Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove PhonyWall Ransomware, the CryptoWall 3.0 Copycat

There is a copycat of the CryptoWall 3.0 Ransomware that is infecting computers. It is also known as PhonyWall. It searches for files with many different extensions, overwrites them with its own files and then displays the decryption note of CryptoWall 3.0.

Name PhonyWall Ransomware
Type Ransomware, Trojan
Short Description The PhonyWall Ransomware overwrites a huge portion of the user’s files and demands a payment. Poses as the CryptoWall 3.0 Ransomware.
Symptoms Files are overwritten with the same file size, but unusable. A ransom message is displayed. Information about payment and “decryption” are included in a file that is a copy of CryptoWall’s decryption instructions.
Distribution Method It can be distributed through browsing unsafe sites, malicious email attachments, drive-by downloads, etc.
Detection Tool Download Malware Removal Tool, to See If Your System Has Been Affected by PhonyWall Ransomware
User Experience Join our forum to discuss the PhonyWall Ransomware.

phonywall-phony-wall-ransomware-ransom-note-cryptowall-copy-decrypt-instruction-html

PhonyWall Ransomware – How Did I Get It?

There are a number of ways you could get infected with Trojans such as the PhonyWall Ransomware.

The most common distribution method is known to be through malicious email attachments and spam emails. There are even cases, where an email itself also contains malicious code and upon opening the email, the user infects its computer with it, even if he doesn’t open the attachment inside.

Around social networks and file sharing services there may be similar attachments and files containing the PhonyWall Ransomware, disguised as something else.

Another common way of getting infected with Ransomware is through exploit kits run from legitimate websites. For exploit kits to run, these websites must have been compromised, to have some sort of a security breach. Also, landing suspicious sites with malicious code on them may just as easily get you infected.

PhonyWall Ransomware – In Detail

The PhonyWall Trojan horse is also classified as Ransomware. It is a copycat of CryptoWall 3.0, although not as dangerous. There have been other Ransomware Copycats in the past, pretending to be some other Ransomware. When PhonyWall is executed on a compromised computer it will first create the following two files:

→%UserProfile%\Application Data\Microsoft\Windows\[Random Symbols].exe

→%AllUsersProfile%\Application Data\Microsoft\Windows\[Random Symbols].exe

When those two files are created and hidden, it will inject entries into the Windows Registry:

→HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Type = 0x10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Start = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\ErrorControl =1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\ImagePath =”%ALL_USERS%\Application Data\Microsoft\Windows\[Random Symbols].exe” -run [Parameter] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\DisplayName= “CheckDisk Service”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Description= “Creates and displays a status report for a disk based on the file system. Chkdsk also lists and corrects errors on the disk.”
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_[Random Symbols] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run=”%USERAPPDATA%\Microsoft\Windows\[Random Symbols].exe”-run [Parameter]

The [Parameter] is such, that is passed when the original file is executed.

Afterwards, the Ransomware will overwrite files with ones of the same file size. It will overwrite all files it can find on a compromised computer except files with the following strings, being extensions or prefixes:

→ *.scr *.exe *.msi *.msu *.dll *.ocx *.ax *.com *.sys *.lnk *.inf bootmgr ntldr boot.inintuser.*

The PhonyWall Ransomware does not overwrite files in these directories: Boot, Windows, Program Files settings, System Volume Information. So, System Restore Points and Shadow Volume Copies will still be available and the thing is the program only overwrites files and does NOT encrypt them. It is just trying to scare you into paying the requested sum of money under the false pretense of being CryptoWall 3.0.

The PhonyWall Ransomware will terminate the following processes on the computer:

• *sql*
• *msdtssrvr*
• *fdlauncher*
• *ReportingServicesService*
• *mad*
• *exchange*
• *w3wp*
• *iis*
• *exfba*
• *store*
• *inet*

The Ransomware, then creates a DESCRYPTION_INSTRUCTION.html file. That ransom note instruction file is an exact copy of the CryptoWall 3 one. Although, the user ID for every victim is always “vRRRbw”. The difference here is that CryptoWall uses different, individual keys for each infected computer.

Remove PhonyWall Ransomware Completely

To completely remove the PhonyWall Ransomware Trojan from your computer, you should have at least minimal experience in removing viruses. It is highly recommended to first to back up all of your personal files that you value, no matter if it is encrypted. Afterwards, carefully follow the instructions provided here:

1. Boot Your PC In Safe Mode to isolate and remove PhonyWall Ransomware
2. Remove PhonyWall Ransomware with SpyHunter Anti-Malware Tool
3. Remove PhonyWall Ransomware with Malwarebytes Anti-Malware.
4. Remove PhonyWall Ransomware with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by PhonyWall Ransomware in the future

After its removal, you might try recovering your files, using backups from an external device or cloud if you made such backups in the past, using Windows Restore Points or Shadow Volume Copies.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.