
Can CryptoWall 2.0 disable boot?

Discussion in 'General Malware And Security' started by Tony D, Nov 17, 2014.

  1. Tony D

    Tony D Administrator Administrator

    Joined:
    Sep 25, 2009
    Messages:
    5,157
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    I'm working on a W7 Home Premium machine that won't boot. It gets past POST and then the screen just kinda flickers. It flashes like it's going to load Windows, then goes back to a black screen and repeats.

    When I connected the hard drive to another computer to recover files, I saw that it was hit by CryptoWall 2.0. The users didn't mention this. There weren't many files on the computer. I couldn't open the photos. I assume she just ignored the warnings to decrypt her files.

    To get it to boot, I tried System Restore - there were no restore points. I tried Startup Repair. That was no help. I tried replacing the registry hives: Default, Sam, Security, Software, and System. No joy there either.

    When trying to boot to the recovery partition, I just got the blinking underscore at the top left corner of the screen. The recovery files were definitely on the recovery partition. I did note that CryptoWall left instructions on how to recover files on that partition also.

    I thought CryptoWall only encrypts user files. Is it possible that if the user doesn't pay within a certain time period, that CryptoWall then goes to the registry and recovery partition to disable the computer from booting?
     
  2. allheart55 (Cindy E)

    allheart55 (Cindy E) Administrator Administrator

    Joined:
    Jun 11, 2009
    Messages:
    10,620
    Location:
    Pennsylvania
    Operating System:
    Windows 10
    Computer Brand or Motherboard:
    ASUS M4A77TD AM3 AMD 770 ATX AMD
    CPU:
    AMD Phenom II X6 1090T-Thuban 3.2GHz
    Memory:
    Crucial-DDR3 SDRAM 1333-8GB
    Hard Drive:
    WD Caviar Black SE HDD 640 GB - WD Caviar Black SE HDD 500 GB
    Graphics Card:
    Sapphire Radeon HD-7870 2GB
    Power Supply:
    CORSAIR CMPSU-750W
  3. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi Tony,

    Sorry for the delay.

    CryptoWall 2.0 is the newer version.
    I haven't seen anything about disabling Boot ...... but there's no telling, if it did it may not be intentional.
    After all ..... if you can't Boot the system, you can't pay the ransom.

    In October 2014 the malware developers released this latest version, which resolved some problems in the original version.
    These changes include developer run Web-to-TOR gateways, unique bitcoin addresses for each victim, and secure deletion of original unencrypted files.

    These new changes make it better for the malware developer and harder for a victim to recover their files for free.
    CryptoWall will now securely delete your original data files. Originally, CryptoWall would encrypt your data files and then just delete the original. It would then be possible to use data recovery tools to try and recover your data. Now that CryptoWall is securely deleting your data, this method will no longer work and you will need to restore from backups or pay the ransom.

    Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key. Also, any decryption tools that have been released by various companies will not work with this infection. The only methods you have of restoring your files are from a backup, file recovery tools, or if you're lucky, from Shadow Volume Copies.

    Updated CryptoWall 2.0 ransomware released that makes it harder to recover files
     
  4. Tony D

    Thanks Starbuck. Maybe it's just a coincidence. The user was hit with CryptoWall on Nov 11. He didn't pay any attention to it. Then about 2 weeks later, his computer wouldn't boot. Additionally, I couldn't recover using the recovery partition. I was wondering if CryptoWall had some kind of time bomb whereby, if the user didn't pay for the recovery after some period of time, it continued to encrypt system files. That would prevent the computer from booting, in addition to messing with the recovery partition files.
     
  5. starbuck

    From what I've read...
    With CryptoWall, the ransom starts at $500. You have 24 hours to pay that ransom. If you don’t pay it, then the ransom goes up to $1000 and you have another 24 hours to pay that. If you don’t pay it, the ransom goes up to $1500 and you have yet another 24 hours to pay it. If you don’t, the decryption key is destroyed and there is no way to decrypt your files.

    It's not the system files they go after.... it's the personal files/folders.

    2 weeks seems quite a long time.
    CryptoWall isn't that difficult to get rid of.... most security programs can deal with it now.
    It's the encrypting of the files/folders that's the big problem.... there's no third party program that can decrypt them.
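The two points above (the malware overwrites and securely deletes personal files, but leaves system files alone) are exactly what you want to confirm when a drive is triaged offline the way Tony did, by attaching it to a clean machine. The script below is an added example, not code from this thread or from any vendor: it walks a mounted volume, flags files whose leading bytes no longer match the format their extension or name implies (a .jpg without the JPEG marker, a registry hive without the "regf" header) or whose content has ciphertext-level entropy, and reports separately which hits sit under the user profiles and which sit under Windows. The ransom-note filename marker and the sample directory tree are constructed placeholders, not the real CryptoWall note names or a real infected disk.

```python
"""Offline triage of a drive hit by file-encrypting ransomware (added example)."""
import math
import random
import tempfile
from pathlib import Path

# Expected leading bytes for common personal-file formats. A .jpg that no longer
# starts with its JPEG marker has almost certainly been overwritten with ciphertext.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Registry hives carry no extension but always start with "regf"; this is how we
# confirm the hives Tony swapped out were intact rather than encrypted.
HIVE_NAMES = {"default", "sam", "security", "software", "system"}
# Placeholder substring for ransom-note filenames (assumption; real names vary by variant).
NOTE_MARKER = "DECRYPT"
ENTROPY_THRESHOLD = 7.5   # bits per byte: English text is ~4-5, ciphertext is close to 8
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """Magic-byte mismatch for known formats, entropy fallback for everything else."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < 64:            # too small to judge either way
        return False
    ext = path.suffix.lower()
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    if path.name.lower() in HIVE_NAMES:
        return not head.startswith(b"regf")
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: Path) -> dict:
    """Classify every file under root; paths are reported relative to root."""
    report = {"encrypted_user_files": [], "encrypted_system_files": [], "ransom_notes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if NOTE_MARKER in path.name.upper():
            report["ransom_notes"].append(rel.as_posix())
            continue
        if not looks_encrypted(path):
            continue
        bucket = "encrypted_system_files" if rel.parts[0].lower() == "windows" else "encrypted_user_files"
        report[bucket].append(rel.as_posix())
    return report


def build_sample_tree() -> Path:
    """Constructed fixture mimicking an offline drive; not a real infected disk."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    rng = random.Random(7)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))  # stand-in for encrypted content
    files = {
        "Users/alice/Pictures/photo.jpg": ciphertext,
        "Users/alice/Documents/notes.txt": b"Grocery list: milk, eggs, bread.\n" * 40,
        "Users/alice/Documents/HELP_DECRYPT_PLACEHOLDER.txt": b"Your files have been encrypted ...\n" * 4,
        "Windows/System32/config/SYSTEM": b"regf" + b"\x00" * 508,
        "Windows/System32/kernel32.dll": b"MZ" + b"\x00" * 1000,
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for key, hits in triage(build_sample_tree()).items():
        print(f"{key}: {hits}")
```

On a real case, point `triage()` at the mount point of the attached drive instead of the fixture. An empty `encrypted_system_files` list alongside a populated `encrypted_user_files` list is the pattern Pete describes, and it tells you the boot failure has a different cause; a populated system list would be the evidence needed before blaming the malware for it.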
     
  6. Tony D

    Thanks again Pete. Must have been a coincidence.
     
  7. Rich M

    Rich M Guest

    Joined:
    Dec 24, 2013
    Messages:
    4,580
    Location:
    NE Pa USA
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    MSI Z97 PC Mate LGA 1150 Intel Z97
    CPU:
    Intel i7 4790K 4.0Ghz
    Memory:
    Corsair Vengeance 16GB (2x8GB) DDR3 2133
    Hard Drive:
    Crucial 256 Gb SSD+ WD Raptor 300 Gb Sata III
    Graphics Card:
    Radeon R9 280 2GB HDMI
    Power Supply:
    Seasonic 750 watt
    Tony, I would believe it is coincidence because, once again, if their goal is to collect a ransom, they need the PC to at least boot enough to give the user the information.
    BTW, one thing that I am now certain of is that Emsisoft prevents this whole problem, and I just became a reseller. Tony, the deal is incredible to make money on, and where you belong to the LinkedIn group I do, you can get an even better price. Please call me or email me if interested, as I am done with Malwarebytes since it does not prevent this incursion. You can make over 100% on this legitimately as a reseller, my friends.
     
  8. starbuck

    Now that's a sales pitch if ever I heard one. :)
     
  9. Rich M

    Just excited, Pete. I make nothing on this if anyone wants to rep it... but it's the best deal I have ever seen for reselling software.
     
  10. starbuck

  11. Rich M

    Guess there are no "money hungrys" here as no one even asked!
     
