SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Internet and Networking Security => Topic started by: Execute on October 13, 2015, 01:18:20 pm

Title: Help Decrypt Files Encrypted by Cryptowall 3.0
Post by: Execute on October 13, 2015, 01:18:20 pm
Cryptowall has become a very devastating ransomware. It encrypts files on your computer and asks for a large ransom to “potentially” get them back via an encryption key. There is no telling that if you pay, all of your files will be restored or that you will be provided with a key, and if that key would work or not.

In Cryptowall 1.0, the ransomeware made a copy of important files and encrypted it, while just deleting the original files. In this way, the original files could be recovered with data recovery tools. Then Cryptowall 2.0 came in, with that restoration ability gone as it also could delete Shadow Volume copies of Windows and system restore points as well. It was also using individual TOR gateways for payment for each user that fells victim to it. By using a private TOR network, the creators can stay hidden from authorities. The RakhniDecryptor.exe and RectorDecryptor.exe from Kaspersky are tools that could be used in order to decrypt at least some files, although those tools were made specifically for other ransomware Trojans.

Cryptowall 3.0 - the latest version, encrypts your files using a mixture of RSA and AES encryption, which can be “unlocked” only by a private decryption key that only the creators of the ransomware know. The RSA cryptosystem used in Cryptowall 3.0 may vary from 1,024 to 4,096 bits, and the 256-bit length of the AES key used, makes the encryption so strong that it can take literally billions of years to brute-force all the possible variations of the decrypting key with a super-computer. It would take 1 billion years to crack a 128-bit encryption key with a super-computer, experts say. Also, the AES algorithm encrypts files many times – the more bits it is, the more times it encrypts a file. Not to mention that some users report that Cryptowall 3.0 uses Chinese characters – modern Chinese contains more than 3,000 symbols in its alphabet, so any attempt to crack the code seems really infeasible.
Here is our article about Cryptowall 3.0 -  http://sensorstechforum.com/remove-cryptowall-3-0-and-restore-the-encrypted-files/#comment-16407 (http://sensorstechforum.com/remove-cryptowall-3-0-and-restore-the-encrypted-files/#comment-16407).

You can remove the dreadful virus with an advanced anti-malware program, but most of your files might remain locked. So far, there is no real solution found to help decrypting files of the victim users. The ransomware is built by people, so there might be a weak-link to be found somewhere.

Do you have any ideas? What do you think should be done? What methods have you tried and what have you done to prevent such an attack from happening?