The one scenario where I've found shadow copies useful with CryptoWall is recovering a share that was infected, since the PC can't delete shadow copies on a server.

Of course, it's a server and should have backups already, but that is beside the point if you're dealing with the infection.

Sent from my Verizon Wireless 4G LTE DROID

Susan Bradley <[email protected]> wrote:

Certain vintages of Cryptolocker actually have a means to get the files back without paying. https://www.decryptcryptolocker.com/ Try that. Cryptowall: not so lucky. CryptoWall and Locker both prove a really, really hard lesson: have a backup. The shadow copy trick is something the attackers realized they left behind, and later variants started nuking the shadow copies.

Susan Bradley
http://blogs.msmvps.com/bradley
http://www.runasradio.com/default.aspx?showNum=390

On 11/1/2014 9:50 PM, Jon Harris wrote:
> I just confirmed all shadow copies were deleted from when the
> infection started. Thanks, at least I have another trick in case I
> have this happen again.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sat, 1 Nov 2014 23:31:25 -0500
>
> There is a hidden, and I mean well hidden, My Documents folder in the
> root and then there is the available Users folder. It sounds like the
> same one. I have only been able to see the My Documents folder using
> a Linux distro, and that is where previously I was able to pull copies
> for the user (not my wife). I only found it then because I was doing
> a scan using the Linux distro to look for bugs. The user did not have
> any copies of some of the software on the system, so a rebuild was not
> possible.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sun, 2 Nov 2014 03:23:00 +0000
>
> Out of curiosity, what is the path you're referring to as a second
> profile?
>
> The only thing I can think of that looks anything like a second copy
> is the "Documents and Settings" junction point on Windows Vista+.
>
> Matthew Topper
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
> Sent: Sunday, November 02, 2014 12:15 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
>
> Windows 7 Pro x64, no domain, and I don't think the shadow copies are
> on. I looked but did not see a restore from shadow copy available. I
> will look again.
>
> Jon
>
> ------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Security question from a non-security person
> Date: Sun, 2 Nov 2014 03:04:49 +0000
>
> The only method anyone has had success with, aside from paying the
> ransom or restoring from backup, is pulling the data from a shadow copy.
>
> Shadow Explorer seems to work well for browsing them, though newer
> instances of the crypto viruses are clearing restore points as part of
> infection.
>
> Matthew Topper
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
> Sent: Sunday, November 02, 2014 12:01 AM
> To: [email protected]
> Subject: [NTSysADM] Security question from a non-security person
>
> I am really hoping someone has an idea of how to go about this.
> Before I start let me say I have only gotten started on this, but it is
> outside my normal area of expertise so I will be looking on the web.
>
> Issue
>
> Wife (yes, my wife) ignored me about doing backups, not blocking
> updates, and being more careful about her browsing habits. She
> managed to get bit by a crypto virus, which I can get the name of if
> necessary. All of her files have been encrypted, including a 5.3 GB
> PST. Her email is Gmail and I set her up to use POP; more than that
> is just too hard for her. She is not dumb by any stretch, just very
> stubborn, and in some computer areas extremely smart. Security is
> just not one of those areas. While I know enough to be able to do
> some simple security work, I don't pretend to be a Security person.
> Anyway, I have removed the bugs; all were specific to her profile only
> (thank God she is only a user). I have used a Linux distro to archive
> the two copies of her profile. You do know there are two copies,
> right? Well, anyway, on a previous virus infection I got lucky (too bad,
> not this time) and only one of the copies was damaged. I am still
> doing some clean-up, but at the moment it appears both copies were
> encrypted. Normally I would just tell the user "so sorry/too bad" and
> blow the machine away and start over. That will not be possible, as
> this is my wife, and those with an SO who like to keep peace in the
> house would know that is not happening unless there is no other way.
>
> Question
>
> Has anyone found a way OTHER than paying these creeps off to get these
> files decrypted? Like I said, I am still in the cleanup and getting
> the machine ready for use again and have not yet done any web
> searches. Oh, and paying them off is not even in the room with the table!
>
> Side note
>
> Why is it the IT person is the one blamed when a user ignores what we
> tell them and gets bit by a bug?
>
> Thanks for any ideas or suggestions,
>
> Jon
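The "shadow copy trick" the thread relies on (browse a VSS snapshot taken before the infection and copy the unencrypted files out), done from the command line instead of Shadow Explorer. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell session on a Vista+ box, and the drive letter, snapshot choice, link path and file path in it are hypothetical placeholders. Enumerating first also answers the question Jon had to answer by hand: whether any snapshots survived, or whether the variant already nuked them as Susan and Matthew describe. On a file server the same enumeration is what you run before deciding whether the share can be recovered without backups.

```powershell
# Added example (not from any poster in this thread): list the VSS
# snapshots still present on a volume and copy one pre-infection file
# out of a chosen snapshot. Run from an elevated PowerShell session.
# Assumptions: drive letter, snapshot index, link path and file paths
# are placeholders; adjust them for the machine you are working on.

function Get-ShadowCopyInventory {
    param([string]$DriveLetter = 'C:')

    # Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ name, so map
    # the drive letter to that first via Win32_Volume.DeviceID.
    $volume = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "No volume mounted at $DriveLetter" }

    # Oldest first: the earliest snapshot is the best pre-infection candidate.
    # An empty result means the snapshots are already gone.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FileFromShadowCopy {
    param(
        # DeviceObject from the inventory, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [Parameter(Mandatory)][string]$DeviceObject,
        # Path inside the volume, e.g. Users\jane\Documents\notes.docx (placeholder)
        [Parameter(Mandatory)][string]$RelativePath,
        # Full path for the clean copy; put it on a different, known-clean drive
        [Parameter(Mandatory)][string]$Destination,
        [string]$LinkPath = 'C:\shadowmount'
    )

    if (Test-Path -LiteralPath $LinkPath) {
        throw "$LinkPath already exists; pick another link path"
    }

    # Copy-Item will not open \\?\GLOBALROOT paths directly, so expose the
    # snapshot through a directory symlink. The trailing backslash on the
    # target is required; without it mklink creates a dangling link.
    cmd /c mklink /d "$LinkPath" "$DeviceObject\" | Out-Null
    try {
        $source = Join-Path $LinkPath $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "$RelativePath is not present in this snapshot"
        }
        # Copy out rather than restore in place: the live volume is still
        # evidence and may still be contaminated.
        Copy-Item -LiteralPath $source -Destination $Destination -Force
        Get-Item -LiteralPath $Destination
    }
    finally {
        # rmdir removes only the link, never the snapshot contents.
        cmd /c rmdir "$LinkPath" | Out-Null
    }
}

# Usage (placeholder values):
$snaps = Get-ShadowCopyInventory -DriveLetter 'C:'
if (-not $snaps) {
    Write-Warning 'No shadow copies left on C:; the variant has already removed them, fall back to backups'
} else {
    $snaps | Format-Table -AutoSize
    Restore-FileFromShadowCopy -DeviceObject $snaps[0].DeviceObject `
        -RelativePath 'Users\jane\Documents\notes.docx' `
        -Destination 'D:\recovered\notes.docx'
}
```

Check the file you pulled out before trusting it: open it from the clean drive and confirm it is the pre-infection version, since a snapshot taken after encryption started will hand you an encrypted copy just as readily. If the inventory is empty on the workstation, the server-side snapshots of any share she wrote to are the next place to look, for the reason given at the top of the thread.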

