Cryptowall Trojan and Shadow Explorer

By Dr Guy on June 14, 2014 9:12:05 AM from JoeUser Forums

I recently was blessed with a user who was fooled by an email about a package and tracking.  The email of course had nothing to do with a shipping company, but contained Cryptowall, a variant of the Cryptodefender trojan.  And it was methodical.  After basically locking them out of all their databases for a day while it did its business, it popped up the obligatory message about all the files being encrypted with an RSA 2048 key, and if you did not give them $500 in bitcoins (that one was new to me, but I guess they are untraceable), you would never see your files again.

Needless to say the lady was panic stricken.  And I was ashen.  It got her computer and every shared drive on the network.  That was years worth of stuff.  She called me about 5:30 on a Thursday, and I told her to stop everything and I would start looking at it that night (thank god for Teamviewer).

It was that bad.  Every picture, word document, text file, spreadsheet, etc.  EVERYTHING.  As I said, it was methodical.

So I took a day off work, explaining to my boss what had happened, and headed over to the Church.  I had turned off the shares so that on the odd chance the trojan had left some infecting mechanism on them, none of the other 10 computers would be infected.  And started running Malwarebytes and Eset Online Scanner on every computer in safe mode (with networking).  All the other 10 computers came up clean (well, they did not have Cryptowall, but they did have other less fatal bugs).  But neither Eset nor Malwarebytes would run to conclusion on the "Trojan Prime" computer, so I worked on it over night.  I managed to get it to run to conclusion (and hence how I found it was a phony shipping company email) by limiting what it scanned for successive scans until I was able to run a complete scan.

The Trojan was gone.  But what to do about the data?  Fortunately I had set up a backup program.  A simple affair that backed up the data to a jump drive, full on Friday and then incremental the rest of the week.  Each Friday, someone was supposed to take the drive off site (home with them) and put the second drive in.  I do not know if that had been happening, but at least the backup was still running!  So I was able to restore the data on the server to the night before the infection.

But what about "Trojan Prime"?  I could see no way around it.  Her files looked like toast.  But I downloaded and ran Recuva, hoping to find some deleted files that had escaped encryption and restore them.  What I found surprised me (ok, so I am not keeping up with what Microsoft is doing).  Microsoft had ported Shadow Copy to Windows Vista (and beyond)!  I was familiar with it as I have worked with Windows 2003, but how to get to the shadow copies without doing a complete restore?

Bing (or Google - YMMV) is your friend.  Yep, I asked Bing and it told me about "Shadow Explorer".  Freeware.  So I downloaded it and gave it a shot.

And it recovered EVERYTHING (of course you do have to have System Restore turned on).  Nice little utility that I have added to my Batcomputer Utility belt!  It saved that Church's files, and is great!  I know many do not like System Restore (I have yet to have good experience with it doing anything for the "system"), but with Windows Vista and beyond, it has a nice side job that can be a real life saver.  With Shadow Explorer!

18 Replies

Uvah, June 14, 2014 9:23:53 AM from WinCustomize Forums

That's insane! Five hundred bucks would put me in a hole impossible to crawl out of. Fortunately I have nothing worth stealing. Good thing you're on top of it. 

DrJBHL, June 14, 2014 10:25:18 AM from WinCustomize Forums

but contained Cryptowall, a variant of the Cryptodefender trojan

Yep...not the only one: http://drjbhl.joeuser.com/article/453357/New_virus_CryptoDefender_is_worse_than_CryptoLocker_UPDATE

What I found surprised me (ok, so I am not keeping up with what Microsoft is doing).  Microsoft had ported Shadow Copy to Windows Vista (and beyond)! 

So glad Cryptowall didn't encode the shadow copy MS makes. You'd best enlarge the size of your allowable shadow storage or if reinfection occurs, you might not be able to recover the newer data. 

bgartlover, June 14, 2014 11:44:50 AM from WinCustomize Forums

Thanks for the alert Dr. Shared on SM.

Jafo, June 14, 2014 11:56:37 AM from WinCustomize Forums

I've had a few 'shipping notices' lately....but been binning them and adding each sender to blocked/spam list...

DrJBHL, June 14, 2014 12:49:15 PM from WinCustomize Forums

Quoting bgartlover,

Thanks for the alert Dr. Shared on SM.

Sorry for my ignorance, bgartlover...but what's SM? Skype Messenger?

starkers, June 17, 2014 1:31:27 AM from WinCustomize Forums

Quoting Jafo,

I've had a few 'shipping notices' lately....but been binning them and adding each sender to blocked/spam list...

I had a couple also... and responded the same way.  Anything like that is binned immediately, especially if I'm not expecting it or do not recognise the sender.  Even when I am expecting a delivery from an online purchase, I go directly to the shipping company's website and I'll type in my ticket number manually to avoid such issues..  Fortunately, the companies I do business with use either Australia Post or Couriers Please [which I have bookmarked for my convenience] so I'm not hunting all over the net for shipping advice, etc.

Dr Guy, June 18, 2014 3:20:49 PM from JoeUser Forums

Quoting Uvah,
Fortunately I have nothing worth stealing.

You would be surprised what you can amass in data.  It really is a good idea to use cloud storage for at least your old tax returns, emails, pictures, etc.

June 18, 2014 3:22:31 PM from JoeUser Forums

Quoting DrJBHL,
You'd best enlarge the size of your allowable shadow storage or if reinfection occurs, you might not be able to recover the newer data.

That is what I am doing.  With hard drive sizes being ridiculously large, only people storing high def video need even a fraction of it.


Sorry I missed your early column.  Or maybe not.  I might have despaired if I had read that first!
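The two posts above agree that the shadow storage quota should be raised so that older snapshots are not silently discarded. The script below is an added example, not code from the thread or from the Shadow Explorer project; it checks that System Restore is on for a drive, shows the current Volume Shadow Copy allocation, enlarges it with vssadmin, and lists the snapshots a tool like Shadow Explorer would then let you browse. The drive letter and the 15% quota are placeholders chosen for illustration; run it from an elevated PowerShell prompt on Windows Vista or later.

```powershell
# Added example (not from the thread): inspect and enlarge Volume Shadow Copy
# storage on a Windows Vista-or-later client so that "previous versions" keep
# enough history to be useful after an incident. Run elevated.
# Assumptions: $Drive and $MaxSize are placeholders; adjust to the machine.
param(
    [string]$Drive   = 'C:',
    [string]$MaxSize = '15%'   # vssadmin also accepts absolute sizes such as 40GB
)

$ErrorActionPreference = 'Stop'

# On a client, shadow copies are produced by System Restore; make sure it is
# enabled for the drive (Shadow Explorer has nothing to show otherwise).
Enable-ComputerRestore -Drive "$Drive\"

# Current quota. When the allocation is too small, the oldest snapshots are
# dropped as new writes land, which is the recovery gap the posts above warn of.
Write-Host "--- Shadow storage before resize ---"
vssadmin list shadowstorage /For=$Drive

# Raise the ceiling. /On names the volume that holds the diff area; keeping it
# on the same drive is the normal layout for a single-disk workstation.
vssadmin resize shadowstorage /For=$Drive /On=$Drive /MaxSize=$MaxSize

# Confirm the new limits through CIM (values are in bytes).
Write-Host "--- Shadow storage after resize ---"
Get-CimInstance -ClassName Win32_ShadowStorage |
    Select-Object AllocatedSpace, UsedSpace, MaxSpace

# Snapshots currently available, oldest first: these are the restore points
# a recovery tool browses for per-file "previous versions".
Write-Host "--- Existing shadow copies ---"
Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    Select-Object InstallDate, VolumeName, ID |
    Format-Table -AutoSize

# Take a fresh snapshot now that the quota allows it.
Checkpoint-Computer -Description 'Post-cleanup baseline'
```

Two practical notes: on Windows 8 and later, Checkpoint-Computer creates at most one restore point per 24 hours by default, so a second run the same day will not add a snapshot; and shadow copies live on the same disk as the data they protect and can be erased by anything running with administrator rights, so they complement the rotated off-site backup drive described in the original post rather than replacing it.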

June 18, 2014 3:23:50 PM from JoeUser Forums

Quoting Jafo,
I've had a few 'shipping notices' lately

I have been getting a lot of court notices (not too many shipping ones).  I guess it is the area you live in which tack they try.

But I know (since my wife is in the profession) that no court in the land is going to send you a notice in email!

June 18, 2014 3:24:48 PM from JoeUser Forums

Quoting DrJBHL,
Sorry for my ignorance, bgartlover...but what's SM? Skype Messenger?

I am with the Doc.  I am unfamiliar with the abbreviation.

June 18, 2014 3:25:45 PM from JoeUser Forums

Quoting starkers,
Even when I am expecting a delivery from an online purchase, I go directly to the shipping company's website


So do I - even when I know it is (or think it is) legitimate.  The website is going to be more up to date in any event.

DrJBHL, June 18, 2014 9:03:01 PM from WinCustomize Forums

Quoting Dr Guy,

Quoting Uvah, reply 1
Fortunately I have nothing worth stealing.

You would be surprised what you can amass in data.  It really is a good idea to use cloud storage for at least your old tax returns, emails, pictures, etc.

Dr Guy I hope you're joking.

NEVER put personal data, especially with your Social Security number, taxes, etc., in the Cloud! Put it on an external drive with redundancy.

June 18, 2014 9:38:12 PM from JoeUser Forums

Quoting DrJBHL,
NEVER put personal data, especially with your Social Security number, taxes, etc., in the Cloud! Put it on an external drive with redundancy.

Actually, I do have faith in the encryption of services like Mozy and Carbonite.  But no, I have not ventured there yet.  I do use an external drive, encrypted.

Besides, the NSA already has all my data.

Uvah, June 20, 2014 5:17:19 PM from WinCustomize Forums

Did you hear the one about the cheap phone from China, preinstalled with spyware? Read about it the other day.

June 20, 2014 9:29:55 PM from WinCustomize Forums

Quoting Uvah,
Did you hear the one about the cheap phone from China, preinstalled with spyware? Read about it the other day.

Same here.... read it on Yahoo7, the cheeky bastards.

I've seen quite a few cheap phones from China but I've never been tempted to go for one, not even as a cheap second/backup phone.  When it comes to things like that, I prefer to stick with brand names and tech I know, and to date I haven't recognised one single brand name of those Chinese phones I've seen advertised.

Uvah, June 21, 2014 2:56:37 AM from WinCustomize Forums

Mine is the new version of the Obama-phone. Kyocera is the manufacturer, made in Japan. When was the last time you saw anything made in Japan?

ElanaAhova, June 23, 2014 12:16:22 PM from Elemental Forums

Quoting Uvah,

... When was the last time you saw anything made in Japan?

The transistor radio I used when in grammar school.  

June 23, 2014 3:28:33 PM from JoeUser Forums

Quoting ElanaAhova,
in grammar school.

Mine was middle (Jr High) school.  I guess that makes me older than you.

WinCustomize © 2014 Stardock Corporation. All Rights Reserved.