CryptoWall 4.0 and Restore Your Data?
    « Reply #2 on: January 12, 2016, 11:24:04 am »
    Nice forum, but how did you get the Key to Decrypt the file?
    When I use "python ./decrypt.py “Myfile.xlsx”", I have an error "cannot read Header"


never (Network Administrator and Malware Researcher)
  • Re: How to Remove CryptoWall 4.0 and Restore Your Data?
    « Reply #3 on: January 23, 2016, 01:01:16 pm »
    Hello mo.narjis,

    This may be due to several reasons:

    -For every file, the private key is different. Python uses factorization in order to establish the private key based on the public key. For CryptoWall 4.0 a new, updated and stronger algorithm has been used which makes it more difficult to decrypt your files.

    -You may have made a mistake. Check your files carefully and go through the steps again. One small comma in the code may be the reason.

    -You have more than one algorithm with which your files are encrypted. It is possible that the file uses a different algorithm and this is why the software does not identify the header.

    -The file is not on your hard drive. Users have reported on forums that this was due to their files being on a CD drive or a USB stick.

    To establish where exactly the issue may be originating from, we need you to upload screenshots in your reply or quote exactly what the error message states.

    Thanks
    Guilty is the love of The Sin.

Dextrosia
  • Re: How to Remove CryptoWall 4.0 and Restore Your Data?
    « Reply #4 on: July 27, 2017, 10:55:28 am »
    Hi There

    I was hit with the CryptoWall 4.0 ransomware about 2 years back.
    Back then I did not have the money to pay the ransom, and as such, I kept a backup of all my encrypted files (plenty of family photos and videos of my kids from their time of birth 12 yrs ago).
    It was/is the only photos/videos I have of them during that period of their life, so it was a great blow needless to say.
    Fast-forward 2 years on, and my financial position has considerably increased somewhat to the point where I would be able/prepared to try this route of paying the ransom for the encryption codes.
    The only problems I am faced with now are:

    1) How do I go about getting hold of the unsavoury characters again to attempt this? Would anyone maybe have a working URL / link where I could try to get hold of these guys?
    And
    2) As I no longer have the laptop where the files were originally encrypted (I copied all the encrypted files over to an external HDD to be used on my new laptop), would it even still be possible to decrypt them anymore as well?

    Many Thanks,
    Gary

Execute (Your friendly neighbourhood IT guy)
  • Re: How to Remove CryptoWall 4.0 and Restore Your Data?
    « Reply #5 on: July 28, 2017, 02:37:12 pm »
    Quote from Dextrosia:
    Hi There

    I was hit with the CryptoWall 4.0 ransomware about 2 years back...

    Hello, Gary.

    Sadly, the CryptoWall 4 virus is not spreading like it used to and the Angler Exploit Kit is gone now. That means that the malware authors have probably made the money they wanted and stopped pushing it. Maybe you have a ransom note or a picture of it, from where you can check for an e-mail or a TOR network page, like in the example below:

    [image of a CryptoWall 4 ransom note; not preserved in this copy of the thread]

    As far as I remember, on the .html page there weren't any e-mails left, but just the payment system which is opened in TOR.
    *Checking*

    Ok, so if the ransom note looked like the one above, you should have only a URL address pointed out on the TOR network, which is an automated system for payment, and I couldn't find a working one. You might find one if you look for ransom notes for CryptoWall 4 and previous variants...

    Regarding the other question - if you somehow find and contact the cybercriminals and write to them that you moved your files, regardless of payment or not, they might still not help you. Usually ransomware authors say that it is your fault for not paying in time and for moving the files. So, even then their decryptor might not work, unless some files of the virus are on your PC.

    I don't think you can recover your files now, but keep your hope alive as there might be a new version of the virus and the malware creators could release a MASTER decryption key for the older versions (you never know)...

    Best of luck and I am sorry that I can't help you further. :(

    Kind Regards,
    Execute
    There is no place like 127.0.0.1