Hello people.
A friend of mine brought his computer to me to see if I am able to clear an encrypted mess done by a virus. Is it possible to recover that encrypted data? I know it may be almost impossible due to the lack of private key but I have an app called rannohdecrypter (made by Kaspersky Labs I think) that it's able to decrypt files provided you have got any file in both encrypted/unencrypted form.
Any other ideas on how to proceed?
Depends on the variant, some of the locker viruses can be undone, others not so easily or at all. There are some keys published online for certain variants of locker viruses. Have a look here & doing a Google search on the type of locker virus may yield some results or databases with decryption keys.
Best to verify that the decrypter you are going to use is indeed made to handle that particular infection.
Locker Ransomware Information Guide and FAQ
The virus is Cryptowall v3.0
I have recovered some files by digging in the filestructure. I have now some files both encrypted and decrypted. I wish there was some sort of decrypter (à la Rannohdecrypter made by Kaspersky) that would allow to decrypt your files by providing an encrypted/decrypted pair.
I will take a look at the link you posted. Thanks.
Any more help would be greatly appreciated.
Hopefully this will aid in the decryption of the files. I wish you luck.
CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ
Recovering Files Infected By CryptoLocker Or CryptoWall - Code42 SupportWhen CryptoWall encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you can use file recovery software such as R-Studio or Photorec to possibly recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.
You might want to mention to your friend the benefits of having a system image in case this happens down the road. Keep it on a USB/HDD that is not connected to the PC/Lappy at all times. Keep several previous copies in case he inadvertently makes one with a virus. I know it doesn't help now, but in case it happens again, it can be a lifesaver for personal data.
System Image - Create in Windows 10 - Windows 10 Forums
Thanks. This shit is getting nastier every version released. v4.0 now even encrypts filenames.
It looks grim for this computer but tomorrow I am doing a full partition backup, remove any traces of virus, and give lockerunlocker a try.
I am having extra trouble because the pc is quite old (P4 2003) and it's running WinXP. There are also at least five different partitions among two physical hard drives and it's all quite messy to be honest.
Oh, bad situation. So sorry about this.
It's my understanding that the Cryptowall virus makes a copy of the file, encrypts it, then deletes the original. You may be able to get some of the files back using recovery software. However, the more you use the computer, the less likely you are to recover any files. I would remove the drive, hook it up on a USB adapter and run a recovery program (or two) on it after you make a copy of that partition. Oh, and I would recommend making a Macrium Reflect Clone, using Forensic Sector Copy, which will copy everything - even the stuff that's been deleted and is invisible to the system. Then you will have access to anything that is recoverable using a recovery program, saved as well. @Borg 386 gave you some very good links there. The guys at Bleeping Computer are your best bet for help with this. Good luck - you're gonna need it!
Yes. I have been able to recover some folders with photos using this method. In the end I have just repartitioned and reformatted it. It was really a mess, and Cryptowall wasn't the only infection present.
Thanks for all the pointers guys.
Did the rannohdecrypter work then?
I guess they would be a bit dumb to encrypt everything the same way...
Quote
