Windows WUT? A hacker encrypted everything and is now asking for money? (affected machine) CryptoWall 3.0

Eliezar
my cat :D
Joined: 1 February 2007 · Messages: 4,795
Dear all,

I got a machine where apparently all the files are corrupt. Digging around the filesystem I found a .txt called "HELP_DECRYPT".

When I read it, it contains this:

Code:
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)


What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.


How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.


What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.


For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.http://ayh2m57ruxjtwyd5.abctopayforwin.com/bN8UQ2
2.http://ayh2m57ruxjtwyd5.bcdthepaywayall.com/bN8UQ2
3.http://ayh2m57ruxjtwyd5.deballmoneypool.com/bN8UQ2
4.http://ayh2m57ruxjtwyd5.armnsoptionpay.com/bN8UQ2

If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: ayh2m57ruxjtwyd5.onion/bN8UQ2
4.Follow the instructions on the site.


IMPORTANT INFORMATION:
Your personal page: http://ayh2m57ruxjtwyd5.abctopayforwin.com/bN8UQ2
Your personal page (using TOR): ayh2m57ruxjtwyd5.onion/bN8UQ2
Your personal identification number (if you open the site (or TOR 's) directly): bN8UQ2

According to that, the files are encrypted and it will surely ask for payment on some sketchy page. Has anyone else been hit with this? :xd hahaha

K3rnelpanic
non serviam
Team member, MOD
Joined: 1 October 2007 · Messages: 6,052
OKAY, YOU'RE SCREWED :laughs
Pay up so they release the kidnapped files, blindly trusting the good will of the script kiddie :yao

Batou
%安全
Joined: 13 July 2008 · Messages: 497
The only thing I can think of that you can do is:

- Make a copy of the entire disk.
- Mount the copy read-only.
- Run software to recover deleted files.

Regards

Rudel
Retired overclocker.
Joined: 28 October 2004 · Messages: 8,727
> I didn't have the slightest idea about this

Abroad it has been around for a couple of years.. at the time I brought the subject up in the old forum:

http://www.chw.net/foro/windows-y-p...ltima-moda-los-malware-tomar-rehen-al-pc.html

This year I saw a case like this in Antofagasta... there is nothing to be done, only fall back to a backup... and if there isn't one, you could consider paying the ransom... although nothing guarantees the kidnapper will actually give you the key to decrypt the info.

Bad luck...

Rudel
Retired overclocker.
Joined: 28 October 2004 · Messages: 8,727
> The only thing I can think of that you can do is:
>
> - Make a copy of the entire disk.
> - Mount the copy read-only.
> - Run software to recover deleted files.
>
> Regards

That doesn't work.. the files are not deleted, it is their content that has been encrypted

Batou
%安全
Joined: 13 July 2008 · Messages: 497
> That doesn't work.. the files are not deleted, it is their content that has been encrypted

True, I was a bit spaced out xD!

That said, I remember reading or hearing once that there were some ransomware that were all show, i.e. they didn't really encrypt, they only changed the extension xD!

Edit: apparently there are tools to decrypt the files, I suppose for special cases (like using the same key to encrypt, which supposedly isn't the case here)

In case of infection:
  • Remove the impacted system from the network
  • Attempt to identify which variant of ransomware you are infected with.
  • Before removing the threat, create a copy if possible for later analysis, which may be needed for decryption of files.
  • If possible, use restore points or backups to return to a safe state after removing the threat.
  • If you have identified the variant of ransomware and a decrypter tool is available for it in this kit, you can attempt to utilize it.

https://bitbucket.org/jadacyrus/ransomwareremovalkit

Regards.
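The kit's first two steps (take the machine off the network, work out which variant you are dealing with) can be done against the read-only disk copy Batou suggested earlier, without touching the original. The following is an added example and not code from this thread or from the ransomware removal kit: it walks a directory tree for ransom-note filenames, attributes them to a family (HELP_DECRYPT is the name Eliezar found; the DECRYPT_INSTRUCTION mapping is this example's own assumption) and pulls the .onion address, the victim ID and the throw-away clearnet gateway domains out of the note body. The sample tree and note are constructed from the text Eliezar posted.

```python
from __future__ import annotations

import re
import tempfile
from collections import Counter
from pathlib import Path

# Note filename prefix -> family. HELP_DECRYPT is the name shown in this thread;
# the DECRYPT_INSTRUCTION mapping is an assumption of this example.
NOTE_FAMILIES = {
    "HELP_DECRYPT": "CryptoWall 3.0",
    "DECRYPT_INSTRUCTION": "CryptoWall 2.0",
}
NOTE_SUFFIXES = {".txt", ".html", ".png", ".url"}

ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b")   # v2 onion names: 16 base32 chars
VICTIM_ID_RE = re.compile(r"identification number[^:\n]*:\s*([A-Za-z0-9]+)")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)/", re.IGNORECASE)
FAMILY_RE = re.compile(r"CryptoWall\s+\d+(?:\.\d+)?", re.IGNORECASE)

# Constructed sample: the relevant lines of the note Eliezar posted.
SAMPLE_NOTE = """\
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
1.http://ayh2m57ruxjtwyd5.abctopayforwin.com/bN8UQ2
2.http://ayh2m57ruxjtwyd5.bcdthepaywayall.com/bN8UQ2
3.http://ayh2m57ruxjtwyd5.deballmoneypool.com/bN8UQ2
4.http://ayh2m57ruxjtwyd5.armnsoptionpay.com/bN8UQ2
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
3.Type in the address bar: ayh2m57ruxjtwyd5.onion/bN8UQ2
Your personal identification number (if you open the site (or TOR 's) directly): bN8UQ2
"""


def classify_note(filename: str) -> str | None:
    """Map a filename to a ransomware family, or None if it is not a known note."""
    path = Path(filename)
    if path.suffix.lower() not in NOTE_SUFFIXES:
        return None
    stem = path.stem.upper()
    for prefix, family in NOTE_FAMILIES.items():
        if stem.startswith(prefix):
            return family
    return None


def parse_note(text: str) -> dict:
    """Pull the indicators an analyst wants out of a note body."""
    onion = ONION_RE.search(text)
    label = onion.group(1) if onion else None
    victim = VICTIM_ID_RE.search(text)
    family = FAMILY_RE.search(text)
    # Clearnet "gateway" hosts are <onion label>.<disposable domain>; this filter
    # drops the Wikipedia and torproject links that also appear in the note.
    gateways = sorted({h.lower() for h in HOST_RE.findall(text)
                       if label and h.lower().startswith(label + ".")})
    return {
        "family": family.group(0) if family else None,
        "onion": f"{label}.onion" if label else None,
        "victim_id": victim.group(1) if victim else None,
        "gateways": gateways,
    }


def triage(root: Path) -> dict:
    """Walk a read-only copy of the disk: where are the notes, and what do they say."""
    notes = [p for p in root.rglob("*") if p.is_file() and classify_note(p.name)]
    indicators = None
    for note in notes:
        if note.suffix.lower() == ".txt":          # the .txt copy is the easiest to parse
            indicators = parse_note(note.read_text(encoding="utf-8", errors="replace"))
            break
    return {
        "note_count": len(notes),
        "families": dict(Counter(classify_note(p.name) for p in notes)),
        "hit_directories": sorted({p.parent.relative_to(root).as_posix() for p in notes}),
        "indicators": indicators,
    }


def build_sample_tree(root: Path) -> None:
    """Lay down a constructed victim tree: a note pair in each hit directory plus one data file."""
    for rel in ("Documents", "Pictures/2014"):
        folder = root / rel
        folder.mkdir(parents=True, exist_ok=True)
        for suffix in (".txt", ".html"):
            (folder / f"HELP_DECRYPT{suffix}").write_text(SAMPLE_NOTE, encoding="utf-8")
    (root / "Documents" / "budget.xlsx").write_bytes(b"\x00" * 64)  # stand-in for an encrypted file


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)
```

Point `triage()` at the mounted copy (or call `demo()` to see it run on the constructed tree). The onion name, the victim ID and the gateway domains are what you would search a decryption-tool index or vendor write-ups for; the list of hit directories tells you how far the encryption got, which matters when deciding whether shadow copies or a recent backup are worth trying.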

wurrzag
Hippie cyclist
Joined: 30 May 2006 · Messages: 8,835
There are some utilities and sites that offer to decrypt the files; from what I remember when I read about it, you upload a file to them to see whether they have the key.

Gen1us
VCP
Joined: 16 October 2012 · Messages: 1,358
STEP 1: Remove CryptoWall 3.0 virus with Malwarebytes Anti-Malware Free
Malwarebytes Anti-Malware Free uses industry-leading technology to detect and remove all traces of malware, including worms, Trojans, rootkits, rogues, dialers, spyware, and more.
It is important to note that Malwarebytes Anti-Malware works well and should run alongside antivirus software without conflicts.

  1. You can download Malwarebytes Anti-Malware from the below link.
    MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This link will open a new web page from where you can download “Malwarebytes Anti-Malware Free”)
  2. Once downloaded, close all programs, then double-click on the icon on your desktop named “mbam-setup” to start the installation of Malwarebytes Anti-Malware.
    You may be presented with a User Account Control dialog asking you if you want to run this file. If this happens, you should click “Yes” to continue with the installation.
  3. When the installation begins, you will see the Malwarebytes Anti-Malware Setup Wizard which will guide you through the installation process.
    To install Malwarebytes Anti-Malware on your machine, keep following the prompts by clicking the “Next” button.
  4. Once installed, Malwarebytes Anti-Malware will automatically start and you will see a message stating that you should update the program, and that a scan has never been run on your system. To start a system scan you can click on the “Scan Now” button.
  5. Malwarebytes Anti-Malware will now start scanning your computer for the CryptoWall 3.0 virus.
  6. When the scan has completed, you will be presented with a screen showing you the malware infections that Malwarebytes Anti-Malware has detected. To remove the malicious programs that Malwarebytes Anti-Malware has found, click on the “Remove Selected” button.
    Please note that the infections found may differ from case to case.
  7. Malwarebytes Anti-Malware will now quarantine all the malicious files and registry keys that it has found. When removing the files, Malwarebytes Anti-Malware may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot your computer, please allow it to do so.
    After your computer restarts, you should open Malwarebytes Anti-Malware and perform another “Threat Scan” to verify that there are no remaining threats.

STEP 2: Double-check for the “CryptoWall 3.0” malware infection with HitmanPro
HitmanPro is a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti-virus software, firewalls, etc.). HitmanPro is designed to work alongside existing security programs without any conflicts. It scans the computer quickly (less than 5 minutes) and does not slow down the computer.

  1. You can download HitmanPro from the below link:
    HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download “HitmanPro”)
  2. Double-click on the file named “HitmanPro.exe” (for 32-bit versions of Windows) or “HitmanPro_x64.exe” (for 64-bit versions of Windows). When the program starts you will be presented with the start screen.
    Click on the “Next” button to install HitmanPro on your computer.
  3. HitmanPro will now begin to scan your computer for CryptoWall 3.0 malicious files.
  4. When it has finished it will display a list of all the malware that the program found. Click on the “Next” button to remove the CryptoWall 3.0 virus.
  5. Click on the “Activate free license” button to begin the free 30-day trial, and remove all the malicious files from your computer.
In some cases you may need to change your wallpaper, and delete the harmless Save_Files, DECRYPT_INSTRUCTIONS.txt and DECRYPT_INSTRUCTIONS.html files.

B. How to (try to) restore your files encrypted by CryptoWall 3.0 ransomware
In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files.

Option 1: Restore your files encrypted by CryptoWall 3.0 ransomware with ShadowExplorer
CryptoWall 3.0 will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so you should continue to try restoring your files using this method.

  1. You can download ShadowExplorer from the below link:
    SHADOW EXPLORER DOWNLOAD LINK (This link will open a new web page from where you can download “ShadowExplorer”)
  2. Once you have downloaded and installed ShadowExplorer, you can follow the below video guide on how to restore your files while using this program.
Alternatively, you can use System Restore to try to recover the encrypted documents.

Option 2: Restore your files encrypted by CryptoWall 3.0 ransomware with File Recovery Software
When CryptoWall 3.0 encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you can use file recovery software such as:

  • Recuva
    You can follow the below guide on how to use Recuva:

dwyer
Sound tech / computer guy
Joined: 10 May 2005 · Messages: 2,701
I remember I recovered data with Shadow Explorer, but afterwards I had to reinstall, the OS was left pretty wrecked.
Although I think that was CryptoLocker.

Regards

galansinchance
alienated
Joined: 3 January 2006 · Messages: 7,424
Damn, until now I had only heard about cases like this..

Just brute-force the decryption on a GPU and hope that in a couple of years you manage to hit the key..

Eliezar
my cat :D
Joined: 1 February 2007 · Messages: 4,795
That Malwarebytes junk is useless.

If they really are encrypted, these programs have nothing to do with it.
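Eliezar's point (a malware scanner does nothing for content that really is encrypted) and Batou's earlier remark about fake ransomware that only renames files come down to the same check on the disk copy: does a suspect file still start with its format's header, and how random does its content look? Ciphertext has no recognisable header and close to 8 bits of entropy per byte; a merely renamed document keeps its magic bytes. The following is an added example, not code from this thread; the magic-byte table and the 7.5 bits/byte cut-off are this example's own choices, and the "ciphertext" sample is seeded pseudo-random bytes standing in for real encrypted output.

```python
from __future__ import annotations

import math
import random
from collections import Counter

# Header signatures for common document types. Constructed table for this example;
# extend it with whatever formats the affected machine actually holds.
MAGIC: dict[bytes, str] = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"PK\x03\x04": "zip container (docx/xlsx/pptx/odt)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy doc/xls/ppt)",
}

# Bits per byte above which a buffer looks like ciphertext or compressed data.
# Plain text sits around 4-5, native code around 6; 7.5 is a conventional cut-off
# (an assumption of this example, not a hard rule).
RANDOM_THRESHOLD = 7.5
SAMPLE_WINDOW = 4096  # the first 4 KiB is enough for a verdict


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data: bytes) -> str | None:
    """Return the format whose header the buffer starts with, or None."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def assess(data: bytes) -> dict:
    """Decide whether a suspect file is really encrypted or merely renamed."""
    head = data[:SAMPLE_WINDOW]
    magic = identify_magic(head)
    entropy = shannon_entropy(head)
    if magic is not None:
        verdict = "renamed_only"         # header intact: rename it back, the content is fine
    elif entropy >= RANDOM_THRESHOLD:
        verdict = "likely_encrypted"     # no header and near-uniform byte distribution
    else:
        verdict = "unknown_low_entropy"  # not ciphertext; truncated or an unknown format
    return {"magic": magic, "entropy": round(entropy, 2), "verdict": verdict}


# --- constructed samples, not files from the affected machine ---------------------
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 40
PLAIN_TEXT = b"quarterly budget, revised again and again; " * 100
# Seeded PRNG output stands in for ciphertext so the run is deterministic.
FAKE_CIPHERTEXT = random.Random(7).randbytes(SAMPLE_WINDOW)


def demo() -> dict[str, dict]:
    """Run the three constructed samples through assess()."""
    return {
        "budget.pdf.locked": assess(FAKE_PDF),   # extension changed, bytes untouched
        "budget.pdf": assess(FAKE_CIPHERTEXT),   # name kept, bytes replaced
        "notes.txt": assess(PLAIN_TEXT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} entropy={result['entropy']:.2f} magic={result['magic']} -> {result['verdict']}")
```

Two caveats when reading the verdicts: formats that are already compressed or encrypted (zip containers, JPEGs, password-protected archives) also sit near 8 bits/byte, which is why the header check runs first; and a file with an intact header can still have its tail overwritten, so spot-check a few recovered documents by opening them rather than trusting the header alone.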