CRYPTOWALL 3.0
#1
Here is my problem.
In the beginning of Nov 11, 2015, my notebook somehow got infected (although I am very careful and I had installed an antivirus) from the CRYPTOWALL 3.0 Ransomware.
The 'funny' thing was that at that time, since I did not know that I was hit by this virus, I made a copy of some xlsx and accb files - that I used to work on for over 4 years - to a USB stick as a backup. Unfortunately I backed up the infected files.
The notebook was eventually reformatted, but the thing I want to know is if I can do anything with the USB stick - which I keep intact - in order to retrieve these files.
Is it dangerous if these USB stick files are transferred somewhere else?
What about if these are written to a CD?
There are some companies listed on the internet as Data Recovery Company. Do you believe it is a lost cause?
Thanks for your help and your assistance
Reply

#2
(08-30-2016, 09:46 PM)george759 Wrote:  Here is my problem.
In the beginning of Nov 11, 2015, my notebook somehow got infected (although I am very careful and I had installed an antivirus) from the CRYPTOWALL 3.0 Ransomware.
The 'funny' thing was that at that time, since I did not know that I was hit by this virus, I made a copy of some xlsx and accb files - that I used to work on for over 4 years - to a USB stick as a backup. Unfortunately I backed up the infected files.
The notebook was eventually reformatted, but the thing I want to know is if I can do anything with the USB stick - which I keep intact - in order to retrieve these files.
Is it dangerous if these USB stick files are transferred somewhere else?
What about if these are written to a CD?
There are some companies listed on the internet as Data Recovery Company. Do you believe it is a lost cause?
Thanks for your help and your assistance

Hi george759, thanks for contacting the forum!

It might be possible to recover your files using EaseUS Data Recovery Wizard https://www.easeus.com/datarecoverywizard/free-data-recovery-software.htm or Recuva https://www.piriform.com/recuva. Perform a deep scan (this can take a long time, depending on the size of the drive, i.e. how many gigabytes). If you have found the files, recover and save them to a different location, e.g. the main hard drive or an external hard drive, not the same drive you are recovering from.

Then for the safety of your computer and any other devices you have, I suggest you wipe your USB and start from fresh.
To do this you will need to access the command prompt (CMD), please refer to the snapshots:

Windows 7:
Click Start button and then type cmd in the search box and then right click cmd and hit Run as Administrator

Windows 8 & 10 Users:
Right click Start button and then click Command Prompt (Admin) from the menu.

Once the black cmd window appears, type the following commands and press enter on your keyboard:
diskpart
list disk (at this stage look under size for how many gigabytes your USB comes with and then look left for which disk it is pointing to)
select disk number (the number of your USB)
clean all (please note this will take some time depending on the size of the USB; this will clean out all the sectors, so make sure you have recovered and backed up your data beforehand)
create partition primary
format fs=fat32 quick or format fs=ntfs (if fat32 comes up with an error, use NTFS)
assign
exit

It is dangerous if these USB files are transferred to another location because it could infect the location.

Hope this helps you out.

Thanks

REC560
Reply

#3
Ransomware like CryptoWall is an executable, which means either the user has to execute it or, if there's an autorun.inf file on the disk, it would let the ransomware run automatically once the disk is accessed.

Unless the ransomware is executed, it cannot cause any harm, and so with that in mind, you would first have to find a means to disable the autorun feature to avoid the risk of its automatic execution.

There is a program called Panda USB Vaccine that disables autorun from all the drives if you click "Vaccinate Computer", and it can be downloaded from https://www.pandasecurity.com/india/homeusers/downloads/usbvaccine/

Once autorun is disabled, you can then insert the USB stick and run a deep scan on the disk with Zemana AntiMalware Free.

To download it, visit https://www.zemana.com/AntiMalware, press the Ctrl and F keys together and type "free download" into the search box.

Click the button that says FREE DOWNLOAD to download the software, install it and let it update, and then run a deep scan.

If the ransomware or any other malware is present on the disk, the deep scan should detect it.
Reply

#4
Are these files you want to recover on the USB drive encrypted? 

CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ
Reply

#5
(08-31-2016, 09:45 PM)Britec Wrote:  Are these files you want to recover on the USB drive encrypted? 

CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ
I want to be honest.
Up to now I haven't tried to manipulate the USB stick. The only thing I tried to do is to write the whole directory in question to a CD. Last time I checked the USB was about 8-9 months ago.
I would like to apologize about my ignorance regarding infected files or non-infected files, but dealing with viruses is a very weak point of mine. Sorry to say I am very scared. At first I don't want to be infected again, and second the work done is so very precious to me and consequently I am not tempted to play around with these USB files, as I am scared to destroy them (in case there is a slight chance they will be recovered).
Sorry if I appear to be a beginner with computers, but I am not. I only lack knowledge regarding viruses.

I just inserted the USB stick, and the things I found are the following:
Moving the mouse over the directory name, it previews the content of the directory, showing among others an 'autorun.inf' file. Also in the USB Properties, it shows 41.6 MB and that it has also 84 files and 8 directories.
I did not dare enter this directory (named 'AMADEUS').

Any chances according to @Partha's post??

Please tell me how I can help you help me.
Many Many thanks.
Reply

#6
I can understand, but if you do as I said, there shouldn't be any problems. Just install the Panda USB vaccine and click Vaccinate Computer.

Once that's done, insert the USB stick and run a deep scan with Zemana AntiMalware Free like I asked you to.
Reply

#7
(09-01-2016, 06:17 AM)Partha Wrote:  I can understand, but if you do as I said, there shouldn't be any problems. Just install the Panda USB vaccine and click Vaccinate Computer.

Once that's done, insert the USB stick and run a deep scan with Zemana AntiMalware Free like I asked you to.

Very kind of you to deal with my problem.
Your point of view looks very logical, and besides, what I now believe is that the only chance I have to salvage my files is if this autorun.inf file has not been executed. In all other cases, I think everything looks gloomy.

Many thanks again
Reply

#8
(09-01-2016, 06:32 AM)george759 Wrote:  Very kind of you to deal with my problem.
Your point of view looks very logical, and besides, what I now believe is that the only chance I have to salvage my files is if this autorun.inf file has not been executed. In all other cases, I think everything looks gloomy.

Many thanks again

Thank you for the kind words. Please understand that the autorun.inf file is not an executable, but it can cause other executable files to run automatically, and that can be a point of concern.

If Windows finds autorun.inf on the USB drive, any executable file with the extension ".exe" on the USB drive would get executed automatically, and that is what we don't want.

CryptoWall is an executable, and so it is important that the autorun feature is disabled temporarily, to avoid the risks of letting CryptoWall run automatically.
Reply
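
Added example, not part of any post in this thread: a read-only Python triage of a mounted stick that lists the commands an autorun.inf `[autorun]` section names, any executables present, HELP_DECRYPT notes (the name comes from the guide title in post #4), and .xlsx files that no longer begin with the ZIP signature every intact .xlsx carries, which bears on the "are the files encrypted?" question. The function names, the extension list and the sample tree are assumptions made for this example; nothing is executed or modified.

```python
import tempfile
from pathlib import Path

EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}  # assumed list

def autorun_commands(text):
    """Return the commands the [autorun] section of an autorun.inf would launch."""
    cmds, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                cmds.append(value.strip())
    return cmds

def triage(root):
    """Walk root read-only and report what needs attention before copying."""
    report = {"autorun": [], "executables": [], "ransom_notes": [], "not_zip": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name, ext = path.name.lower(), path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if name == "autorun.inf":
            report["autorun"] += autorun_commands(path.read_text(errors="replace"))
        elif ext in EXEC_EXT:
            report["executables"].append(rel)
        elif name.startswith("help_decrypt"):
            report["ransom_notes"].append(rel)
        elif ext == ".xlsx":
            with path.open("rb") as fh:
                if fh.read(4) != b"PK\x03\x04":  # intact .xlsx is a ZIP archive
                    report["not_zip"].append(rel)
    return report

def build_sample(root):
    """Write a constructed sample tree (harmless placeholder bytes)."""
    d = Path(root, "backup"); d.mkdir()
    Path(root, "autorun.inf").write_text(
        "[autorun]\nopen=setup.exe /s\nicon=x.ico\nshell\\open\\command=setup.exe\n")
    Path(root, "setup.exe").write_bytes(b"MZ")
    (d / "intact.xlsx").write_bytes(b"PK\x03\x04rest")
    (d / "scrambled.xlsx").write_bytes(b"\x8f\x11\xa0\x42rest")
    (d / "HELP_DECRYPT.TXT").write_text("constructed note")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp); print(triage(tmp))
```

An .xlsx listed under `not_zip` has lost its container header and will not open as a spreadsheet; an empty `autorun` list means the file names no launch command.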

#9
Like Partha said, you just went and plugged in your USB drive without using a protection for that USB drive. If you had a virus or malware like autorun on there, it would have already run. That's why Partha said install Panda USB vaccine; this will protect your computer from autorun type malware.
Reply

#10
(09-01-2016, 10:46 AM)Britec Wrote:  Like Partha said, you just went and plugged in your USB drive without using a protection for that USB drive. If you had a virus or malware like autorun on there, it would have already run. That's why Partha said install Panda USB vaccine; this will protect your computer from autorun type malware.

Thanks, Brian. I wanted to point that out as well. He did take a risk there.
Reply
