Cryptowall infection

Be3G
Grafter
Posts: 6,111
Thanks: 1
Registered: ‎05-04-2007

Cryptowall infection

Hi all,
Long time no speak. Unfortunately, I'm here in unpleasant circumstances.
So, today I thought it was about time I configured a better backup regime (oh the irony…) on my mother's Windows 7 laptop. We'd been relying on MS SyncToy (the only way to achieve a network backup in Home Premium), but intending to set up something more robust, I downloaded a couple of trials of Genie's backup software (Timeline Home and Backup Manager Home). Tried the first one, wasn't much good. Tried the second one and after three attempts at installation finally got it running.
An hour or two later, I look at the laptop and find it's been taken over by Cryptowall! It had to happen during the few hours of the laptop's life that there wasn't a backup, didn't it. So the data on it is now stuffed; fortunately there wasn't much as my mother's main computer is actually an iPad.
What's really bugging me though is how the infection even took hold. Looking at the IE browsing history for today the only domains I visited were bing.com, genie9.com and google.co.uk, so no dodgy websites. The account I was using on the laptop has no e-mail client set up so nothing could have got in that way. All I can think of is an ad exploit (I don't think Flash is up to date on the laptop) but surely none of those three websites should have been running dodgy ads? I really don't get it.
Two observations of things I did think were slightly odd whilst using the laptop today though:

  • When rebooting it earlier it said it had to install some Windows updates during startup, and remained at ‘100% complete’ for a good half-hour or so. When looking at the Windows update history afterwards however, apparently none had been installed.
  • When running Genie Backup Manager for the first time, it told me with a slightly Chinglish alert that I had to download an extra installer to use a feature in the app (disaster recovery, for what it's worth). Although the download did seem to come from Genie's website, so…


Any ideas?
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Cryptowall infection

Are the SyncToy backups also knackered and, if so, has it infected other network computers?
Be3G
Grafter
Posts: 6,111
Thanks: 1
Registered: ‎05-04-2007

Re: Cryptowall infection

Nope, the SyncToy backups were the ones I deleted at the beginning of the process – last backup would've been a fortnight or so ago when the laptop was last used. The other computers are Macs, fortunately.
Having said that, today's infection may have spread to the NAS (Time Capsule) so I will be erasing its disk as a precaution.
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Cryptowall infection

Is the deleted backup recoverable using the recycle bin, or don't Macs have such a feature?
shutter
Community Veteran
Posts: 22,213
Thanks: 3,773
Fixes: 65
Registered: ‎06-11-2007

Re: Cryptowall infection

Not sure if this would help... but as it is a Windows 7 machine... you may be able to recover files using Recuva: https://www.piriform.com/recuva
Be3G
Grafter
Posts: 6,111
Thanks: 1
Registered: ‎05-04-2007

Re: Cryptowall infection

The backup was deleted using Windows; so, as it was a network drive, the files were sent straight into the ether.
Thanks too, shutter. Unfortunately I don't think programs like that work on network drives (without removing the HDD anyway).
To be clear though, I'm not really interested in recovering the data; there wasn't much on the laptop, so whilst it might be possible to get the data back, it's not worth the expense/effort. What I'm really concerned about though – as someone who is very careful when using computers and has never had any virus/malware attacks before! – is deciphering how it even happened in the first place.
nanotm
Pro
Posts: 5,756
Thanks: 156
Fixes: 2
Registered: ‎11-02-2013

Re: Cryptowall infection

Probably an advert; could have been something lying dormant waiting for you; could have been the download you made. The install trouble was likely a cover for Cryptowall doing what it needed to do.
Just because you're paranoid doesn't mean they aren't out to get you.
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Cryptowall infection

Quote from: Be3G
When running Genie Backup Manager for the first time, it told me with a slightly Chinglish alert that I had to download an extra installer to use a feature in the app (disaster recovery, for what it's worth). Although the download did seem to come from Genie's website, so…

I think it is very likely that that was the source of your Cryptowall infection.  Either the Genie website had been hacked or your computer has been hacked to change the DNS setting so you were not visiting the site you thought. 
Be3G
Grafter
Posts: 6,111
Thanks: 1
Registered: ‎05-04-2007

Re: Cryptowall infection

I've been wondering about that too; the more I think about it being ad-based the less likely it seems to me because there's surely no way Google or Bing would let anything that heinous anywhere near their websites, and the Genie site only advertises their own products as one would expect. However, I can't see anything wrong with the DNS as reported by ipconfig, and I also can't imagine Genie's website being hacked and me being the only person to notice. I feel sorely tempted to set up a VM to see if I still get the Chinglish alert when downloading the program but… can I be bothered? Hmm.
Does anyone have any idea how long it takes Cryptowall to reveal itself from the time of initial infection? (I.e. does it appear only once everything's been encrypted, or does it show itself as soon as it starts to mangle one's data.) I'm starting to wonder if it actually landed on my mother's laptop prior to me using it today.
Losing the data I can live with… but I hate not knowing how it happened!
rongtw
Seasoned Hero
Posts: 6,973
Thanks: 1,541
Fixes: 12
Registered: ‎01-12-2010

Re: Cryptowall infection

May be helpful:
http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99
Asus ROG Hero Vii Z97 , Intel i5 4690k ,ROG Asus Strix 1070,
samsung 850evo 250gig , WD black 2 TB . Asus Phoebus sound ,
16 gig Avexir ram 2400 , water cooling Corsair H100i gtx ,
Corsair 750HXI Psu , Phanteks Enthoo pro case .
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Cryptowall infection

I don't think Cryptowall reveals itself until it has finished encrypting but with only a few files that isn't going to take too long.  The only time I have seen it in life was when somebody let their curiosity about an email attachment get the better of them despite the fact that the email was clearly 'misdirected'.  The computer had security software but the virus 'outran' it.  I think it very likely that you were to blame, Be3G, because you were downloading and running stuff and I doubt that your mother does that.
Google can have all sorts of heinous stuff if you click on the sponsored links at the top of the search listing.  Bing is probably the same but I rarely use that one.  You are frequently directed to sites that bundle adware with whatever piece of software you are looking for but it could be worse than that.     
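Be3G asked above how long Cryptowall takes to reveal itself, and ReedRichards' answer is that the ransom note only appears once encryption has finished. That gap is where a defender can act: the encryption phase looks like a burst of user documents being rewritten with high-entropy (ciphertext-like) contents, which no ordinary application does to dozens of files in a minute. The script below is an added illustration of that detection heuristic and is not code from the thread, from Cryptowall analyses, or from any product mentioned here; the event log it runs over is constructed inline, and the field layout (timestamp, path, contents after write) is an assumption about what a file-monitoring agent might emit.

```python
"""Heuristic detector for ransomware-style mass-encryption bursts.

Added example, not part of the forum thread. Assumed input: an iterable of
(timestamp_seconds, path, contents_after_write) tuples as a hypothetical
file-monitoring agent might emit. The signal used is Shannon entropy of the
written contents: encrypted or compressed data approaches 8 bits per byte,
while documents, text and most media containers sit well below that.
"""
import math
import random
from collections import Counter

# Entropy (bits/byte) at or above which a write is treated as ciphertext-like.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_high_entropy(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the contents look encrypted or compressed."""
    return shannon_entropy(data) >= threshold


def detect_bursts(events, window=60.0, min_files=5, threshold=ENTROPY_THRESHOLD):
    """Return (window_start, distinct_file_count) for every sliding window of
    `window` seconds in which at least `min_files` distinct paths were rewritten
    with high-entropy contents. An empty list means nothing looked like a burst."""
    hits = sorted((ts, path) for ts, path, data in events
                  if is_high_entropy(data, threshold))
    alerts = []
    for i, (start, _) in enumerate(hits):
        paths = {p for ts, p in hits[i:] if ts - start <= window}
        if len(paths) >= min_files:
            alerts.append((start, len(paths)))
    return alerts


# --- Constructed sample data (not real captures) ---------------------------
PLAINTEXT = b"Dear Mum, the laptop is backed up now, honest. " * 40
# A seeded PRNG stands in for ciphertext so the example is deterministic.
_rng = random.Random(1)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(2048))

USER_DIR = "C:/Users/mum/Documents/"  # hypothetical path
SAMPLE_EVENTS = [
    (10.0, USER_DIR + "letter.txt", PLAINTEXT),       # ordinary save
    (20.0, USER_DIR + "notes.txt", PLAINTEXT),        # ordinary save
    # Six documents rewritten as ciphertext within 25 seconds: the burst.
    (100.0, USER_DIR + "holiday.jpg", CIPHERTEXT),
    (105.0, USER_DIR + "tax.pdf", CIPHERTEXT),
    (110.0, USER_DIR + "cv.docx", CIPHERTEXT),
    (115.0, USER_DIR + "recipes.xls", CIPHERTEXT),
    (120.0, USER_DIR + "song.m4a", CIPHERTEXT),
    (125.0, USER_DIR + "letter.txt", CIPHERTEXT),
    (200.0, USER_DIR + "todo.txt", PLAINTEXT),        # ordinary save, later
]


def sample_alerts():
    """Run the detector over the constructed log; first alert is (100.0, 6)."""
    return detect_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for start, count in sample_alerts():
        print(f"t={start:.0f}s: {count} files rewritten as ciphertext within 60s")
```

On the thread's own scenario the first alert fires at the sixth encrypted write, long before a ransom note would appear, which is the point: a machine or NAS that raises on this pattern can be isolated while most of the data is still intact. The threshold and window are tunable; compressed archives and already-encrypted files will legitimately score high, so a real agent would exclude those extensions or require the extension or name to change as well.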
MatrixRob
Grafter
Posts: 78
Thanks: 2
Registered: ‎16-11-2015

Re: Cryptowall infection

Note: No affiliation with the company whatsoever.
Have you also tried using the Bitdefender FREE solution to the problem?
http://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/?
No problem can be solved from the same level of consciousness that created it.
Albert Einstein
Oldjim
Resting Legend
Posts: 38,460
Thanks: 787
Fixes: 63
Registered: ‎15-06-2007

Re: Cryptowall infection

That doesn't help once your files have been encrypted
MatrixRob
Grafter
Posts: 78
Thanks: 2
Registered: ‎16-11-2015

Re: Cryptowall infection

Just re-read the thread and... Oops! Yup, you're right, it won't fix it (more coffee please!)
No problem can be solved from the same level of consciousness that created it.
Albert Einstein
Be3G
Grafter
Posts: 6,111
Thanks: 1
Registered: ‎05-04-2007

Re: Cryptowall infection

Thanks all for your further thoughts on the matter. One thing to note is that the laptop did actually have about 50GB of user files loaded; they were mostly in the form of files downloaded from iTunes though which is why I say there wasn't much unrecoverable data.
Anyway, I carried out an experiment and restored the laptop using its built-in factory restore facility (which I'd never normally use as no-one's a fan of bloatware) just for the purposes of downloading Genie Backup Manager Pro again to see what'd happen. After installation I did still get a dialog box asking me to download an extra component, which upon closer inspection wasn't really Chinglish, it was just English with poor grammar. After leaving the laptop for a while no infection became apparent so it doesn't appear that was it.
I also checked my mother's browsing history and she had only visited one website in the past few weeks (a very secure work website for which she has the direct URL).
So, considering what ReedRichards said earlier, I think I'm settling on a dodgy Google ad link to Genie being the most likely culprit for the infection. When going to the Genie website for the first time it is quite possible that I Googled it and clicked on a sponsored link; whilst I believe it ultimately directed me to the correct website, perhaps it used a JS exploit on the way there which was my downfall.