Updated CryptoWall 2.0 ransomware released that makes it harder to recover files

to add to the above in my hunting around I am seeing an unusual registry key when I expand the hkey_current_user/software

 

{b2cb09ff-2453-4f85-9F40-21C05BE4CBA8}

with another key just under it with 67CD7F79024E40832CD96772690BA4

 

Interestingly when I click on the second one which has a + in front of it,it expands and then clicking on the info under it  the registry freezes.

 

Does this ring a bell with anyone  ?

Hi casey 145, just checking the boxes, but have you read through and worked through all the processes included in this topic here?

 

It is the source for the screenshots Grinler posted at the beginning of this topic.

 

Sorry I can't help further as I am only using Linux.

 

Good luck

 

Okay, my next question is, what does this infection look like BEFORE it is launched and parents itself on a system?  I've read from malware site that they can eliminate it, (but not decrypt your files) and only after it infects a machine.  What does this look like BEFORE it is launched and what anti virus catches it... eg. what can scan this as a 'bad pdf' and recognize the threat?

We all know what it looks like AFTER it's hit, leaving the three main files in every encryped directory.  What program will catch this sucker before it launches?

Sorry I can't answer Netflyer165's question (yet), but this may be of some assistance to Australian members, I have not seen it elsewhere:

 

 

In September 2014, another CryptoLocker clone, along with a similar worm named "CryptoWall", began spreading in Australia; the ransomware uses infected e-mails, purportedly sent by Australia Post to indicate a failed parcel delivery, as a payload. To evade detection by automatic e-mail scanners, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded. Symantec determined that these new variants, which it identified as "CryptoLocker.F", were again, unrelated to the original CryptoLocker due to differences in their operation.^{[18][19][20][21]}

 

This is a small part of a Wikipedia article found here.

 

Okay, my next question is, what does this infection look like BEFORE it is launched and parents itself on a system?  I've read from malware site that they can eliminate it, (but not decrypt your files) and only after it infects a machine.  What does this look like BEFORE it is launched and what anti virus catches it... eg. what can scan this as a 'bad pdf' and recognize the threat?
We all know what it looks like AFTER it's hit, leaving the three main files in every encryped directory.  What program will catch this sucker before it launches?

They are typically emails that pretend to be from a business that people commonly work with. UPS, Fedex, Xerox, etc. They contain zips that pretend to be scans, business correspondences, tracking information, etc. Inside the zip files are files that have a PDF icon, but are actually executables with .exe, .scr, etc extensions. The file would be named something like shipping-confirmation.pdf.scr. As Windows does not show extensions by default, the file would just look like shipping-confirmation.pdf, so people assume its a PDF file. When you double-click on it to open it, it infects your computer and then deletes itself.

All mainstream antivirus programs will detect it. Unfortunately, these malware developers commonly change their executables so that they elude detection by an anti-virus software. This makes it so the AV companies are constantly playing a catchup game trying to make sure the latest versions are in the definitions. With that said, no AV is perfect and there is no one product that will always protect you from new threats.

Just finished decrypting the files on the one machine that got hit. Had to pay $750 1.9 bit coins. After converting the money, the bit coin value dropped and it was showing 2.1 bit coins, but they still accepted the payment of 1.9. After payment the personal TOR web site changes to payment confirmation, and a download link for decrypter.zip. Decrypting took about 20 minutes for the whole computer. It looks like they got in by sending mass emails, mentioning something like "ADP invoice week ending 14/10/2014" with an attached .zip file that contains an .exe . The user double clicked true the attachment without reading anything. CryptoWall 2.0 seems to start of slowly and invisibly. Once it has everything (.txt .jpg .xlsx .mdb) encrypted, it stops encrypting and starts asking for the ransom. It does not seem to damage windows, so the computer stays usable. I have copies of the original ransom-ware and the decrypter if anyone cares, but I doubt there is anything useful in the compiled code.

 

Measures taken after incident:

Disabled most incoming email attachments on company emails by file extension (.zip .rar and few other, set to quarantine just in case legit emails get blocked).

