

After a brief hiatus malware developers release CryptoWall 3.0


274 replies to this topic

#46 Grinler (Lawrence Abrams) - Topic Starter, Admin, 45,363 posts, Location: USA

Posted 03 February 2015 - 11:28 AM

Should not be any autostarts



#47 White Hat Mike - Members, 312 posts, Location: ::1

Posted 03 February 2015 - 11:45 AM

Should not be any autostarts

 

Autostart entries have been removed, as has the file dropped within the Startup folder.

 

However, some odd things... the CryptoWall 3.0 executable that resides on the machine, while it could be spoofed, has Created and Accessed timestamps of "1/22/15 1:48pm". There are several ransom notes that were dropped on 1/17/2015. However, the registry keys added by CryptoWall 3.0, containing the ransom note text and the list of encrypted files, were last modified at 1:48pm and 9:14pm respectively, both on 1/22/15.

 

The path of the executable with what appears to be the CryptoWall 3.0 payload is consistent with other CryptoWall infections: C:\<random>\<random>.exe

 

Grinler, have you received a submission of a CryptoWall 3.0 binary yet?  If not, would you like me to submit it for review?

 

EDIT: I can also provide the sandbox analysis reports (WildFire, Joe Sandbox) if needed.


Edited by White Hat Mike, 03 February 2015 - 11:46 AM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
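The timestamp discrepancy White Hat Mike describes above (ransom notes dated 1/17, payload Created/Accessed and the note-text key at 1:48pm on 1/22, the encrypted-file-list key at 9:14pm the same day) is the kind of thing a triage script should surface automatically. The following is an added example, not code from the thread or from BleepingComputer: it builds a sorted timeline from those observations and flags the two things worth noting, that the notes predate the payload's Created time (so the timestamp may have been altered, or something else ran first) and that the file-list key kept being written for hours after the note text. All timestamps are constructed from the post (the ransom notes' time of day is an assumption, since the post gives only the date), and every file and registry path is a placeholder rather than a real indicator. The path heuristic at the end only encodes the C:\<random>\<random>.exe pattern from the post.

```python
# Added example, not code from the thread. Turns the artifact timestamps from
# post #47 into a sorted timeline and flags the inconsistency noted there.
# Timestamps are constructed from the post; every path is a placeholder.
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Artifact:
    kind: str    # "file" or "registry"
    path: str    # placeholder path (constructed, not a real indicator)
    role: str    # payload, ransom_note, note_text_key, file_list_key
    event: str   # created / accessed / modified / last_write
    when: datetime


# Constructed from post #47. The ransom notes' time of day was not given, so
# 09:00 is an assumption; the other timestamps are as reported in the post.
PAYLOAD = r"C:\<random>\<random>.exe"
ARTIFACTS = [
    Artifact("file", PAYLOAD, "payload", "created", datetime(2015, 1, 22, 13, 48)),
    Artifact("file", PAYLOAD, "payload", "accessed", datetime(2015, 1, 22, 13, 48)),
    Artifact("file", r"C:\Users\<user>\Documents\<ransom note>.txt",
             "ransom_note", "created", datetime(2015, 1, 17, 9, 0)),
    Artifact("file", r"C:\Users\<user>\Pictures\<ransom note>.txt",
             "ransom_note", "created", datetime(2015, 1, 17, 9, 0)),
    Artifact("registry", r"HKCU\<CryptoWall key>\<note text value>",
             "note_text_key", "last_write", datetime(2015, 1, 22, 13, 48)),
    Artifact("registry", r"HKCU\<CryptoWall key>\<encrypted file list>",
             "file_list_key", "last_write", datetime(2015, 1, 22, 21, 14)),
]


def timeline(artifacts):
    """Chronological (when, role, event, path) tuples; ties keep input order."""
    return sorted(((a.when, a.role, a.event, a.path) for a in artifacts),
                  key=lambda t: t[0])


def find_anomalies(artifacts):
    """Human-readable findings; an empty list means the timestamps are consistent."""
    findings = []
    by_role = {}
    for a in artifacts:
        by_role.setdefault(a.role, []).append(a)

    # Notes written before the payload existed: either the payload's file
    # timestamp was altered or an earlier component did the dropping.
    payload_created = min((a.when for a in by_role.get("payload", [])
                           if a.event == "created"), default=None)
    first_note = min((a.when for a in by_role.get("ransom_note", [])), default=None)
    if payload_created and first_note and first_note < payload_created:
        findings.append(
            f"ransom notes predate the payload's Created timestamp by "
            f"{payload_created - first_note}: the file timestamp may have been "
            "altered or an earlier dropper ran")

    # The file list key being written long after the note text key shows how
    # long encryption kept running; useful for scoping which files were hit.
    note_key = max((a.when for a in by_role.get("note_text_key", [])), default=None)
    list_key = max((a.when for a in by_role.get("file_list_key", [])), default=None)
    if note_key and list_key and list_key > note_key:
        findings.append(
            f"encrypted-file list key was still being written {list_key - note_key} "
            "after the note text key: encryption ran for at least that long")
    return findings


# Heuristic from post #47: an executable exactly one directory below the drive
# root, outside the usual system directories. Use it to prioritise files for
# review, not as proof of infection.
_DROPPER_PATH = re.compile(r"^[A-Za-z]:\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
_KNOWN_TOP_DIRS = {"windows", "program files", "program files (x86)",
                   "users", "programdata"}


def matches_dropper_path(path):
    m = _DROPPER_PATH.match(path)
    return bool(m) and m.group(1).lower() not in _KNOWN_TOP_DIRS


if __name__ == "__main__":
    for when, role, event, path in timeline(ARTIFACTS):
        print(f"{when:%Y-%m-%d %H:%M}  {role:<14} {event:<10} {path}")
    for finding in find_anomalies(ARTIFACTS):
        print("FINDING:", finding)
    print("payload path matches heuristic:", matches_dropper_path(PAYLOAD))
```

On a real case the `ARTIFACTS` list would be filled from the file system and registry hive rather than typed in; the point of keeping the analysis in pure functions is that the same checks can be re-run as more timestamps (shadow copy deletion, the Startup folder drop, browser crash logs) are collected.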


#48 Grinler (Lawrence Abrams) - Topic Starter, Admin, 45,363 posts, Location: USA

Posted 03 February 2015 - 11:51 AM

That's alright. Thanks for the offer.

Have a ton of em :) I used one when I wrote this article :)

#49 White Hat Mike - Members, 312 posts, Location: ::1

Posted 03 February 2015 - 11:53 AM

That's alright. Thanks for the offer.

Have a ton of em :) I used one when I wrote this article :)

 

Alright, no worries.  Wasn't sure if there were many 3.0 binaries submitted yet.

 

I posted a summary of analysis in the other thread.  Your articles, as always, are very helpful and in-depth, but I do think some stuff can be slightly tweaked and/or added...  but hey, let's just focus on developing new methods of prevention.   :thumbup2:


Edited by White Hat Mike, 03 February 2015 - 11:54 AM.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#50 RobertHD - Members, 348 posts, Location: Somewhere in Oz

Posted 13 February 2015 - 06:18 AM

Um, I might know a website, but I think it will be too risky. I think last year I was at school trying to download samples of viruses to test what they did against my PC.

The website is vx-archiv.at and I don't think it has CryptoLocker on it. I'll try to search on my main PC right now; first I need the virus signature, for example: Trojan.XXXXXX.XX

Would anyone help?


Robert James Crawley Klopp


#51 RobertHD - Members, 348 posts, Location: Somewhere in Oz

Posted 14 February 2015 - 01:21 AM

Anybody got a sample? I've got an old PC and I want to infect it and have a look at it.


Robert James Crawley Klopp


#52 Alphafighter09 - Members, 2 posts

Posted 18 February 2015 - 04:48 PM

So is there a way now to fix the virus? I got it, sadly, and it encrypted all my photos, music and some Word documents. I'm really sad and scared. I ran 2 scans with my antivirus (Malwarebytes and ESET scan); they took off the virus, I think, because they found a lot of bad things in my AppData Temp and I deleted them, and I think it's off my PC now, but all my things are encrypted. Is there a way to fix it now? Please help, I'm scared, idk why.



#53 White Hat Mike - Members, 312 posts, Location: ::1

Posted 18 February 2015 - 04:51 PM

So is there a way now to fix the virus? I got it, sadly, and it encrypted all my photos, music and some Word documents. I'm really sad and scared. I ran 2 scans with my antivirus (Malwarebytes and ESET scan); they took off the virus, I think, because they found a lot of bad things in my AppData Temp and I deleted them, and I think it's off my PC now, but all my things are encrypted. Is there a way to fix it now? Please help, I'm scared, idk why.

 

As has been said numerous times throughout this and many other threads, there is no method of decryption available for this ransomware aside from paying the ransom and hoping to receive a working decryption utility (although this is not recommended).


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#54 raulman1 - Members, 3 posts

Posted 18 February 2015 - 05:01 PM

How do I turn off notifications of this topic that I posted to?


Nevermind, found the unfollow button.



#55 Alphafighter09 - Members, 2 posts

Posted 18 February 2015 - 10:50 PM

When will the decryption come out? I'm thinking of waiting or just restarting my PC. I barely got any photos and I barely have Word documents, like 5 or 10, and I have a backup of the photos, but I don't want to restart because I play games and I have a lot of games that I don't want to restart. Idk what to do. When can we expect a fix? Ty.



#56 RobertHD - Members, 348 posts, Location: Somewhere in Oz

Posted 19 February 2015 - 04:00 AM

No decryptor

Come on Nathan kick Butt!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Robert James Crawley Klopp


#57 noblefaction - Members, 3 posts

Posted 22 February 2015 - 06:36 AM

I got CryptoWall 3.0, and I've been on the phone with several tech support guys over the last few days, and there's no luck in finding any usable shadow copies or backups of my data as even my external hard drive backup was decrypted because I left it plugged into my PC. I decided to just keep my encrypted data on a storage drive software and wiped my machine.

 

I'm still holding onto hope that a fix may one day be possible. Is the same team of law enforcement that took down the Gameover ZeuS botnet and CryptoLocker during Operation Tovar currently tracking down the perpetrators behind CryptoWall?



#58 GargoyleEyes - Members, 8 posts

Posted 28 February 2015 - 03:42 PM

Unfortunately I have found myself at this site because I have been hit with CryptoWall 3.0. It looks like my infection is a little different though. The malicious file seems to be a .ini and it appears that it may have coincided with a crash of Iexplore. Has anyone heard of that? I am trying to make sure everything is removed before I reboot the computer. Any additional information on this type of infection would be appreciated.

#59 RobertHD - Members, 348 posts, Location: Somewhere in Oz

Posted 28 February 2015 - 10:11 PM

Sorry mate, no decryptor yet


Edited by RobertHD, 28 February 2015 - 10:11 PM.

Robert James Crawley Klopp


#60 GargoyleEyes - Members, 8 posts

Posted 01 March 2015 - 11:30 AM

Sorry mate, no decryptor yet

Thanks, I am aware there is no decrypter available yet and may never be.
More interested in providing files to those who may be able to use them for the good. I seem to have caught this trojan before it was finished, and it seemed to have come through IE (possibly Flash) rather than email. It looks like it was running from an .ini file, did not drop any startup links in 'run', 'runonce', nor 'startup', and the typical reg listing of the affected files seems to reside on the HDD. It seems like it hit Adobe and Silverlight before it started in on encrypting files.



