Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove CryptoWall 3.0 and Restore the Encrypted Files

A new and improved variant of the CryptoWall ransomware has been infecting computers worldwide in the past few days. The new CryptoWall 3.0 uses a localized ransom message and passes traffic to a website where the victims can pay for the decryption key needed to unlock their files through Tor and I2P anonymous networks.

CryptoWall is a file-encrypting type of threat, which once activated on the infected machine encrypts certain files on it and demands a fine of $500 in order to provide the victim with the decryption key. The ransom is to be paid in Bitcoin digital currency in the first 168 hours.

Threat Summary

Name CryptoWall 3.0
Type Ransomware
Short Description The user’s files are encrypted and unusable.
Symptoms A ransom note is displayed to the victim.
Distribution Method Via malicious attachments.
Detection Tool See If Your System Has Been Affected by CryptoWall 3.0

Download

Malware Removal Tool

User Experience Join our forum to discuss CryptoWall 3.0.

The New Features of CryptoWall 3.0

New Tor to Web gateways are used by the new version of CryptoWall: torman2.com, torforall.com, torroadsters.com, and torwoman.com. Either one of them redirects the victim to the same web page containing the payment instructions, but the IDs for tracking the payments are unique.

The payment period is extended from five days to a whole week, after which the fee is raised to $1000.

The crooks have created additional files containing information about the payment and the restoring of the encrypted data:

  • HELP_DECRYPT.HTML: uses your web browser to display information about the threat, encryption and payment methods
  • HELP_DECRYPT.PNG: contains details about CryptoWall 3.0
  • HELP_DECRYPT.TXT: the same as the previous one, but in plain text
  • HELP_DECRYPT.URL: uses your current web browser to display the CryptoWall 3.0 Decrypt Service when Windows is loaded

CryptoWall3_0-removal
The ransom message displayed by CryptoWall 3.0 reads:

What happened to your files?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 – public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

Once the file-encryption process is over, the original files are deleted. In case you do not have a backup of your files, you could use reliable software to restore them or part of them from the Windows shadow copies. Below you will find detailed instructions on how to do so.

Connection to I2P Fails

The new version of CryptoWall has been detected by security experts at Microsoft and the French researcher Kafeine, who has reported that the communication with the C&C (Command and Control) server is encoded with the RC4 algorithm and uses the I2P protocol.

As Kafeine tried to test the sample of the new threat, he received an error message every time he attempted to connect to the proxies. The notification, the researcher received, stated that the I2P website was not available due to various reasons – inability to connect to systems or congested network. The hackers seemed to be ready for cases like this one, because they have provided detailed instructions on how to gain access to the decryption service on the Tor network.

Cryptowall 3.0 New Distribution Methods (September 4, 2015)

How is Cryptowall 3.0 dropped onto the system?

Cryptowall ransomware has been around long enough for researchers to gather detailed information about its methods. The ransomware is distributed primarily via emails with .ZIP attachments. The latter contain executable files masqueraded as PDFs. The files in question can be any form of business communication such as:

  • Invoices
  • Purchase orders (POs)
  • Bills
  • Complaints

Once the malicious PDF is launched, CryptoWall will be installed onto the system. The malicious files will be located in one of the two folders %AppData% or %Temp%. Then, the threat will start scanning the system’s drivers to find files to encrypt. All drive letters will be scanned, removal drives, network shares and DropBox mapping included. Any drive letter on the infected system will be checked for data files.

Here is a list of all the locations where CryptoWall 3.0 may be situated:

  • %Temp%
  • C:\[random]\[random].exe
  • %AppData%
  • %ProgramData%
  • %LocalAppData%

Can I Find the Files Encrypted by CryptoWall 3.0?

Files encrypted by CryptoWall 3.0 will be stored together with their paths in the Windows Registry. The subkey location is in the following format:

→HKCU\Software\[unique computer ID]\[random ID]

An actual example looks like that:

→HKCU\Software\03DA0C0D2383CCC2BC8232DD0AAAD117\01133428ABDEEEFF

The process will be repeated for every encrypted file under the mentioned key.

