Oh Dear, just had someone contact us whom has CryptoWall. All their work files are encrypted.
Looks like a staff member opened an attachment through Hotmail.
This Symantec link eludes to a new variant. http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99
This particular infection looks different to the previous ones. Still digging through it to figure out what the deal is. We have recovered 99% of their data from backups and Volume Shadow Copy.
Here’s the file placed in various folders on thir server
BD995470B3904425B4FEAE109E797A49
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 – public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.https://kpai7ycr7jxqkilp.enter2tor.com/9R08
2.https://kpai7ycr7jxqkilp.tor2web.org/9R08
3.https://kpai7ycr7jxqkilp.onion.to/9R08
If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: kpai7ycr7jxqkilp.onion/9R08
4.Follow the instructions on the site.
IMPORTANT INFORMATION:
Your personal page: https://kpai7ycr7jxqkilp.enter2tor.com/9R08
Your personal page (using TOR): kpai7ycr7jxqkilp.onion/9R08
Your personal identification number (if you open the site (or TOR ‘s) directly): 9R08
#1 by mickyj on June 26, 2014 - 5:29 pm
Quote
A list of encrypted files is on the infected machine, within the registry. It is in HKEY_CURRENT_USER\Software\XXXXXXXXXXXXXXXXXX\cryptlist
The following three files popup on the infected machine once the encryption is done.
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.URL
They are on the desktop and all through the local systems hard drive, user profiles and the server mapped drives.
It encrypted the usual fles, Office documents, PDF files etc
#2 by mickyj on June 27, 2014 - 7:31 pm
Quote
This comes down in an email like
From: Bankline.Administrator@rbs.co.uk [Bankline.Administrator@rbs.co.uk]
Date: 26 June 2014
Subject: Outstanding invoice
Dear Cathy,
Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
http://figarofinefood.com/share/document-128_712.zip
I would be grateful if you could look into this matter and advise on an expected payment date .
Many thanks
Max Francis
Credit Control
Tel: 0845 300 2952
The file at http://figarofinefood.com/share/document-contains document-128_712.scr which is the virus.
Looks like once this virus is done, it remove’s itself and only leaves the decrypt instruction files behind.
#3 by mickyj on June 27, 2014 - 10:43 pm
Quote
Looks like this might have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. It may also be designed to specifically steal your facebook and other social network log in details.
#4 by mickyj on June 30, 2014 - 2:04 pm
Quote
Analysis of the file calles document-128_712.scr in the zip file https://www.virustotal.com/en-gb/file/ab89a375ba9a0ec6ddc875ddde7647c4d2a140b07233580b143e0ca9aaf581f5/analysis/
#5 by mickyj on June 30, 2014 - 2:07 pm
Quote
Analysis of the Zip file document-128_712.zip https://www.virustotal.com/en/file/d15fb5347bdadaef584d4c1183c7f6e13ec751aff46936b8398ba98aa7917405/analysis/
#6 by mickyj on June 30, 2014 - 2:09 pm
Quote
It seems that the document-128_712.scr file renames to a short exe with random file name and places itself into the startup group of the PC, The random name is a shortened version of the key in the registry where it stores all teh names of the files it encryptes. After the scr file is activated, it deletes itself. After the encrypting is done, the exe deletes itself.
#7 by mickyj on June 30, 2014 - 3:54 pm
Quote
Ok, so now I am going to download Cryptowall to a test machine running Process Monitor and Wireshark.
#8 by Vinny Troia on February 16, 2015 - 1:29 pm
Quote
Hey Micky – Trying to contact you. Can you please email me at the included email address? Thanks