Changed anti-virus to Avast with email scan engine.

Changed group policy to not allow code execution from most locations that crypto-ransom software likes to start in (example, temp folder) using CryptoPrevent free software made by foolibleep(set to Maximum).

Enabled remote user file backup (weekly full backups, with incremental daily, and 2 week retention)(Symantec Backup Exec 2012 sp3). 

...please comment if there is something more that can be done in this domain, windows 7 environment. 

Just finished decrypting the files on the one machine that got hit. Had to pay $750 1.9 bit coins. After converting the money, the bit coin value dropped and it was showing 2.1 bit coins, but they still accepted the payment of 1.9. After payment the personal TOR web site changes to payment confirmation, and a download link for decrypter.zip. Decrypting took about 20 minutes for the whole computer. It looks like they got in by sending mass emails, mentioning something like "ADP invoice week ending 14/10/2014" with an attached .zip file that contains an .exe . The user double clicked true the attachment without reading anything. CryptoWall 2.0 seems to start of slowly and invisibly. Once it has everything (.txt .jpg .xlsx .mdb) encrypted, it stops encrypting and starts asking for the ransom. It does not seem to damage windows, so the computer stays usable. I have copies of the original ransom-ware and the decrypter if anyone cares, but I doubt there is anything useful in the compiled code.

 

Measures taken after incident:

Disabled most incoming email attachments on company emails by file extension (.zip .rar and few other, set to quarantine just in case legit emails get blocked).

Changed anti-virus to Avast with email scan engine.

Changed group policy to not allow code execution from most locations that crypto-ransom software likes to start in (example, temp folder) using CryptoPrevent free software made by foolibleep(set to Maximum).

Enabled remote user file backup (weekly full backups, with incremental daily, and 2 week retention)(Symantec Backup Exec 2012 sp3). 

...please comment if there is something more that can be done in this domain, windows 7 environment. 

I think you have done all the right things.  I wrestled with the idea of paying the ransom but I had enough of a backup and I was worried that would just be the beginning, if I negotiated with the bad guys they would own me after that...

I would use Maleware Antibytes instead of Avast... just my two cents...  Microsoft Security essentials and Maleware Antibytes... My users still dont' pay attention and click through warnings, no matter what I choose...

It seems if you block .exe's and such that it won't matter cause these files are .exe.scr  they use fake extensions to fool the users.  I think the Policy you put in place will do very well to prevent future attacks, even if the bug is still on a machine...

As for the decrypt key, this new version of the bug is personal and the decrypt is Per user, it encrypts based on YOUR machine with your IP in the encryption... from what I can see, it's totally unique to each infected party.  This is the worst bug, I'm worried it hits something way more important to society than our pics...

Edited by Netflyer165, 20 October 2014 - 07:27 PM.

So I got hit with this last week and have been messing around with idea's on how to decrypt my files. Today I noticed at the top of the payment webpage, there is a link to decrypt one file for free.

 

 

 

I am no expert at all but can this be used in any way to decrypt the rest of my files? I have not used it yet and I still have 44~ hours till the timer expires.

No, you can't use that for the rest of your files.  I tried ...  I didn't pay the ransom though because what's to say they don't hit you again?  

 

Showing us one file is like showing us the finger of the kidnapped victim.  It is diabolical and I can't believe can't be found and shut down.  They have a HELP DESK... I mean come on...

Now this bug has made it to Network TV and I'm appalled.   The Good Wife featured this bug last night on their show and frankly that gives notoriety and encouragement to the bad guys, don'tcha think?  Also it makes the good guys really feel like they have failed at their jobs... Never glorify, even in a negative manner, something like this!  OMG!

