

viper_iii

Old CryptoWall 2.0 Files
« on: June 19, 2016, 05:48:39 pm »
Have quite a few files that were encrypted with cryptowall 2.0 (oct 2014) still around and wanted to try the ubuntu decrypt.py method on them...

have moved the files off of original drives - the shadow copies were removed and these were files on the local systems - so backups didn't exist - network files were not an issue & had backups available.

http://sensorstechforum.com/restore-files-encrypted-via-rsa-encryption-remove-cryptowall-and-other-ransomware-manually/

Read that and due to that being an old article many issues came up..

initially default python install from install of 16.04 = 2.7.x not the 3.x

install 3.x branch and still get errors.

found that 2.x is still required per:
http://sensorstechforum.com/forums/malware-removal-questions-and-guides/how-to-fix-decrypt-py-'syntaxerror-missing-parentheses-in-call-to-print/

so when running under 2.x via normal with cryptowall 2.0 encrypted files (which have their normal extension)

I get:
$ python ./decrypt.py "PIC1.JPG"
Traceback (most recent call last):
 File "./decrypt.py", line 29, in <module>
    from Crypto.Cipher import AES
ImportError: No module named Crypto.Cipher

just wondering if there is an updated instruction to start hammering away and see if some of these files can be decrypted via this tool?

found a few useful updates:

sudo apt-get install autoconf g++
(sudo not necessary for next lines)
pip install pycrypto
pip install --upgrade pip


New error after getting past Crypto.Cipher
Error parsing file footer - cryptowall probably not able to decrypt at all it appears...
----
reloaded ubuntu complete and re-working
download decrypt.py file and save to /home

sudo apt-get install sqlite3 libsqlite3-dev
sudo apt-get install ruby-dev
sudo apt-get install sqlite3-dev (not found)
sudo gem install sqlite3
sudo gem install sqlite3-ruby
sudo apt-get install autoconf g++
sudo apt install python-pip
pip install pycrypto
pip install --upgrade pip
download current cado-nfs
https://gforge.inria.fr/frs/?group_id=2065
https://gforge.inria.fr/frs/download.php/latestfile/2513/cado-nfs-2.2.0.tar.gz
extract
sudo apt-get install libgmp3-dev (no go on libgmp3c2)
cd cado-nfs*
make
still unable to make :
CMake Error at config/gmp.cmake:55 (message): gmp.h cannot be found. Please install Gnu MP, and specify its install prefix in local.sh
ARGH....
decrypt.py isn't really built for cryptowall anyway it looks like - but figured why not try... but not happening it looks like anyway!
« Last Edit: June 20, 2016, 12:39:06 am by viper_iii »


never

Network Administrator and Malware Researcher
Re: Old CryptoWall 2.0 Files
« Reply #1 on: June 21, 2016, 10:06:41 am »
Hello,

Yes, I understand what you were going through, I have met similar errors whilst testing the manual. But this is how ubuntu works. If you do not know what is needed, it tells you. To install the missing module simply type:

sudo apt-get install libgmp3c2 libgmp3-dev
 
If you want to do everything manually you can try with root but it isn't really advisable:
 
sudo make install

Oh yes, and if you haven't typed the following python installation command, type it:

sudo apt-get install python3 python-sqlite python-pysqlite2

Best Regards,
Never
« Last Edit: June 21, 2016, 10:08:52 am by never »
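
Added example, not part of the thread and not code from either poster: a preflight script that checks for the two failures reported above (the interpreter that runs decrypt.py cannot import Crypto.Cipher, and the cado-nfs build cannot find gmp.h) before the build is attempted. The function names and the list of include directories searched are assumptions made for this example, as is `python` being the 2.x interpreter.

```shell
#!/bin/sh
# Preflight for the decrypt.py / cado-nfs setup discussed in this thread.
# All function names are hypothetical; nothing here comes from decrypt.py or cado-nfs.

# Print the first DIR/NAME that exists; return 1 if no directory has the header.
find_header() {
    fh_name=$1; shift
    for fh_dir in "$@"; do
        if [ -n "$fh_dir" ] && [ -f "$fh_dir/$fh_name" ]; then
            printf '%s\n' "$fh_dir/$fh_name"
            return 0
        fi
    done
    return 1
}

# Print, space-separated, every named tool that is not on PATH.
missing_tools() {
    mt_out=
    for mt_tool in "$@"; do
        command -v "$mt_tool" >/dev/null 2>&1 || mt_out="$mt_out${mt_out:+ }$mt_tool"
    done
    printf '%s' "$mt_out"
}

# Succeed only if interpreter $1 can import module $2.
py_has_module() {
    "$1" -c "import $2" >/dev/null 2>&1
}

# Report what is still missing; the return value is the number of failed checks.
preflight() {
    pf_py=${1:-python}   # assumption: this is the 2.x interpreter used for decrypt.py
    pf_fail=0
    pf_tools=$(missing_tools make cmake g++ autoconf "$pf_py")
    if [ -n "$pf_tools" ]; then echo "missing tools: $pf_tools"; pf_fail=$((pf_fail + 1)); fi
    if ! py_has_module "$pf_py" Crypto.Cipher; then
        echo "$pf_py cannot import Crypto.Cipher (pycrypto is not installed for it)"
        pf_fail=$((pf_fail + 1))
    fi
    # Assumed search list: plain, multiarch (from gcc -dumpmachine) and /usr/local.
    pf_triplet=$(gcc -dumpmachine 2>/dev/null || true)
    if pf_gmp=$(find_header gmp.h /usr/include "/usr/include/$pf_triplet" /usr/local/include); then
        echo "gmp.h found: $pf_gmp"
    else
        echo "gmp.h not found in the default include directories"
        pf_fail=$((pf_fail + 1))
    fi
    return "$pf_fail"
}

preflight python || echo "preflight: $? check(s) failed"
```

If gmp.h is reported as found but the cado-nfs build still stops with the CMake error quoted above, the header is in a directory the build is not searching, which is the case the error message's hint about local.sh addresses.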