Carsten

Files encrypted (CryptoWire)


A couple of days ago I decided to reset my desktop computer, which is running Windows 10.

After it got reinstalled, I noticed my D and E drives were empty. So I thought I, by mistake, had selected to clear ALL drives and not just the one with my Windows 10 installation. That WAS a possibility, as I was tired at the time.

Then I got myself a data recovery software, and got everything back - or so it seemed. I uploaded a couple of Excel files to my OneDrive cloud, and wanted to work on them. Unfortunately a message came up, saying the files were corrupted.

Later I found out that the files were not corrupted, but encrypted.
https://www.sendspace.com/filegroup/KYmj1Igo4o53DqbunWdFBwnBYLMY83HyIQB1epns3NsbHSqO7ufb6Q

The SendSpace link contains one of the Excel files, a working photo + the same photo, but where it is encrypted. There are also a couple of files named TempFile.txt, TempFile.md5 and TempFile.exe. Those were in a folder I have not created myself, called SpecialDir. When checking the photo + TempFile.txt on https://id-ransomware.malwarehunterteam.com/, I am being told it is encrypted with CryptoWire.

I unfortunately was in the process of organizing files for my OneDrive, which means I had EVERYTHING on my drive ... all 700GB of important data, including photos throughout the past 20 years.

I appreciate all the help I can get!

Addition.txt FRST.txt


Hello

If you have already checked the PC using the Emsisoft Anti-Malware antivirus, then you need to attach a screenshot of the Quarantine or the report of the check.


The forensics log doesn't show scan results. You need to find the log entry in Emsisoft Anti-Malware for the scan, double-click on it, and scroll to the bottom to find the link to view the scan log.

You can also find scan logs in the following folder:

C:\ProgramData\Emsisoft\Reports

 

7 hours ago, GT500 said:

The forensics log doesn't show scan results. You need to find the log entry in Emsisoft Anti-Malware for the scan, double-click on it, and scroll to the bottom to find the link to view the scan log.

You can also find scan logs in the following folder:

C:\ProgramData\Emsisoft\Reports

 

That log entry does not show anything

scan_190725-060455.txt


The log shows the scan didn't find anything. Are you sure that what you're looking for was quarantined/deleted by Emsisoft Anti-Malware?

11 hours ago, GT500 said:

The log shows the scan didn't find anything. Are you sure that what you're looking for was quarantined/deleted by Emsisoft Anti-Malware?

No, I am not sure about that. Like I mentioned in the beginning, I formatted my hard drive and after that my D and E drives were deleted.

It wasn't until a few days ago that I found out about Emsisoft.


I once again analyzed the situation. 

So the check is meaningless. You restored the files to D and E, but they remained encrypted.
Perhaps, there are still some notes about the purchase in text format in folders with encrypted files...

lock-screen.jpg.8275c9fdb680119777d45db33b2cbac5.jpg
BUT if the ransom note was only inside the ransomware screen, then it could be CryptoWire or one of its modifications.
In this case, a sample of the malware is always needed to investigate it. But it is impossible to get one in your case, because Windows has been reinstalled and the data on the C drive is erased.
Download Image

You did not say the reason why you reinstalled the system. There might have been some kind of braking, freezing or other types of computer slowdown. The reason could be the process of encrypting files, in which such problems are quite common.

12 hours ago, Carsten said:

I formatted my hard drive and after that my D and E drives were deleted.

Formatting the hard drive wiped out any traces of the ransomware. In some cases this can make decryption of files impossible, and it is highly recommended not to do this until you know for certain it is safe.

On 7/26/2019 at 12:57 PM, Amigo-A said:

I once again analyzed the situation. 

So the check is meaningless. You restored the files to D and E, but they remained encrypted.
Perhaps, there are still some notes about the purchase in text format in folders with encrypted files...

lock-screen.jpg.8275c9fdb680119777d45db33b2cbac5.jpg
BUT if the ransom note was only inside the ransomware screen, then it could be CryptoWire or one of its modifications.
In this case, a sample of the malware is always needed to investigate it. But it is impossible to get one in your case, because Windows has been reinstalled and the data on the C drive is erased.

You did not say the reason why you reinstalled the system. There might have been some kind of braking, freezing or other types of computer slowdown. The reason could be the process of encrypting files, in which such problems are quite common.

There is no deeper reason as to why I reinstalled. It is something I do from time to time. I'm weird that way :)

My laptop was reinstalled last week.

The Download Image-link, what does that one do?

The last couple of days I have worked on getting my mindset ready to "accept" the fact 95% is gone for good.



 

5 minutes ago, Carsten said:

The Download Image-link, what does that one do?

It was probably designed that way by the developers of the forum engine, so that users can download the file and view it on their PC.


I understood your strategy about reinstalling the system.

But in my opinion, it is still better to learn how to build protection from scratch or using antivirus software.

This is also a good experience, which allows you to avoid many errors in the system and protection.

Later, this experience will allow you to correct any unpleasant case with almost one click.

3 hours ago, Amigo-A said:

I understood your strategy about reinstalling the system.

But in my opinion, it is still better to learn how to build protection from scratch or using antivirus software.

This is also a good experience, which allows you to avoid many errors in the system and protection.

Later, this experience will allow you to correct any unpleasant case with almost one click.

At the time of my reinstallation, I didn't know that I had an issue with encrypted files. It wasn't until afterwards, when I checked my OneDrive, that I noticed those files also didn't work - for instance the Excel files I wanted to work on. I then selected the restore option, and noticed the words "ransomware detected".

image.png
10 hours ago, Carsten said:

There is no deeper reason as to why I reinstalled. It is something I do from time to time. I'm weird that way :)

I recommend imaging over reinstalling, that way you have a backup of all data and the system that you can restore to whenever there's a problem. You should also store system images (or any backups) on removable media and keep it disconnected when not in use.

On 7/28/2019 at 5:59 AM, GT500 said:

I recommend imaging over reinstalling, that way you have a backup of all data and the system that you can restore to whenever there's a problem. You should also store system images (or any backups) on removable media and keep it disconnected when not in use.

It is always easy to say what I should have done. Right now that does not help in any way.

8 hours ago, Carsten said:

It is always easy to say what I should have done. Right now that does not help in any way.

Obviously what's done is done. It was intended as a suggestion for the future. ;)