Just finished decrypting the files on the one machine that got hit. Had to pay $750 1.9 bit coins. After converting the money, the bit coin value dropped and it was showing 2.1 bit coins, but they still accepted the payment of 1.9. After payment the personal TOR web site changes to payment confirmation, and a download link for decrypter.zip. Decrypting took about 20 minutes for the whole computer. It looks like they got in by sending mass emails, mentioning something like "ADP invoice week ending 14/10/2014" with an attached .zip file that contains an .exe . The user double clicked true the attachment without reading anything. CryptoWall 2.0 seems to start of slowly and invisibly. Once it has everything (.txt .jpg .xlsx .mdb) encrypted, it stops encrypting and starts asking for the ransom. It does not seem to damage windows, so the computer stays usable. I have copies of the original ransom-ware and the decrypter if anyone cares, but I doubt there is anything useful in the compiled code.

 

Measures taken after incident:

Disabled most incoming email attachments on company emails by file extension (.zip .rar and few other, set to quarantine just in case legit emails get blocked).

Changed anti-virus to Avast with email scan engine.

Changed group policy to not allow code execution from most locations that crypto-ransom software likes to start in (example, temp folder) using CryptoPrevent free software made by foolibleep(set to Maximum).

Enabled remote user file backup (weekly full backups, with incremental daily, and 2 week retention)(Symantec Backup Exec 2012 sp3). 

...please comment if there is something more that can be done in this domain, windows 7 environment. 

so can the download purchased be shared to decrypt others files?

I'm researching the use of bitcoin in cyber crimes as part of my master's degree research.  If you're willing, would you mind messaging me the bitcoin address they're asking you to pay to or the tor html link (ex: https://paytordmbdekmizq.tor4pay.com/gLsmm) that they want to you pay at?  I'd greatly appreciate it.  Gathering bitcoin addresses helps me create a signature to use.  Thanks!

Edited by crypt_research, 21 October 2014 - 08:42 PM.

 

Just finished decrypting the files on the one machine that got hit. Had to pay $750 1.9 bit coins. After converting the money, the bit coin value dropped and it was showing 2.1 bit coins, but they still accepted the payment of 1.9. After payment the personal TOR web site changes to payment confirmation, and a download link for decrypter.zip. Decrypting took about 20 minutes for the whole computer. It looks like they got in by sending mass emails, mentioning something like "ADP invoice week ending 14/10/2014" with an attached .zip file that contains an .exe . The user double clicked true the attachment without reading anything. CryptoWall 2.0 seems to start of slowly and invisibly. Once it has everything (.txt .jpg .xlsx .mdb) encrypted, it stops encrypting and starts asking for the ransom. It does not seem to damage windows, so the computer stays usable. I have copies of the original ransom-ware and the decrypter if anyone cares, but I doubt there is anything useful in the compiled code.

 

Measures taken after incident:

Disabled most incoming email attachments on company emails by file extension (.zip .rar and few other, set to quarantine just in case legit emails get blocked).

Changed anti-virus to Avast with email scan engine.

Changed group policy to not allow code execution from most locations that crypto-ransom software likes to start in (example, temp folder) using CryptoPrevent free software made by foolibleep(set to Maximum).

Enabled remote user file backup (weekly full backups, with incremental daily, and 2 week retention)(Symantec Backup Exec 2012 sp3). 

...please comment if there is something more that can be done in this domain, windows 7 environment. 

so can the download purchased be shared to decrypt others files?

 

The download includes the decryptor program and 2 files with keys. Those keys only fit the locks placed on our files. Each computer infected gets a unique identifier that is used to pay and received the decryptor.

Just fought with this on a server.  The good news is, if it is infected/encrypted from a work station, you can restore the data from a shadow volume.  Worked perfectly.  Now to find the workstation.

I came in to work this morning to discover that we are now having this problem with an external hard drive that we use to share files between work stations.  All of the common files on the drive are corrupted.  I cannot, however, find the computer that acted as the source of the malware.  Is it possible for this to have only infected the external drive without having impacted one of the computers?  Can someone tell me how I might be able to find the source computer?  Please assume that I know very little about computers if you try to help.  I am the default IT guy just because I am the only one under the age of 50, not because I actually know anything about computers.  Thanks.