[HOW_DECRYPT_FILES.HTA] Need some assistance with system image recovery
#1
Good Afternoon Everyone:

Well, I was the unfortunate recipient of what I think was a Cryptowall ransomware variant. I watched about 35 videos on YouTube, each telling me that there are a few ways to get rid of the ransomware. All it said was that I needed to pay $1,000 USD for the unlock code. I figured that "heck, I just need to find out what I am dealing with and get the right tool". WRONG - there was no indication of what it was, and worse than that, it must have activated while I was away, because when I got home, ALL FILES had been compromised. I was advised to WIPE the drive all the way, and reinstall using my system image that I made on 3/29/18.

PROBLEM IS: While it SAYS that you can use a network connection to connect to a server share (running Samba on Debian 8), each attempt says that the image cannot be found. I can't simply back up the image on the same drive, so I have set up Samba to back it up to my 8TB drive over the network, but I wonder why I can't restore this way - it keeps erroring out, even with the right password. Is there a way to force it to find the image?

Even when I copied the image to a folder on the desktop, windows could NOT find the image - Should I move the image copy to the ROOT of the C: drive and command a system recovery?  Is there a way to go right into the recovery, or do we have to always go to "troubleshoot" - seems a LONG way 'round if you want windows to recover an image?

Any assistance you could provide me with would be beneficial, as without the image restored, I have bare bones capabilities right now.....

Thanks,

Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#2
Here is some info:

https://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information


https://noransom.kaspersky.com/

https://www.nomoreransom.org/en/index.html
Reply

#3
(05-03-2018, 06:39 PM)Britec Wrote:  Here is some info:

https://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information


https://noransom.kaspersky.com/

https://www.nomoreransom.org/en/index.html

Britec:

Thank you for the information provided regarding Cryptowall - I was told that whatever this is was a variant, but I am not sure it was cryptowall.

Now, I HAD installed Windows 10 Pro to my system again, and it was working fine, but NOW all I get is a constant reboot loop: it will boot up, show me the Dell logo, and then just go black and reboot. I can't seem to get to a recovery environment, and when I try to reinstall Windows 10 to get it moving again, it says that I am missing a critical driver, and that I need to install it before I can continue.

Add to that, that the system can't even FIND my backup System Image, and you can see why I am stymied - I HAD at least a working Windows install, but now I can't even access the Windows install that worked 2 days ago. Any ideas on how to fix BOTH issues??

Thanks,

Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#4
I have made videos on installing windows 10. Check out my Youtube channel 
Reply

#5
(05-06-2018, 11:24 AM)Britec Wrote:  I have made videos on installing windows 10. Check out my Youtube channel 

Understood Sir - BUT my machine is REBOOTING and is in a LOOP - I also cannot seem to get to the system repair options - so, unless I can ZAP this thing clean, I can't proceed - Thoughts??

Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#6
(05-06-2018, 02:00 PM)baker7 Wrote:  
(05-06-2018, 11:24 AM)Britec Wrote:  I have made videos on installing windows 10. Check out my Youtube channel 

Understood Sir - BUT my machine is REBOOTING and is in a LOOP - I also cannot seem to get to the system repair options - so, unless I can ZAP this thing clean, I can't proceed - Thoughts??

Brian B.

*Power off the machine

*Insert Windows 10 usb drive created with media creation tool

*When powering on hit f12 or esc to bring up boot device options

*Boot to the usb drive

From there you can access system repair options and/or Install Windows.

If all of your data is encrypted why are you trying to create an image?

Tim's Computer Repair (TCR) 
1503 Kings Way, Savannah, GA 31406, US
912-220-0765
https://www.TimsComputerFix.net 

Reply

#7
(05-06-2018, 03:03 PM)Timster Wrote:  

*Power off the machine

*Insert Windows 10 usb drive created with media creation tool

*When powering on hit f12 or esc to bring up boot device options

*Boot to the usb drive

From there you can access system repair options and/or Install Windows.

If all of your data is encrypted why are you trying to create an image?


UPDATE: was able to make a DVD with the Media Creation Tool, Windows 10 PRO - 1809 - which has the update for the Spring Creators Update. For some reason, I was continually rebooting, so Britec's instructions to search for videos he did were silly considering my situation, and I was unable to boot using USBs, but booting with a DVD seems to work: had to mess with the boot order, and I think something was a little strange. All is OK as far as the install goes right now - let's hope we can keep Thrush solid for now.

System Image: The System image I want to restore is from March 26, which was the day I decided to backup Thrush - This is 2-3 months PRIOR now to May 1, when I got the ransomware. I think I will be OK if I restore this, but I also have another PLAN that I can use: I do have a folder by folder save of the files I want, so if this does not work, I can go back to a 2015 backup done around this time that year.

I have the System Image on my Linux drive that I use for backups, so what I want to do, and am doing now is to connect to Cardinal via Samba, and copy (drag and drop) the "WindowsImageBackup" folder and any subfolders to the ROOT of C:\ - Hopefully, windows will see that image and can restore it - My Linux Backup drive is EXT4, so windows may not see it in the System Image Recovery, so I am hoping that copying it to C:\ will take care of that.

Thanks for the assist Brian and Tim - You are Amazing

Will Keep you UPDATED - I'm gonna make a WinPE USB to help me if I run into this again, but I don't know if there are protections against the ransomware I got, but it would be nice to have.

Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply

#8
(05-06-2018, 06:40 PM)baker7 Wrote:  Will Keep you UPDATED - I'm gonna make a WinPE USB to help me if I run into this again, but I don't know if there are protections against the ransomware I got, but it would be nice to have.

Brian B.

UPDATE: Posted to Family Members and Friends on Facebook as a WARNING
Quote:Good Evening Everyone:

I just Wanted to let EVERYBODY know that they should always be CAREFUL of what they download or click ON: Have spent 6 of the last 8 days restoring my Windows Desktop after a Ransomware hit me, and encrypted EVERYTHING - Most of this time, was in Montpelier (VERMONT'S CAPITAL CITY) taking stock of what I needed to have to make the rebuild possible, although my System Recovery FAILED and could not be read - If anyone sent me an EMAIL message, I have not responded to many - and for that matter, I have not been on Facebook for about a week - Lucky for me that I like to keep backups - problem is, I lost some files, and not sure which ones, but I can get them back in time. If you EVER get one of these Damn things, DO NOT PAY the ransom, and do a COMPLETE wipe and reinstall - Paying the ransom only makes these FOOLS make more of these things - Lucky for me I do a Windows Backup regularly (and that I NOW have a FULLY FUNCTIONING Acer Aspire One with Win10 Pro loaded - saved me some HELL this week while I was down at home). BlueBird (laptop) was unaffected, and was reinstalled 3 months ago, so she was OK to use at work while Thrush was down - All Windows machines on my network have Windows 10 PRO, and if they don't have the Spring Creators Update (Version 1803) already they soon will have it.

Anybody Got a Seltzer Water for a Die Hard Keyboard Jockey hehehe *GRIN*

Brian B.

I wish that there was a way to nuke these things and whip them BEFORE they can do the damage - Is there a ransomware protection software that I should be running to help me steer clear of this? Didn't even KNOW I had the thing until 17:00 on 1 May - Damn that thing was AWFUL - Thank GOD I was able to restore that 1TB external - Have a 2TB external that I'm moving the files to, and TIM is a LIFESAVER *5ERS* Thrush NOW has Version 1803, so I am mostly all set - Just have to reinstall Adobe, Office and Dreamweaver and we should be all set.

The System Image Recovery was USELESS because apparently you need to be careful when copying to a network drive, because there can be dropped packets. Oh well - Next we will get a 4TB or larger drive for my office backups.



Brian B.
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
buddy-baker.us
Reply
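Before pointing the recovery wizard at a copied image, a pre-flight check covering the three things that went wrong in the posts above: the wizard not finding the image, a drag-and-drop copy of the WindowsImageBackup folder with no way to tell whether it arrived intact, and a backup share that the infected PC could reach. This is an added example, not code from anyone in the thread. It assumes the image came from Windows Backup (wbadmin), whose tree is WindowsImageBackup\<ComputerName>\Backup <date> <time>\*.vhdx with MediaId and a Catalog folder beside it, and that the wizard only searches for WindowsImageBackup directly under a drive or share root, never in a subfolder or on the Desktop. The machine name THRUSH, the folder names cardinal and c_drive, and the sample file contents are constructed for the demo and stand in for a real image.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

HASH_CHUNK = 1 << 20  # 1 MiB reads; real VHDX files run to tens of GB


def at_share_root(wib: Path) -> bool:
    """True if WindowsImageBackup is directly under a drive or share root, which is
    the only place the System Image Recovery wizard looks (not Desktop, not a subfolder)."""
    parent = Path(wib).absolute().parent
    return parent.parent == parent


def layout_problems(wib: Path) -> list[str]:
    """Things the recovery wizard would trip over; an empty list means the layout is OK."""
    problems = []
    if wib.name.lower() != "windowsimagebackup":
        problems.append(f"top folder is {wib.name!r}, expected WindowsImageBackup")
    machines = [d for d in wib.iterdir() if d.is_dir()]
    if not machines:
        problems.append("no <ComputerName> folder under WindowsImageBackup")
    for m in machines:
        if not (m / "MediaId").is_file():
            problems.append(f"{m.name}: MediaId missing")
        if not (m / "Catalog" / "GlobalCatalog").is_file():
            problems.append(f"{m.name}: Catalog/GlobalCatalog missing")
        backups = [d for d in m.iterdir() if d.is_dir() and d.name.startswith("Backup ")]
        if not backups:
            problems.append(f"{m.name}: no 'Backup <date> <time>' folder")
        for b in backups:
            if not any(p.suffix.lower() in (".vhd", ".vhdx") for p in b.iterdir()):
                problems.append(f"{m.name}/{b.name}: no .vhd/.vhdx volume image")
    return problems


def manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out


def compare_manifests(source: dict, copy: dict) -> dict[str, list[str]]:
    """Differences between the original tree and the copy; all three empty = exact copy."""
    return {
        "missing": sorted(set(source) - set(copy)),  # never arrived
        "extra": sorted(set(copy) - set(source)),    # not in the original
        "changed": sorted(k for k in source.keys() & copy.keys() if source[k] != copy[k]),
    }


def ransom_note_paths(root: Path, note_names=("HOW_DECRYPT_FILES.HTA",)) -> list[str]:
    """Files named like the ransom note in the thread title: a hit means the infected PC
    could write to the backup share, so the image is suspect, not safe to restore blindly."""
    wanted = {n.upper() for n in note_names}
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.name.upper() in wanted)


def build_sample_tree(base: Path, machine: str = "THRUSH") -> Path:
    """Constructed stand-in for a Windows Backup tree (placeholder bytes, not a real VHDX)."""
    m = base / "WindowsImageBackup" / machine
    backup = m / "Backup 2018-03-26 120000"
    (m / "Catalog").mkdir(parents=True)
    backup.mkdir()
    (m / "MediaId").write_bytes(b"\x01" * 16)
    (m / "Catalog" / "GlobalCatalog").write_bytes(b"catalog")
    (m / "Catalog" / "BackupGlobalCatalog").write_bytes(b"catalog")
    (backup / "BackupSpecs.xml").write_text("<BackupSpecs/>")
    (backup / "disk.vhdx").write_bytes(bytes(range(256)) * 4096)  # 1 MiB
    return m.parent


def demo() -> dict:
    """Copy the sample image, flip one byte in the copy (a silent transfer error), drop a
    ransom note on the server side, and report what the checks see."""
    with tempfile.TemporaryDirectory() as tmp:
        server = build_sample_tree(Path(tmp) / "cardinal")    # Samba host side
        local = Path(tmp) / "c_drive" / "WindowsImageBackup"  # C:\ side after drag-and-drop
        shutil.copytree(server, local)
        damaged = local / "THRUSH" / "Backup 2018-03-26 120000" / "disk.vhdx"
        data = bytearray(damaged.read_bytes())
        data[1234] ^= 0xFF
        damaged.write_bytes(data)
        (server / "THRUSH" / "HOW_DECRYPT_FILES.HTA").write_text("<html>pay</html>")
        return {
            "layout": layout_problems(server),
            "at_root": at_share_root(server),
            "diff": compare_manifests(manifest(server), manifest(local)),
            "notes": ransom_note_paths(server),
        }
```

Run manifest() on the Debian host against the share's WindowsImageBackup folder and again on the Windows side against C:\WindowsImageBackup, then feed both dicts to compare_manifests(); an empty result is the proof that the copy is exact, which neither Explorer's drag-and-drop nor Samba reports on its own. Once the tree is in place, the recovery environment's command prompt can run `wbadmin get versions -backupTarget:C: -machine:THRUSH` (or `-backupTarget:\\cardinal\<share>`, share name assumed) to list the images Windows itself can see at that location, which answers "can it find the image" faster than clicking through Troubleshoot. While the restore runs, set `read only = yes` on that share's section in smb.conf so nothing on the rebuilt machine, or whatever infected it, can write to the backup again.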

#9
Loads of different ransomware protection out there for free. But nothing beats common sense. 
Reply