ListCwall can be used as well. It is a tool created by Bleeping Computer to automate the finding and exporting of the encrypted files. The tool can also backup the locked files to another location, in case the user needs to archive them and reformat the PC.

Also, here is a list with file extensions which CryptoWall 3.0 seeks to encrypt:

→ .3dm, .3ds, .3fr, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .accde, .accdr, .accdt, .ach, .acr, .act, .adb

User Behavior and Ransomware. Phishing Scams

What we described about the distribution methods so far can mean only one thing – the cyber criminals solely rely on the user’s interaction with malicious spam. The method is known as phishing – a form of social engineering often deployed to spread malware or collect user credentials. This is an exemplary email of how the scam may appear to users:

cryptowall-fake-email

Image Source: Symantec

Cryptowall Precautionary Tips

To bypass malicious infections, avoid downloading archive files such as .zip, .jar, .tar, .7z, .msi, and executable/script files such as .com, .exe, .scr, .bat, .js, .jse, .vb, .vbe, .wsf, .wsh, .cmd. Always bear in mind that real companies would avoid sending such types of files, unless you had a previous arrangement set.

Additionally, you can use online website rating services such as Norton Safe Web to determine if a website is safe or unsafe to visit. With file-encrypting threats, the best precautionary advice is a very simple one. Back-up your files. Aways think of this, especially when your data is valuable and you keep a lot of business documents on your PC.

You can also check out the general precautionary tips we have on our forum about ransomware, which come full force for CryptoWall 3.0 as well.

    IMPORTANT

CryptoWall 3.0 can encrypt files on a network share in case it is mapped as a drive letter. If the network share is not mapped as such, CryptoWall 3.0 will not affect the files located there. To secure open shares, users can allow only writable access to the needed user groups or authorized users. The tip is quite important when it comes to threats such as CryptoWall.

Remove CryptoWall 3.0 and Restore the Encrypted Files

Follow the instructions provided below to remove all traces of this ransomware. Keep in mind that the best and most secure way to do that is by using a strong anti-malware program.

Manually delete CryptoWall 3.0 from your computer

Note! Substantial notification about the CryptoWall 3.0 threat: Manual removal of CryptoWall 3.0 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptoWall 3.0 files and objects
2. Find malicious files created by CryptoWall 3.0 on your PC
3. Fix registry entries created by CryptoWall 3.0 on your PC

Automatically remove CryptoWall 3.0 by downloading an advanced anti-malware program

1. Remove CryptoWall 3.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptoWall 3.0 in the future
3. Restore files encrypted by CryptoWall 3.0
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

  • Greg

    great information! I was infected with the “CRYPTOWALL 3.0” virus recently, it was downloaded from my need to download Google Chrome and the latest Chromecast. It continued to download malware which was very disturbing. If you have heard about this happening when Google Chrome was installed, would you please pass it on to all of your followers.

    thank you and best regards!

    greg

    • Anticryptowall

      Bonjour tout le monde voici une solution, comment protéger vos fichier et documents de ce virus CryptoWall

      https://www.youtube.com/watch?v=kRpJEpJzK1U

      • Milena Dimitrova

        Hi Anticryptowall,

        Are you sure that your method works?

        • Anticryptowall

          Hi Milena Dimitrova
          i did that experience so many times on image disks by various viruses especially by crypto viruses and The result was always positive…

          • Milena Dimitrova

            Hi again,

            What about CryptoWall 3.0, in particular?

  • francis

    my boss got hit and his memory stick was encrypted. he purchased a new memory stick from sandisk that came with a one year subscription to “RescuePRO”and he was prompted to recover files-he inserted his infected stick and the software restored his files onto his new stick and now his files are in a safe VAULT on the new stick.

  • Ina

    please let me know if there is some solution. I was also caught by this while trying to upgrade Chrome. I am in desperate need of a solution as I don’t have any back ups. Every Microsoft file is infected and decrypted

    • Arthur

      me too. all my files can’t be open.

      • Dirk

        With me also and I also do not restore because this feature is not turned on my computer.
        Please someone?

