
Thread: Help please. Cryptowall 3.0 bit me.

  1. #46
    Quote Originally Posted by Chuck Hart View Post
    You will have to get a new drive
    I really wish people would stop suggesting this. It is completely unnecessary, not to mention wasteful.
    Hi-Tec Designs, LLC -- Owner (and self-proclaimed LED guru )

    Trotec 80W Speedy 300 laser w/everything
    CAMaster Stinger CNC (25" x 36" x 5")
    USCutter 24" LaserPoint Vinyl Cutter
    Jet JWBS-18QT-3 18", 3HP bandsaw
    Robust Beauty 25"x52" wood lathe w/everything
    Jet BD-920W 9"x20" metal lathe
    Delta 18-900L 18" drill press

    Flame Polisher (ooooh, FIRE!)
    Freeware: InkScape, Paint.NET, DoubleCAD XT
    Paidware: Wacom Intuos4 (Large), CorelDRAW X5

  2. #47
    Quote Originally Posted by Dan Hintz View Post
    I really wish people would stop suggesting this. It is completely unnecessary, not to mention wasteful.
    He doesn't have a full, recent backup. You get a new drive so that if the keys are ever recovered, he can completely decrypt his drive and recover all of his data.

  3. #48
    Quote Originally Posted by Phil Thien View Post
    The quality of email-based attacks has improved substantially.

    Most ISPs should probably just block all email with an executable attached, either directly or as part of a compressed file.

    That will be inconvenient for some people like me, but I can work around it. It will save less savvy users a lot of heartache.

    I've met people that have lost their entire photo albums. Baby pictures, pictures of lost loved ones, all gone. Yes, they should have had a backup. Some of these people simply do not have the money to pay the ransom, even if they wanted to take the chance. Single mothers with deadbeat exes that have trouble paying rent, much less scraping together $400 to get their photos back.

    This industry is very slow to adapt to these sorts of threats. Doesn't bode well for the future.
    Some consumer education would go a long way toward lessening the impact of such attacks. Get people that rely on digital storage to believe that they WILL have a data loss event, it's a question of when, and act accordingly. Easier said than done, I know. People don't have to back up their entire machine, just the bits and bytes that are hard or impossible to replace. It doesn't have to be a large-$ solution. A high-capacity flash drive or two and a freeware file-syncing app would go a long way. I had a Windows 7 install that took up about 30 GB. The stuff that mattered was considerably less than 1 GB. (Nope, no pirated movies.) The rest could be readily rebuilt.
    Last edited by Curt Harms; 04-06-2015 at 9:25 AM.
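An added example, written by the editor and not something from Curt's post or any tool the posters used, of the "back up only the irreplaceable bits" approach he describes, in Python. It also covers the one thing a plain file-syncing app does not: a sync tool will faithfully copy the encrypted versions over the good ones the next time it runs. So this keeps dated snapshots and never rewrites an earlier one; files unchanged since the last snapshot are hard-linked rather than copied, so every snapshot is a complete tree without storing duplicates, and a manifest of SHA-256 hashes lets you check later that what is on the flash drive is still intact. The extension list, the snapshot naming, the manifest format and the files created in demo() are this example's own constructions.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Only the irreplaceable kinds of files; applications and the OS get reinstalled instead.
# (Editor's list for the example, extend to taste.)
KEEP_EXTS = {".jpg", ".jpeg", ".png", ".cr2", ".nef", ".mov", ".mp4",
             ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}
MANIFEST = "MANIFEST.sha256"   # this example's own format: "<sha256> <relative path>" per line


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(snapshot: Path) -> dict:
    """Map relative path -> sha256 recorded when the snapshot was taken."""
    mf = snapshot / MANIFEST
    hashes = {}
    if mf.exists():
        for line in mf.read_text(encoding="utf-8").splitlines():
            if line:
                digest, rel = line.split(" ", 1)
                hashes[rel] = digest
    return hashes


def take_snapshot(source: Path, dest_root: Path, label: str = None) -> Path:
    """Create dest_root/<label> holding every selected file under source.
    A file whose hash matches the previous snapshot is hard-linked to that copy
    instead of copied again. Existing snapshots are never modified, so a run
    after an infection adds an encrypted snapshot beside the good ones rather
    than replacing them."""
    label = label or time.strftime("%Y%m%d-%H%M%S")
    snapshot = dest_root / label
    snapshot.mkdir(parents=True, exist_ok=False)
    older = sorted(p for p in dest_root.iterdir() if p.is_dir() and p != snapshot)
    prev_dir = older[-1] if older else None
    prev_hashes = load_manifest(prev_dir) if prev_dir else {}
    lines = []
    for path in sorted(source.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in KEEP_EXTS:
            continue
        rel = path.relative_to(source).as_posix()
        digest = file_sha256(path)
        target = snapshot / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if prev_dir and prev_hashes.get(rel) == digest and (prev_dir / rel).is_file():
            os.link(prev_dir / rel, target)      # identical content: share it, no second copy
        else:
            shutil.copy2(path, target)
        lines.append(f"{digest} {rel}")
    (snapshot / MANIFEST).write_text("".join(l + "\n" for l in lines), encoding="utf-8")
    return snapshot


def verify_snapshot(snapshot: Path) -> list:
    """Re-hash every file in a snapshot; return the relative paths whose content
    no longer matches the manifest (missing, or rewritten by something)."""
    return [rel for rel, digest in load_manifest(snapshot).items()
            if not (snapshot / rel).is_file() or file_sha256(snapshot / rel) != digest]


def demo() -> dict:
    """Constructed end-to-end run in a temp directory: two snapshots, one file
    edited in between, then one backup file tampered with. Returns what happened."""
    tmp = Path(tempfile.mkdtemp(prefix="snapdemo-"))
    src, dst = tmp / "src", tmp / "backup"
    (src / "photos").mkdir(parents=True)
    (src / "photos" / "baby.jpg").write_bytes(b"\xff\xd8 constructed, not a real jpeg")
    (src / "notes.txt").write_bytes(b"first draft")
    (src / "setup.exe").write_bytes(b"MZ replaceable installer")   # excluded by KEEP_EXTS
    s1 = take_snapshot(src, dst, "20150401-0900")
    (src / "notes.txt").write_bytes(b"second draft")
    s2 = take_snapshot(src, dst, "20150402-0900")
    result = {
        "installer_skipped": not (s1 / "setup.exe").exists(),
        "photo_hardlinked": os.stat(s1 / "photos" / "baby.jpg").st_ino
                            == os.stat(s2 / "photos" / "baby.jpg").st_ino,
        "old_version_kept": (s1 / "notes.txt").read_bytes() == b"first draft",
        "new_version_saved": (s2 / "notes.txt").read_bytes() == b"second draft",
        "clean_verify": verify_snapshot(s2),
    }
    (s2 / "notes.txt").write_bytes(b"ENCRYPTED BY SOMEONE")   # simulate damage to the backup
    result["tampered_verify"] = verify_snapshot(s2)
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<20} {v}")
```

Point it at the source folder and the flash drive's mount point, then unplug the drive; media that stays attached is just another volume for the ransomware to encrypt. One consequence of the hard links: a program that overwrites a file in place inside the newest snapshot also changes the older snapshots that share that file, which is why verify_snapshot exists and why the drive should be checked before anything is restored from it.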

  4. #49
    Quote Originally Posted by Chuck Hart View Post
    Once you have restored with your backup get a major virus package like Norton.
    I receive as many as dozens of E-Mails with malware attached every day. Basically, if an E-Mail has an executable attached either directly or via compressed file, the mail servers I manage forward it to me.

    And I take the attachment and upload it to virustotal.com. Virustotal.com scans the sample with 57 (fifty-seven!) different products.

    I've been doing this for at least a couple of years now.

    And what I've learned is, there is no reliable paid or free product that consistently detects zero day threats.

    And this shouldn't be a surprise to anyone involved in IT security. Because the same site (virustotal.com) is likely used by hackers tweaking their latest variations. They make sure they change it enough to make it past virustotal.com, and then they release it via E-Mail.

    So, more important than installing some paid antivirus product is to be aware that nothing will save you from a zero-day threat. And that they're nearly all zero-day threats (I hope it is obvious that nobody is going to spend time/effort pushing last year's threats via spam or whatever).

  5. #50
    Quote Originally Posted by Phil Thien View Post
    And I take the attachment and upload it to virustotal.com. Virustotal.com scans the sample with 57 (fifty-seven!) different products.
    And then I double-check VirusTotal with Jotti:
    http://virusscan.jotti.org/en
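Phil's filter (forward anything with an executable attached, directly or inside a compressed file) and his VirusTotal routine, as an added example in Python. This is the editor's code, not the mail-server configuration Phil runs, and the file-type list, size limits and the sample message are this example's own constructions. It parses a raw message, walks the attachments, looks inside zip archives (nested ones too), and flags anything that is executable either by extension or by the MZ header, so a renamed .exe or an "invoice.pdf.exe" double extension is caught. Archives it cannot open, including password-protected ones, are flagged rather than let through, since an unscannable archive is exactly what a sender trying to get past a filter would use. The SHA-256 it records is what you look up on VirusTotal first; only if the hash is unknown is there any reason to upload the file itself.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Windows executable and script types that should never arrive by mail (editor's list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".msi"}
PE_MAGIC = b"MZ"            # DOS/PE header: catches executables renamed to .pdf etc.
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3               # archives inside archives inside archives: stop here
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def is_executable(name: str, data: bytes) -> bool:
    """True if either the file name or the content marks this as executable code."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTS or data.startswith(PE_MAGIC)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return [(path, sha256, reason)] for everything that should be quarantined.
    Recurses into zip archives. Anything that cannot be inspected is reported
    as a finding rather than silently passed."""
    findings = []
    if is_executable(name, data):
        findings.append((name, sha256(data), "executable"))
    if not (name.lower().endswith(".zip") or data.startswith(ZIP_MAGIC)):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, sha256(data), "archive nested too deep"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:          # encrypted entry: cannot be scanned
                    findings.append((member, "", "encrypted archive member"))
                    continue
                if info.file_size > MAX_MEMBER:
                    findings.append((member, "", "oversized archive member"))
                    continue
                findings.extend(scan_blob(member, zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        findings.append((name, sha256(data), "malformed archive"))
    return findings


def scan_message(raw: bytes) -> list:
    """Parse an RFC 5322 message and scan each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(scan_blob(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample_message() -> bytes:
    """Constructed test mail: a zip hiding a fake PE stub behind a double extension.
    The stub is just an MZ header followed by filler, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", PE_MAGIC + b"\x90\x00" * 16)
        zf.writestr("readme.txt", b"please see the attached invoice")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 2015-04"
    msg.set_content("Your invoice is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, digest, reason in scan_message(build_sample_message()):
        print(f"{reason:<26} {path}  sha256={digest}")
```

A mail server would call scan_message from its content filter and divert anything with a non-empty result to a quarantine address, which is the forwarding Phil describes; the printed SHA-256 is the value to search for on VirusTotal or Jotti.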

  6. #51
    Might be too late, but looks like Kaspersky Labs may have a solution. http://www.engadget.com/2015/04/14/k...%28Engadget%29

  7. #52
    Quote Originally Posted by Eric DeSilva View Post
    Might be too late, but looks like Kaspersky Labs may have a solution. http://www.engadget.com/2015/04/14/k...%28Engadget%29

    Thanks very much Eric. I'll go check this out. I appreciate the help!
    Fred
    "All that is necessary for the triumph of evil is that good men do nothing."

    “If you want to know what a man's like, take a good look at how he treats his inferiors, not his equals.”

  8. #53
    Okay, brand new to the site. I am a 30-year IT consultant who has recently been fighting Cryptowall 3.0 on several computer networks over the last couple of months. While I have read many of the threads on this subject, no one's story seems to be as severe as mine. I will try to be brief.

    The first couple of times I ran into this virus, a quick system restore to factory defaults solved the problem. However, recently that is not enough. The virus that brings Cryptowall in has moved to the BIOS. You cannot just re-flash the BIOS and low-level format the hard drives to get rid of it. You MUST cold flash the BIOS. For those who do not know, that requires removing the BIOS chip from the motherboard and flashing it outside the computer. The reason is, once in the BIOS, when you boot the computer it moves into RAM and reinfects the drive. Then, before you turn the computer off, it re-writes itself to the BIOS. A very nasty yet clever feat indeed. Also, if you are lucky enough to shut everything down before Cryptowall has encrypted all your data, it is still infected with one of several different kinds of viruses.

    Overall, the time it takes to cold flash all networked computer and server BIOSes (we just buy drives, no time to low-level the old ones), restore all apps, and clean the data takes about a week for a 4-8 user network and costs the customer hundreds of hours of labor. Has anyone else run into this extreme a variant?

  9. #54
    Re Robert's problem, from what I've read, UEFI may not be an improvement on the malware front. I read a proposal on a computer site sort of like Sawmill Creek. A poster suggested some sort of separate flash drive for the BIOS rather than the drive partition that UEFI uses, and then an old-fashioned mechanical switch to isolate the write function on that flash UEFI partition. The user must move that switch to enable writes to that device. Then have a placard near the switch saying don't move this unless you have a very good reason to do so. Fake or anonymous emails or texts do not constitute a very good reason. It wouldn't be perfect; some people would still leave write enabled for convenience. But then they'd have nobody to blame but themselves. People or businesses tasked with recovering systems with problems caused by leaving the write switch enabled could charge a "stupid premium" of, say, 100% in addition to the usual charge.
    Last edited by Curt Harms; 09-16-2015 at 8:49 AM.

  10. #55
    Quote Originally Posted by Robert Greco View Post
    You MUST cold flash the BIOS. For those who do not know that requires removing the BIOS chip from the motherboard and flashing it outside the computer.
    Removing the BIOS chip on a modern computer is typically not a DIY job for the home hobbyist. The EEPROMs are almost always soldered directly to the board these days, and with the 10-layer+ boards in production and high-pin-density packages (not even talking about BGAs), this is not an item the DIYer can remove with a Radio Shack soldering gun.

    Luckily, the viruses that attack at the BIOS level are few and far between in the wild... the vast majority here will go their entire lives without having encountered one.

  11. #56
    Quote Originally Posted by Dan Hintz View Post
    Removing the BIOS chip on a modern computer is typically not a DIY job for the home hobbyist. The EEPROMs are almost always soldered directly to the board these days, and with the 10-layer+ boards in production and high-pin-density packages (not even talking about BGAs), this is not an item the DIYer can remove with a Radio Shack soldering gun.

    Luckily, the viruses that attack at the BIOS level are few and far between in the wild... the vast majority here will go their entire lives without having encountered one.
    Correct me if I am wrong, but if the board EEPROM was reflashed by someone who knows how, would this same board then be OK?

  12. #57
    Quote Originally Posted by Chuck Wintle View Post
    Correct me if I am wrong, but if the board EEPROM was reflashed by someone who knows how, would this same board then be OK?
    If they're able to do a low-level write of the entire Flash, then yes, it would be okay. If you're counting on the OS (or UEFI) to handle the write, however, there's a large chance the malware will retain control afterwards since it retains control of the re-flash process. You really need someone who can attach directly to the programming lines of the chip and do it direct so nothing in the Flash can take control of the process.
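Dan's point that only a write which bypasses the running firmware can be trusted has a verification step that belongs with it: read the chip back with the same external programmer (flashrom driving a clip on the SPI flash is the usual tool, and reading does not execute anything on the chip), then compare that dump against a known-good image. The following is an added example in Python from the editor, not code from any poster or from flashrom, that does the comparison sector by sector. It assumes a 4 KiB SPI NOR sector size, a reference image taken from the vendor's update package, and an operator-supplied list of ranges (such as the UEFI variable store) that legitimately change at runtime, so only differences outside those ranges are reported as suspect. The two images it compares are constructed in build_samples.

```python
import hashlib
import random

SECTOR = 4096   # assumed SPI NOR erase-sector granularity


def image_sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def differing_sectors(reference: bytes, dump: bytes, sector: int = SECTOR) -> list:
    """Offsets of every sector whose bytes differ between the two images.
    Sizes must match: an external programmer reads the whole chip, so a short
    dump means the wrong chip definition or a read error, not a clean chip."""
    if len(reference) != len(dump):
        raise ValueError(f"image sizes differ: {len(reference)} vs {len(dump)} bytes")
    return [off for off in range(0, len(reference), sector)
            if reference[off:off + sector] != dump[off:off + sector]]


def classify(diffs: list, volatile_ranges: list) -> tuple:
    """Split differing offsets into expected (inside operator-listed ranges the
    firmware writes at runtime, e.g. the NVRAM variable store) and suspect."""
    expected, suspect = [], []
    for off in diffs:
        inside = any(lo <= off < hi for lo, hi in volatile_ranges)
        (expected if inside else suspect).append(off)
    return expected, suspect


def verify_reflash(reference: bytes, readback: bytes) -> bool:
    """After an external write, read the chip back: it must equal the reference
    byte for byte. Anything else means the write failed or something is still
    modifying the chip, and the board should not go back into service."""
    return len(reference) == len(readback) and image_sha256(reference) == image_sha256(readback)


def build_samples() -> tuple:
    """Constructed images: a 256 KiB pseudo-random stand-in for the vendor image,
    and a dump of the same chip after the machine has run, containing a legitimate
    variable-store change in sector 50 and eight bytes planted in sector 2,
    where nothing should ever change."""
    rng = random.Random(1)
    reference = bytes(rng.getrandbits(8) for _ in range(64 * SECTOR))
    dump = bytearray(reference)
    dump[50 * SECTOR:50 * SECTOR + 16] = b"\x00" * 16
    dump[2 * SECTOR + 100:2 * SECTOR + 108] = b"HOOKED!!"
    volatile = [(48 * SECTOR, 56 * SECTOR)]   # operator-supplied: variable store
    return reference, bytes(dump), volatile


if __name__ == "__main__":
    ref, dump, volatile = build_samples()
    expected, suspect = classify(differing_sectors(ref, dump), volatile)
    print("runtime-writable sectors that changed:", [hex(o) for o in expected])
    print("suspect sectors:", [hex(o) for o in suspect])
    print("read-back after reflash matches reference:", verify_reflash(ref, ref))
```

In practice the reference is the image extracted from the vendor's own update package for that exact board and revision, and the volatile ranges come from the firmware's flash layout; a suspect sector is a reason to keep the dump for analysis, not just to overwrite it.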
