Windows 10: Recover encrypted files by virus

Hello people.

A friend of mine brought his computer to me to see if I am able to clear an encrypted mess done by a virus. Is it possible to recover that encrypted data? I know it may be almost impossible due to the lack of private key but I have an app called rannohdecrypter (made by Kaspersky Labs I think) that it's able to decrypt files provided you have got any file in both encrypted/unencrypted form.

Any other ideas on how to proceed?

:)

 

.cerber3 ransomware attack my files please help me with out paying to ransomware

hi

my files are converted as a extension of .cerber3 which is a encrypted virus and it has attack my files

please help me to decrypt this extension without paying a money to ransomware please help me to recover my files by decryption

thank you

 

Getting file permission error when try access images on Windows 10

Seems as though you may have encrypted those files/folders at some point, perhaps inadvertently, or may have been done by a virus. If that is the case there is slim hope of recovering them without the original encryption key. There is some software you
can try to recover the files with though. It isn't cheap but there is a trial version you could test on your files.

Advanced EFS Data Recovery | Elcomsoft Co.Ltd.

There may be more options out there but here are some links for decrypting files that were encrypted by virus:

CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ



Cryptolocker Virus Removal: How To Decrypt or Restore Encrypted Files And Remove Ransomware Malware For Free [VIDEO]

Good luck.

 

Depends on the variant, some of the locker viruses can be undone, others not so easily or at all. There are some keys published online for certain variants of locker viruses. Have a look here & doing a Google search on the type of locker virus may yield some results or databases with decryption keys.

Best to verify that the decrypter you are going to use is indeed made to handle that particular infection.

Locker Ransomware Information Guide and FAQ

 

The virus is Cryptowall v3.0

I have recovered some files by digging in the filestructure. I have now some files both encrypted and decrypted. I wish there was some sort of decrypter ( la Rannohdecrypter made by Kaspersky) that would allow to decrypt your files by providing an encrypted/decrypted pair.

I will take a look at the link you posted. Thanks.

Any more help would be greatly appreciated.

 

Hopefully this will aid in the decryption of the files. I wish you luck.

CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ

Recovering Files Infected By CryptoLocker Or CryptoWall - Code42 Support

You might want to mention to your friend the benefits of having a system image in case this happens down the road. Keep it on a USB/HDD that is not connected to the PC/Lappy at all times. Keep several previous copies in case he inadvertently makes one with a virus. I know it doesn't help now, but in case it happens again, it can be a lifesaver for personal data.

System Image - Create in Windows 10 - Windows 10 Forums

 

Thanks. This shit is getting nastier every version released. v4.0 now even encrypts filenames.

It looks grim for this computer but tomorrow I am doing a full partition backup, remove any traces of virus, and give lockerunlocker a try.

I am having extra trouble because the pc is quite old (P4 2003) and it's running WinXP. There are also at least five different partitions among two physical hard drives and it's all quite messy to be honest.

 

Oh, bad situation. So sorry about this.
It's my understanding that the Cryptowall virus makes a copy of the file, encrypts it, then deletes the original. You may be able to get some of the files back using recovery software. However, the more you use the computer, the less likely you are to recover any files. I would remove the drive, hook it up on a USB adapter and run a recovery program (or two) on it after you make a copy of that partition. Oh, and I would recommend making a Macrium Reflect Clone, using Forensic Sector Copy, which will copy everything - even the stuff that's been deleted and is invisible to the system. Then you will have access to anything that is recoverable using a recovery program, saved as well. @Borg 386 gave you some very good links there. The guys at Bleeping Computer are your best bet for help with this. Good luck - you're gonna need it!

 

Yes. I have been able to recover some folders with photos using this method. In the end I have just repartitioned and reformatted it. It was really a mess, and Cryptowall wasn't the only infection present.

Thanks for all the pointers guys.

 

Did the rannohdecrypter work then?

I guess they would be a bit dumb to encrypt everything the same way...

 

Glad you got some of it back. Yeah, sounds like a mess. Don't ya love it *Tongue

I love when someone gives me a lappy & asks if I can fix it, I bring it home, fire it up & all I see is a black screen with a blinking cursor. Don't laugh, it's happened a few times *Mad*Rolleyes

 

No. There isn't any decryptor currently available for CrytoWall (Cryptodefense) virus. I tried several of them but they all threw some error messages at me.

 

Update:
The CryptoWall v4 is sneaky now, in that, after deleting the original file, it puts the new, encrypted file in the exact sector where the original was deleted. This makes it very difficult to recover the original deleted file.

Interestingly, there appear to be certain regions where it does not wish to attack, and if it detects these languages, it will not infect the computer: Russian, Kazakh, Ukrainian, Uzbek, Belarusian, Azeri, Armenian, Kyrgyz, Georgian.

It is also using drive-by-download techniques and the Angler Exploit Kit, which means that you can be infected simply by visiting an infected website; malicious code is executed via hidden iFrame(s) after identifying unpatched programs/browsers/add-ons, and injected into svchost.exe, bypassing the UAC when deleting all Shadow Copies if you are using an account with administrative privileges, and thus tricking many AVs in the process.

ref: Security Alert: Angler Exploit Kit Spreads CryptoWall 4.0 via New Drive-By Campaign - Heimdal Security Blog

ref: Cisco Talos Blog: Threat Spotlight: CryptoWall 4 - The Evolution Continues

 

Thanks for the info simrick.

 

*Thumbs