  • tony

    please helppppppppp all my files were protected by a strong encryption with RSA-2048.

  • Vincent Laurent

    Thanks, I removed the virus with SpyHunter but my files are still corrupted and i cannot open them. Please help me… how to repair them????

  • ITResearcher

    YOU ALL SOOO SCREWED…

  • Steve

    With original file, encrypt file and public key used to encrypt file, can you decipher other files that used that public key?

  • jeg fik hele mit data drev krypteret af cryptowall 3.0 igennem ransomware(conhost) og den havde enda kryptere min gendanelsespunkter og backup den eneste måde jeg fik mine filere igen var ved hjælp af recuva da cryptowall sleter original filen og overskriver dem med en krypteret

  • joao

    I have files that cannot be opened too.
    I am going to pay the ransom today or tomorrow.
    I have heard that if we pay the ransom the unblock all the files for sure (99% sure).
    They don’t want the files. They just want the money.
    I try everything to unblock my files. Even new karpersky software. Nothing works.

    Did some one have the same experience?
    Did someone pay the ransom before?
    What happened?

    I will leave my experience here soon.

    • Milena Dimitrova

      Hi joao,

      First of all, sorry to hear you’ve suffered a CryptoWall 3.0 attack!
      Can you please start a topic in our forum – http://sensorstechforum.com/forums/malware-removal-questions-and-guides/? We will try and help you with whatever we can. The forums are more convenient for such discussions 🙂

      Stay tuned,

      the STF team

      • kate

        Hi joao,
        Did you pay it? What the result?
        I have the same problem but i’m trying to solve it..

    • Richard

      Hola Joao, trabajo como técnico en una empresa y unos de los gerentes, fue ataco por este virus, me gustaría saber si pudiste recuperar la información luego de realizar el pago, y que cantidad de información, pudieron recuperar?

    • sham

      have you paid them >?? and recovered your files or not ?

  • Daniel fornerino

    buenas tardes, mi caso es que el equipo fue infectado con el virus, formatee el equipo pero toda la información abre. tengo informacion de vida o muerte y me urge recuperarla. alguien que me pueda colaborar. por favor

    • badGift

      hmm..
      si può restituire il sistema indietro, ma è possibile solo in caso che abbia fato il backup prima.
      Se no- puoì scaricare quelche programma di ricuperazione come recuva ,getdatabach o diskdrill..però, purtroppo tali software non recuperanno il 100% ,solo i dati eliminati recentemente . ecco uno dei tali programma http://www.cleverfiles.com/disk-drill-windows.html
      forse ti aiuti,

  • Vencislav Krustev

    Hello, Fornerino

    In case you have been infected with Cryptowall, it is important to know that it uses a VERY strong algorhitm, called RSA-2048. Its decryption may take years to complete. We advise you to try restoring your files by going to a professional data recovery expert or attempting to use on of the aftermentioned tools:

    Kaspersky Rector Decryptor

    This decryption tool is very simple to use and
    http://support.kaspersky.com/viruses/utility#rectordecryptor

    EaseUS Data Recovery Wizard Free

    Here is a free program which uses different methods to search through your computer and recover files that are even deleted beyond all saving. It is no guarantee that it will work, but some say they have recovered at least 10 percent of their files and some other files were partially broken. So in case you want to try it out, here is the download link for the tool:

    http://www.easeus.com/datarecoverywizard/free-data-recovery-software.htm

    Shadow Explorer

    You may as well try running Shadow Explorer in case you have File History or backup enabled. You can download it from here, but note that TeslaCrypt may as well have malicious scripts that delete any backups and previous file versions. Here is the download link for Shadow Explorer:

    http://www.shadowexplorer.com/downloads.html

    Look for the latest version and you may as well download the portable one since it saves you time.

    This is as far as I can suggest, try it and reply whether or not you have been successful. Again, there is absolutely no guarantee that any of the methods are working, but we are talking about encrypted files here, after all so it may be worth the try.

  • Sham

    My all files are encrypted with RSA-4096.

