The Shadow Lurks, But Relax, it is a Friend Not a Foe
 
Posted 105 days ago on 2/11/2018
Take Away:

This article discusses a software utility called “ShadowExplorer” that can, depending on the situation, recover many of your files after they have been encrypted by the vicious ransomware “Cryptowall”.

KB102833



A few years ago, a customer called me about a problem he and his wife were having with their Windows desktop computer. After I arrived at their home to inspect what had happened, I discovered that none of the documents in the user account folder could be opened. Microsoft Word and Excel would not open documents with “.doc” and “.xls” file extensions as they normally would. I also saw a few Microsoft Notepad text documents on the desktop stating that the files on the PC had been encrypted, along with some instructions for recovering them. I wasn’t quite sure what to make of this, so I began to research it on the internet.

After a short while, I realized this PC had been struck by the vicious ransomware known as “Cryptowall”. This diabolical curse was summoned from the bowels of hell, being released around April 2014 from what I have read courtesy of http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#CryptoWall. The demon malware scans your computer for data files and encrypts them with “RSA encryption” so they can no longer be opened by their counterpart application software. The previously mentioned Microsoft Notepad documents were instructions for accessing the “Cryptowall Decryption Service” so the defenseless victim can purchase a decryption program for 500 USD initially, rising to 1,000 USD after 7 days. This ransom must be paid in Bitcoins and sent to a Bitcoin address that changes per infected user. It goes without saying that this is especially devastating to those who did not make backups of their files to external media or a cloud-based backup service. Unfortunately, that was the case here.

At this point, I had a sinking feeling that their documents would be lost forever unless the customer paid off the crooks. And if the customer did cough up the ransom money and their “Cryptowall Decryption Service” turned out to be an illusion, then what? There had to be a better way. For the record, I’m no rookie at recovering lost data. I regularly use data transfer cables to grab files and folders off crashed disks that won’t boot. I also use a data recovery program for retrieving files and folders from disk drives that don’t even appear as distinct drive letters when plugged into viable, functioning computers. But this was a whole new challenge for me, so I had to go back to the internet to hopefully find a way to get their files back.

So there I was, scouring cyberspace for viable remedies for “Cryptowall”. I eventually came across a web page that said the “Volume Shadow Copy Service” of the computer may contain backups of folders for certain dates. The article also went on to say that sometimes “Cryptowall” wipes these out when it is infecting a PC. So maybe the “Volume Shadow Copy” was there and maybe it wasn’t…I had to give it a shot for the sake of the customer.

Next, I came across a free utility called “ShadowExplorer” that can recover selected folders from a “Volume Shadow Copy” for a specific date. You can download it from http://www.shadowexplorer.com/downloads.html. This program is really easy to use. After you have it installed, you just double-click the program icon and a small dialog screen appears. In the upper left corner, you will see two drop-downs: one for the drive letter on your disk and another for the date and time of the “Volume Shadow Copy” you will select. After making both selections (typically C: for the drive letter), the folders for the selected “Volume Shadow Copy” appear in the right-hand pane of the dialog screen. Now, highlight the folders you want recovered, right-click the mouse and then click the “Export” option. Next, select the destination folder into which the highlighted folders will be restored. Wait for the progress bar to finish and presto...you have your files and folders back!
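The same recovery the article performs in the ShadowExplorer GUI can be scripted with tools built into Windows. This PowerShell script is an added example, not code from the article or from ShadowExplorer; it assumes an elevated prompt, and the drive letter, source folder, destination and link path held in the variables at the top are placeholders for illustration.

```powershell
# Added example, not from the article or ShadowExplorer: the shadow-copy recovery
# scripted with built-in Windows tools. Run in an elevated PowerShell session.
# The paths below are assumptions for illustration; adjust them to your case.
$DriveLetter   = 'C:'
$SourceSubPath = 'Users\victim\Documents'   # folder to pull out of the snapshot (assumed)
$Destination   = 'D:\recovered\Documents'   # clean, separate volume; never overwrite the originals (assumed)
$LinkPath      = 'C:\shadow_ro'             # temporary directory link onto the snapshot (assumed)

# 1. Shadow copies identify volumes by GUID path, so map the drive letter first.
$volume = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $DriveLetter
if (-not $volume) { throw "Volume $DriveLetter not found" }

# 2. Enumerate snapshots of that volume, newest first (ShadowExplorer's date/time drop-down).
$shadows = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volume.DeviceID |
    Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    throw "No shadow copies exist for $DriveLetter; the ransomware may have removed them, as the article warns."
}
$shadows | Format-Table InstallDate, ID, DeviceObject -AutoSize

# 3. Take the newest snapshot; choose an older index if the newest postdates the infection.
$chosen = $shadows[0]

# 4. Expose the snapshot as a read-only directory through a symbolic link.
#    The trailing backslash on the GLOBALROOT target is required.
$target = "$($chosen.DeviceObject)\"
cmd /c mklink /d "$LinkPath" "$target" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mklink failed (is this an elevated session?)" }

try {
    # 5. Copy the folder tree out of the snapshot (ShadowExplorer's Export step).
    #    Robocopy exit codes below 8 mean success or nothing to copy.
    robocopy (Join-Path $LinkPath $SourceSubPath) $Destination /E /COPY:DAT /R:1 /W:1 /NP
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit code $LASTEXITCODE)" }
    Write-Host "Restored $SourceSubPath from snapshot of $($chosen.InstallDate) to $Destination"
}
finally {
    # 6. Remove only the link, never its contents; rmdir on a directory link does exactly that.
    cmd /c rmdir "$LinkPath" | Out-Null
}
```

Restore to a separate, clean volume so the encrypted originals stay untouched for later analysis, and verify a few restored documents open before declaring the recovery complete.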

As mentioned before, this won’t work if “Cryptowall” has nuked all of your “Volume Shadow Copies”. The best remedy by far is to make regular data backups to external hard drives, flash drives, DVDs or the cloud. Then the ransomware’s demand for payment will fall on deaf ears, as it should.

Article contributed by Douglas.M