Remove CryptoWall Software and Restore .Encrypted Files

Researchers report a new ransomware virus associated with the e-mail address helprecover@ghostmail.com. It leaves files named _HOW_TO_DECRYPT on the victim's computer and appends the .encrypted file extension after it encodes the infected user's files. The encoder has been reported to use the name CryptoWall, the biggest ransomware by impact ever to appear on the web. Files encrypted by this virus can no longer be opened by any software, and the cyber-criminals advise affected users not to try removing the threat or restoring the files themselves. Malware researchers, however, strongly recommend removing the CryptoWall Software ransomware and looking for alternative methods, like the ones in this article, to restore the encrypted files.

Threat Summary

Name: CryptoWall
Type: Ransomware
Short Description: Encrypts the user's files with strong encryption and then drops the "_HOW_TO_DECRYPT.bmp" ransom note file.
Symptoms: Encrypted files have no icon, can no longer be opened and have the .encrypted file extension added to them.
Distribution Method: Via an exploit kit or other malicious tools.
Detection Tool: See If Your System Has Been Affected by CryptoWall
User Experience: Join our forum to discuss CryptoWall.

CryptoWall Software – How Does It Spread

The notorious CryptoWall has previously used many different methods to spread online and infect unsuspecting users. There is no evidence that the same people are behind the original CryptoWall virus, so the group behind this "CryptoWall" software threat may have used its own set of tools to spam and infect successfully:

One method it may employ is massive spam e-mail campaigns. E-mails spammed by the CryptoWall Software virus may appear to be legitimate messages from services or websites the user is registered with, for example:

  • “Your PayPal transaction is complete.”
  • “You have incoming transfer.”
  • “Confirmation letter for deadline.”
  • “Your project report.”

Such e-mails may contain malicious attachments that pretend to be legitimate documents, or malicious URLs that lead to drive-by downloads and other attacks, usually after a browser redirect.

Besides those widespread methods, the malware may also be distributed via referral spam, Facebook spam bots, hijacked accounts and similar channels.

CryptoWall Software Ransomware In Depth

As soon as it has infected your computer system, CryptoWall may immediately begin to deploy malicious files under different names in key Windows folders, like the ones below:

[Image: commonly used file names and folders]

After the files are dropped, the CryptoWall software ransomware may modify the Windows registry so that the malicious executable that encrypts files runs whenever Windows starts. The keys targeted for this are the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Once this is done, the CryptoWall Software virus gets down to the encryption itself. It may use strong AES or RSA (or both) encryption in CBC (Cipher Block Chaining) mode, which corrupts the files if you try to decrypt them directly with other programs.

Similar to older versions of CryptoWall, this variant may look for and encrypt files with the following extensions:

.3dm, .3ds, .3fr, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .accde, .accdr, .accdt, .ach, .acr, .act, .adb

After encrypting a file, CryptoWall software appends the .encrypted extension. An encoded file is effectively broken and looks like the following example:

[Image: an encrypted "confirmation bill" file with the .encrypted extension]

After encoding the files, CryptoWall software ransomware may drop the following file either in the encrypted folders or another location like:

C:\Users\{User's Profile}\Desktop\_HOW_TO_Decrypt.bmp

The image may be set as wallpaper by modifying values in the following key:

HKEY_CURRENT_USER\Control Panel\Desktop
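The autorun keys and the wallpaper value above are the first places a responder checks on a suspected machine. The PowerShell below is an added example, not code from the original article or from SensorsTechForum: it reads those keys without modifying anything and flags any entry whose executable lives in a user-writable folder or cannot be found. The list of "suspicious" root folders is this example's own heuristic, not something the article states.

```powershell
# Added example, not from the original article: read-only audit of the autorun
# keys listed above and of the wallpaper value. Run from an elevated PowerShell
# prompt. The "suspicious roots" list is this example's own heuristic.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# Folders a dropper typically writes to; a legitimate autorun rarely starts here.
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ }

# Registry-provider metadata that Get-ItemProperty adds to every result.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath([string]$command) {
    # Extract the executable from a command line such as  "C:\x\a.exe" /s  or  C:\x\a.exe /s
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command.Trim() -split '\s+', 2)[0]
}

function Test-SuspiciousPath([string]$path) {
    if ([string]::IsNullOrWhiteSpace($path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($path)
    foreach ($root in $suspiciousRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    if ([IO.Path]::IsPathRooted($expanded)) { return -not (Test-Path -LiteralPath $expanded) }
    # Bare names (rundll32.exe ...) are acceptable only if they resolve through PATH.
    return -not (Get-Command -Name $expanded -ErrorAction SilentlyContinue)
}

foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }          # RunServices* keys often do not exist
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $flag = if (Test-SuspiciousPath (Get-CommandPath $p.Value)) { 'REVIEW' } else { 'ok' }
        '{0,-6} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# Winlogon\Userinit should contain only userinit.exe; anything appended after the
# comma is started at logon and deserves a look.
$userinit = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
'Winlogon\Userinit = {0}' -f $userinit

# The Load and Run values under this key are a rarely used autostart location.
$ntWindows = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($v in 'Load', 'Run') {
    if ($ntWindows.$v) { 'REVIEW HKCU\...\Windows NT\CurrentVersion\Windows\{0} = {1}' -f $v, $ntWindows.$v }
}

# The ransom note is shown as wallpaper through this value.
$wallpaper = (Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper
if ($wallpaper -match '_HOW_TO_Decrypt') { 'REVIEW Wallpaper points at the ransom note: {0}' -f $wallpaper }
```

Entries marked REVIEW are not automatically malicious; software that installs per-user (updaters, chat clients) also starts from AppData. Compare each flagged path against what you know is installed, and take a copy of the executable before deleting it so it can be scanned or submitted for analysis.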

The image contains a very long ransom message that aims to scare the user into paying 1 BTC as ransom:

[Image: CryptoWall Software ransom note]

Judging by the ransom note, the team behind this "variant" of CryptoWall is oriented towards automating its service. They may be using an automatic key-sending bot that reads specific lines of an e-mail. Another theory is that the creators only pretend to have an automated reply system, to make their virus look extremely widespread and to avoid negotiating over the files. Whatever the case may be, malware analysts strongly advise users against paying 1.00 BTC to CryptoWall's creators.

Remove CryptoWall Software and Restore .Encrypted Files

Since the CryptoWall Software virus uses the .encrypted extension, it may have something in common with other ransomware viruses that use the same extension.

If you are infected with the CryptoWall Software ransomware, we strongly advise that you follow the instructions below. They are methodically designed to help you remove the CryptoWall virus from your computer. In step "3. Restore files encrypted by CryptoWall" below you may also find alternative methods to try to recover your files, but bear in mind that they may only work for some of your files, not all of them. Since CryptoWall may use CBC encryption mode, we also advise users to avoid direct file decryptors or, if trying them, to make copies of the encrypted files first so that you have a backup in case the decryption attempt damages them.
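The .encrypted extension, the _HOW_TO_Decrypt note and the advice above to copy encrypted files before trying any decryptor can be turned into a small triage routine. The PowerShell below is an added example, not the article's or SensorsTechForum's code: it counts affected files and folders, derives the original file types from the file names, and copies every encrypted file, with a SHA-256 manifest, to a backup folder. The root and backup paths are assumptions.

```powershell
# Added example, not from the original article: inventory the damage done by a
# ".encrypted" ransomware run and copy the encrypted files somewhere safe before
# any decryptor touches them. Root and backup paths are assumptions.

function Get-RansomwareImpact([string]$Root) {
    $encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.encrypted' -ErrorAction SilentlyContinue)
    $notes     = @(Get-ChildItem -Path $Root -Recurse -File -Filter '_HOW_TO_Decrypt*' -ErrorAction SilentlyContinue)

    # The original type survives in the name: "bill.pdf.encrypted" -> ".pdf".
    $byType = $encrypted |
        Group-Object { [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($_.Name)).ToLower() } |
        Sort-Object Count -Descending

    [pscustomobject]@{
        EncryptedFiles  = $encrypted.Count
        RansomNotes     = $notes.Count
        AffectedFolders = @($encrypted.DirectoryName | Select-Object -Unique).Count
        ByOriginalType  = @($byType | ForEach-Object { '{0}={1}' -f $_.Name, $_.Count })
        NoteLocations   = @($notes.FullName)
    }
}

function Backup-EncryptedFiles([string]$Root, [string]$Backup) {
    # Copies keep the relative folder layout; the SHA-256 manifest lets you prove a
    # copy is still pristine after a failed decryption attempt on the original.
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    New-Item -ItemType Directory -Path $Backup -Force | Out-Null

    $rows = foreach ($f in Get-ChildItem -Path $rootFull -Recurse -File -Filter '*.encrypted' -ErrorAction SilentlyContinue) {
        $relative = $f.FullName.Substring($rootFull.Length).TrimStart('\')
        $dest     = Join-Path $Backup $relative
        New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
        [pscustomobject]@{
            Source = $f.FullName
            Backup = $dest
            Sha256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        }
    }
    $manifest = Join-Path $Backup 'manifest.csv'
    $rows | Export-Csv -LiteralPath $manifest -NoTypeInformation
    '{0} files copied to {1}; manifest: {2}' -f @($rows).Count, $Backup, $manifest
}

# Usage (paths are assumptions; point Backup at a drive the ransomware has not touched):
Get-RansomwareImpact -Root $env:USERPROFILE | Format-List
Backup-EncryptedFiles -Root $env:USERPROFILE -Backup 'E:\encrypted-backup'
```

Run the inventory first and keep its output: the count of affected folders and the note locations tell you how far the encryption ran, and the per-type breakdown shows which data is worth the effort of a recovery attempt. Only work on the originals once the manifest confirms the backup copies hash correctly.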

Manually delete CryptoWall from your computer

Note! Important notice about the CryptoWall threat: manual removal of CryptoWall requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptoWall files and objects
2. Find malicious files created by CryptoWall on your PC
3. Fix registry entries created by CryptoWall on your PC

Automatically remove CryptoWall by downloading an advanced anti-malware program

1. Remove CryptoWall with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptoWall in the future
3. Restore files encrypted by CryptoWall
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