    I can not open any file.They are asking for 500 USD for decryption key. Please anybody can help me to decrypt my files as i don’t have any backup restore.

    • Milena Dimitrova

      Hi Sham,

      First, can you please tell me how you got to know that RSA-4096 was used in your case?

      • SERAS

        Slt Milena!
        Comment tu vas? j’aimerais avoir des notions sur le cryptage, comment cela se passe, avoir un cas pratique!
        Merci d’avance! je laisse mon mail ou si je peux avoir le tien cela me sera d’une très grande utilité

  • sham

    hi Milena..
    I found a ransomware file in my every folder…

  • Milena Dimitrova
  • Jorge

    Todos mis archivos está con extensión vvv no sé cómo desencriptar los estoy muy angustiado por favor ayuda ya elimine Cryptowall tengo encriptados toda mi información de 20 años de trabajo por favor ayuda

    • Milena Dimitrova

      Hi Jorge,

      I am deeply sorry to let you know that without a clean copy of your files, you most likely will not be able to restore your information. You can try using TeslaDecoder and Rakhnidecryptor. However, reports indicate that these decoders won’t help with the .vvv extension that belongs to TeslaCrypt ransomware: http://sensorstechforum.com/remove-teslacrypt-and-restore-vvv-encrypted-files/

      Have you removed the ransomware with an anti-malware program?

  • Walter

    E’ successo anche a me. Il problema e’ che ogni file ha un’estensione diversa 0A/0A1/OMF ECC
    Si puo’ fare qualcosa?

  • dbgn

    Hi, I also caught this virus but it was only too late that I realized it and now all my files are encrypted with RSA-2048. The file extensions were changed and it seems that the extension for each file is different from any other and none are the same. Some of the file extensions I see now are .p468t,.16G, .n7r0, .us7m, .25sq, .xo3r4 and so many more. I need help.

    • Hello @dbgn
      This is typical for Ransomware infections such as CTB Locker and CryptoWall 4.0. In order for me to be able to adequately provide you with assistance I would like you to send me a snip or a screenshot of any ransom message that you may see. It may be a .txt file on your desktop or a picture.

      Use this Forum Topic To Attach A Screenshot In Your Reply

      • walter

        hello , I invierei a file , but I do not know ‘ how to attach it to this message

  • hello vencislav
    mz laptop is infected with thee teslacrzpt virus and all mz files are encrzpted with RSA-4096 key
    could zou help me_ please

  • Ter

    Hi, Friends! My Pc was infected, i do eliminate ransomware using spyhunter, but muy files stay encrypted with .MICRO extention. ¿How i can decrypt the files? Thanks!!

  • Shihas

    Hi Milena , one of our system got infected with this cryptowall 3 and encrypted the files with .micro extension. I was able to remove the malware but after two days, one of our Network attached storage got affected as well. Now I am wondering how that is possible ? I thought only personal files got affected by this script. 🙁

    • Milena Dimitrova

      Hello Shihas,

      Ransomware is often used in attacks on companies. The bad news is there’s still no solution for .micro encrypted files. We assure you however that security experts (us included) are doing their best to fight this threat and beat its encryption.

  • Nani

    i was installed a software .after my .jpg,.mp4 files are changed into a .micro extension .pls help to how to get my old file format .

    • Milena Dimitrova

      Hi Nani,

      Unfortunately, you have been attacked by the latest version of TeslaCrypt ransomware. We are still trying to figure out how to decrypt files encrypted by it. Once we find a solution, we will share it.

      Have you removed the ransomware from the infected computer?

  • raluca

    Hello! My laptop is infected with Cryptowall3.0. I’ve cleaned it, but all my files are encrypted. Any news on how to dectrypt them?
    Thank you!

  • Yann Bessin

    Il est à noter qu’Europol a pris conscience du problème des ransomwares et propose dorénavant un portail en ligne pour aider les victimes (https://secuweb.fr/europol-portail-lutter-ransomwares/)

  • Dennis

    I have removed the ransomware but now i have encrypted files ending with .albigec. Does anybody now how to decrypt the files? (Cryptowall 3.0)

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.