  1.    09 Dec 2015 #1
    Join Date : Jul 2015
    Posts : 860
    Windows 10 Home x64

    Recover encrypted files by virus


    Hello people.

    A friend of mine brought his computer to me to see if I am able to clear an encrypted mess done by a virus. Is it possible to recover that encrypted data? I know it may be almost impossible due to the lack of the private key, but I have an app called rannohdecrypter (made by Kaspersky Labs I think) that is able to decrypt files provided you have got any file in both encrypted/unencrypted form.

    Any other ideas on how to proceed?
  2.    10 Dec 2015 #2
    Join Date : Oct 2014
    In a house with a crazy cat trying to kill me
    Posts : 16,268
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition

    Depends on the variant, some of the locker viruses can be undone, others not so easily or at all. There are some keys published online for certain variants of locker viruses. Have a look here & doing a Google search on the type of locker virus may yield some results or databases with decryption keys.

    Best to verify that the decrypter you are going to use is indeed made to handle that particular infection.

    Locker Ransomware Information Guide and FAQ
  3.    10 Dec 2015 #3
    Join Date : Jul 2015
    Posts : 860
    Windows 10 Home x64
    Thread Starter

    The virus is Cryptowall v3.0

    I have recovered some files by digging in the file structure. I have now some files both encrypted and decrypted. I wish there was some sort of decrypter (à la Rannohdecrypter made by Kaspersky) that would allow you to decrypt your files by providing an encrypted/decrypted pair.

    I will take a look at the link you posted. Thanks.

    Any more help would be greatly appreciated.
  4.    10 Dec 2015 #4
    Join Date : Oct 2014
    In a house with a crazy cat trying to kill me
    Posts : 16,268
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition

    Hopefully this will aid in the decryption of the files. I wish you luck.

    CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ

    When CryptoWall encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you can use file recovery software such as R-Studio or Photorec to possibly recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.
    Recovering Files Infected By CryptoLocker Or CryptoWall - Code42 Support

    You might want to mention to your friend the benefits of having a system image in case this happens down the road. Keep it on a USB/HDD that is not connected to the PC/Lappy at all times. Keep several previous copies in case he inadvertently makes one with a virus. I know it doesn't help now, but in case it happens again, it can be a lifesaver for personal data.

    System Image - Create in Windows 10 - Windows 10 Forums
  5.    10 Dec 2015 #5
    Join Date : Jul 2015
    Posts : 860
    Windows 10 Home x64
    Thread Starter

    Thanks. This shit is getting nastier every version released. v4.0 now even encrypts filenames.

    It looks grim for this computer but tomorrow I am doing a full partition backup, remove any traces of virus, and give lockerunlocker a try.

    I am having extra trouble because the pc is quite old (P4 2003) and it's running WinXP. There are also at least five different partitions among two physical hard drives and it's all quite messy to be honest.
  6.    10 Dec 2015 #6
    Join Date : Apr 2015
    Posts : 12,600
    W10Prox64

    Oh, bad situation. So sorry about this.
    It's my understanding that the Cryptowall virus makes a copy of the file, encrypts it, then deletes the original. You may be able to get some of the files back using recovery software. However, the more you use the computer, the less likely you are to recover any files. I would remove the drive, hook it up on a USB adapter and run a recovery program (or two) on it after you make a copy of that partition. Oh, and I would recommend making a Macrium Reflect Clone, using Forensic Sector Copy, which will copy everything - even the stuff that's been deleted and is invisible to the system. Then you will have access to anything that is recoverable using a recovery program, saved as well. @Borg 386 gave you some very good links there. The guys at Bleeping Computer are your best bet for help with this. Good luck - you're gonna need it!
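
Added example, not part of any post in this thread: the signature-based carving that the recovery advice in posts #4 and #6 relies on, in Python, reading a copy of the disk image and never the original drive. Function names, the 20 MB size cap and the sample image are constructed for illustration; tools such as PhotoRec are far more thorough.

```python
import os

SOI = b"\xff\xd8\xff"         # JPEG start-of-image plus first byte of next marker
EOI = b"\xff\xd9"             # JPEG end-of-image marker
MAX_SIZE = 20 * 1024 * 1024   # assumed upper bound for one photo

def carve_jpegs(image, max_size=MAX_SIZE):
    """Return [(offset, data)] for each SOI..EOI span in a bytes-like disk image.

    Deleted originals stay in unallocated sectors until overwritten, so they
    can be found by signature even though the file system no longer lists them.
    Limitation: fragmented files and embedded EXIF thumbnails (an inner
    SOI/EOI pair) are not handled here.
    """
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            return found
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            # Header survived but the tail was overwritten: nothing to save.
            pos = start + len(SOI)
            continue
        end += len(EOI)
        found.append((start, bytes(image[start:end])))
        pos = end

def build_sample_image(sector=512):
    """Constructed image: two deleted photos and one header with no tail."""
    photo_a = SOI + b"\xe0" + b"A" * 700 + EOI
    photo_b = SOI + b"\xe1" + b"B" * 300 + EOI
    truncated = SOI + b"\xe0" + b"C" * 100      # overwritten after the header
    img = bytearray(sector * 16)                # zero-filled "unallocated" space
    for index, blob in ((2, photo_a), (6, photo_b), (12, truncated)):
        img[sector * index : sector * index + len(blob)] = blob
    return bytes(img), photo_a, photo_b

if __name__ == "__main__":
    import mmap, sys
    if len(sys.argv) == 3:    # usage: carve.py <image-copy> <existing-output-dir>
        with open(sys.argv[1], "rb") as f, \
             mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            for off, data in carve_jpegs(m):
                name = os.path.join(sys.argv[2], f"carved_{off:012x}.jpg")
                with open(name, "wb") as out:
                    out.write(data)
    else:
        img, _, _ = build_sample_image()
        print([(off, len(d)) for off, d in carve_jpegs(img)])
```

Write the carved files to a different disk than the one the image came from, so nothing recoverable is overwritten.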
  7.    11 Dec 2015 #7
    Join Date : Jul 2015
    Posts : 860
    Windows 10 Home x64
    Thread Starter

    Yes. I have been able to recover some folders with photos using this method. In the end I have just repartitioned and reformatted it. It was really a mess, and Cryptowall wasn't the only infection present.

    Thanks for all the pointers guys.
  8.    11 Dec 2015 #8
    Join Date : Jul 2015
    Posts : 3,655
    10 Pro

    Did the rannohdecrypter work then?

    I guess they would be a bit dumb to encrypt everything the same way...
  9.    11 Dec 2015 #9
    Join Date : Oct 2014
    In a house with a crazy cat trying to kill me
    Posts : 16,268
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition

    Originally posted by eLPuSHeR:
        Yes. I have been able to recover some folders with photos using this method. In the end I have just repartitioned and reformatted it. It was really a mess, and Cryptowall wasn't the only infection present.

        Thanks for all the pointers guys.

    Glad you got some of it back. Yeah, sounds like a mess. Don't ya love it

    I love when someone gives me a lappy & asks if I can fix it, I bring it home, fire it up & all I see is a black screen with a blinking cursor. Don't laugh, it's happened a few times
  10.    12 Dec 2015 #10
    Join Date : Jul 2015
    Posts : 860
    Windows 10 Home x64
    Thread Starter

    Originally posted by lx07:
        Did the rannohdecrypter work then?

        I guess they would be a bit dumb to encrypt everything the same way...

    No. There isn't any decryptor currently available for CryptoWall (Cryptodefense) virus. I tried several of them but they all threw some error messages at me.