Windows 10: Cryptowall Ransomware

Discussion in 'AntiVirus, Firewalls and System Security' started by AllenKebba, Apr 22, 2020.

  1. Cryptowall Ransomware


    When I use sfc /scannow, windows protection control reveals that it found corrupt files and repaired them. The cbs.log indicates the RecoveryDrive.Ink was repaired.

    After that sfc and even DISM indicate everything is fine.

    When I scan using

    - Defender
    - AVAST
    - Hitmanpro
    - Malwarebytes

    All return clean and protected computer windows 10 64 1909

    However, when I use SpyHunter I get the message threat detected and the culprit is RecoveryDrive.Ink in the Windows administrator folder under start menu. It is identified as CryptoWall ransomware.

    My Windows ISO was from the MS website and this has flummoxed me. Any advice?

    :)
     
    AllenKebba, Apr 22, 2020
    #1
  2. RickCP Win User

    CryptoWall 4.0 ransomware infection

    - What anti-virus (AV) program or security suite providing real-time protection (RTP) is installed?

    - Any detection (name of detected malware) registered (most likely 'after-the-fact' [data encryption], unfortunately) in History? And what action was taken?

    HELP_YOUR_FILES.PNG, also HELP_YOUR_FILES.HTML and HELP_YOUR_FILES.TXT, are the names of the 'ransom notes' used by the most recent and current version of the CryptoWall 4.0 ransomware.

    These ransom note files should be located in every folder in which a file was encrypted, as well as in the user's Startup folder so that they are automatically displayed when a user logs in. Please post here a screenshot of same (if any is still there). If you can't find any, they probably were already removed by your AV program.

    See:
    CryptoWall 4.0 released with new Features such as Encrypted File Names


    CryptoWall 4.0 will encrypt the actual filename of an encrypted file as well as the data contained in it. The name of each file is changed into a random string of characters (for example: rhn321.1oak, 72lcvn.iv6nn, x83o8x.ux7, etc.), while the original name of the file is written inside it. The entire file gets encrypted. This makes recognizing the files almost impossible, much to the frustration of users.

    CryptoWall ransomware encrypts data using strong RSA encryption, and the free decryption of your files is impossible at present time, since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom (NOT recommended!). So no free solution (yet) is available at present time.

    Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. The more people pay the ransom, the more the attackers are encouraged to keep creating ransomware for financial gain.

    In addition, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files. Remember that you are dealing with cybercriminals.

    A repository of all current knowledge regarding CryptoWall (all versions) is provided by Lawrence Abrams (AKA Grinler) in this BC's topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ.


    Reading this Guide will help you understand what CryptoWall 4.0 does and provide information for how to deal with it.

    There is also an ongoing CryptoWall 4.0: Help_Your_Files Ransomware Support & Discussion Topic where you can ask questions and seek further assistance.

    As with most ransomware infections the best solution for dealing with encrypted data is to restore from backups. Please note that CryptoWall typically deletes all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files via System Restore or using a program like Shadow Explorer... but it never hurts to try, so as to check if the ransomware failed to do what it's supposed to do.

    If you have unsuccessfully tried the methods outlined in the guide above to restore your files, or couldn't restore them all, I would suggest you back them up on an external storage media (like an external HDD) and leave it be. Maybe a free solution is found (maybe not) in the near future... who knows!

    A free tool created by BC called 'ListCwall' shall prove to be of assistance for you to automate the finding and exporting of the list of encrypted files from an infected computer. This tool will also allow you to back up the encrypted files to another location in the event that you want to archive the encrypted files and reformat the machine.

    Regret we cannot be of much help this time. Good Luck!

    =========================================================

    You can also help spread the word so that others may contribute to:

    Help BleepingComputer Defend Freedom of Speech!

    =========================================================
     
    RickCP, Apr 22, 2020
    #2
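
The indicator described in the post above (ransom notes named HELP_YOUR_FILES.PNG, .HTML and .TXT left in every folder where a file was encrypted) can be checked for with a short script. This is an added example, not part of the original thread and not the ListCwall tool; the function names and the sample folder tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note names quoted in the post for CryptoWall 4.0 (matched case-insensitively).
NOTE_NAMES = {"help_your_files.png", "help_your_files.html", "help_your_files.txt"}

def find_note_folders(root):
    """Return {folder: [note file names]} for each folder under root holding a note."""
    hits = {}
    # Unreadable directories are skipped rather than aborting the walk.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        notes = sorted(f for f in files if f.lower() in NOTE_NAMES)
        if notes:
            hits[Path(dirpath)] = notes
    return hits

def triage(root):
    """Per affected folder, list the non-note files that need manual review.

    Encrypted files carry random names, so no name pattern is applied: the
    presence of a note marks the folder, and its other files are the candidates.
    """
    report = []
    for folder, notes in sorted(find_note_folders(root).items()):
        others = sorted(p.name for p in folder.iterdir()
                        if p.is_file() and p.name.lower() not in NOTE_NAMES)
        report.append({"folder": str(folder), "notes": notes, "review": others})
    return report

def build_sample_tree(base):
    """Constructed sample data: one affected folder and one clean folder."""
    docs = Path(base, "Documents")
    pics = Path(base, "Pictures")
    docs.mkdir()
    pics.mkdir()
    for name in ("HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML",
                 "rhn321.1oak", "72lcvn.iv6nn"):
        (docs / name).write_bytes(b"constructed sample")
    (pics / "holiday.jpg").write_bytes(b"constructed sample")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for entry in triage(build_sample_tree(tmp)):
            print(entry["folder"], entry["notes"], entry["review"])
```

An empty report only means no note files remain under the scanned root; as the post says, an AV program may already have removed them.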
  3. Smeed Win User
  4. Le Boule Win User

    Cryptowall Ransomware

    Le Boule, Apr 22, 2020
    #4