Trying to recover from an infected Cryptowall hard disk


faraflunz

Hello,

 

I have a hard disk infected with Cryptowall, so files are encrypted and have a random 7-digit extension at the end of the name.

Cryptowall encrypts data then deletes the original files, so I'm trying Recuva to recover them.

It seems to work, but when I restore files, Windows says that files are "damaged or corrupted" or something similar. Inside, the files are garbage.

It seems to me that Recuva restores the file name leaving data encrypted. It happens with all files.

 

I tried Photorec: it works, so restored files are readable, but this software can't recover directory structure or file names, so I get something like 100.000 or more recovered files to check inside to find my data :-(

 

Any help, advice, suggestion, doc link or psychological support will be very appreciated.

 

Have a nice day!

 

Daniele


  • Moderators

This is the go-to forum for files encrypted by malware, e.g. Cryptowall, Tesla Crypt etc.

 

http://www.bleepingcomputer.com/forums/f/45/general-security/

 

You cannot recover encrypted files using Recuva.

 

They need to be decrypted using one of the tools provided at that site.

 

Note not all encrypted files have decrypters available.

 

A post from that forum I linked to which may prove helpful

 

http://www.bleepingcomputer.com/forums/t/602695/cryptowall-trojan-ransonware-virus/?do=findComment&comment=3912460

 

Good luck.

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 


Thanks for your reply, Hazelnut :-)

 

I don't want to decrypt encrypted data.

I want to recover original (unencrypted) files deleted by Cryptowall.

This is the 2nd method mentioned in this bleepingcomputer FAQ:

 

www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#restore

 

For some reason, Recuva recovers deleted files, but they seem encrypted because their content is garbage.

This is my problem.

 

Daniele
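
Added example, not part of the original thread: a small Python triage script for the situation described in the posts above, where a folder of recovered files mixes readable originals with data that looks like garbage. It checks each file for a known header first and only then measures byte entropy; the signature list, the 64 KiB sample size and the 7.5 bits/byte cut-off are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Common file headers (magic bytes). Short illustrative list, not exhaustive.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole (doc/xls)",
}
SAMPLE = 64 * 1024     # bytes read from the start of each file (assumed size)
ENTROPY_LIMIT = 7.5    # assumed cut-off in bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 mean the data looks random."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(data: bytes) -> str:
    """Header check comes first: compressed formats are high-entropy but valid."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return "header-ok:" + kind
    if shannon_entropy(data) > ENTROPY_LIMIT:
        return "likely-encrypted"
    return "no-known-header"

def triage(folder: str) -> dict:
    """Classify every file under folder; returns {relative path: verdict}."""
    results = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                results[os.path.relpath(path, folder)] = classify(fh.read(SAMPLE))
    return results

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for rel, verdict in sorted(triage(sys.argv[1]).items()):
            print(f"{verdict:24} {rel}")
    else:  # constructed samples, not real recovered files
        print(classify(b"\xff\xd8\xff\xe0" + bytes(64)))
        print(classify(os.urandom(4096)))
```

Run it with a folder path as the only argument to get one verdict per file; it only reads the files and changes nothing on disk.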


  • Moderators

That is why you really need to post over at Bleepingcomputer forums as this is a specialist area (recovering encrypted files) and you are having issues doing it. It is not set in stone that those deleted unencrypted backups are recoverable.

 

It is beyond the scope of the forum to give advice on this (I wish I could say otherwise, Daniele).

 
