SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Malware Removal Questions and Guides => Topic started by: Execute on June 10, 2016, 12:05:12 pm

Title: CryptoWall 3.0 is still raging - how to prevent it?
Post by: Execute on June 10, 2016, 12:05:12 pm
With the CryptoWall 3.0 ransomware (http://sensorstechforum.com/remove-cryptowall-3-0-and-restore-the-encrypted-files/) netting 325 million US dollars to the cyber crooks behind it, there are no signs of it ever stopping.

If you are tech-savvy or knowledgeable about the Windows operating system and its processes, it will be good to know the following key operations which the ransomware performs before encryption:

It calls WinExec(“vssadmin.exe Delete Shadows /All /Quiet”), which deletes the Shadow Volume Copies (the automatic backup of Windows).

It calls WinExec(“bcdedit /set {default} recoveryenabled No”), which prevents Startup Repair from loading automatically if there is a problem.

It calls WinExec(“bcdedit /set {default} bootstatuspolicy ignoreallfailures”), which disables the Windows Error Recovery service on startup.

CryptoWall 3.0 stops the following services, and modifies them so they don't launch on startup:


And after, it deletes the registry key:

HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run.Windows Defender – preventing Windows Defender from loading automatically with each system start.

Deletes the registry key HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellServiceObjects/{FD6905CE-952F-41F1-9A6F-135D9C6622CC} – this disables the security center notifications.

Finally, CryptoWall 3.0 writes HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/SystemRestore.DisableSR = “1” – which disables System Restore.

CryptoWall 3.0 relies on svchost.exe to inject malicious code and perform key functions for the ransomware to operate properly.

If you are aware of that, you might see things in your computer or Task Manager which seem out of place and plain suspicious and act before the encryption has started.

Even if you do not have such skills, the least you should do is put a secondary defense mechanism on your computer.
Specifically for preventing ransomware infections, there are these Anti-Ransomware Tools (http://sensorstechforum.com/the-most-popular-free-anti-ransomware-tools/), which look for such stuff.

Be sure to check the ransomware prevention tips (http://sensorstechforum.com/forums/pc-tips-tricks/tips-about-ransomware/) we have on the forum (don't be shy to write an idea of your own in there).

Note! This is an open discussion topic - write comments, suggestions, ideas or encounters with CryptoWall - we will try to help in any way we can!

Best Regards,
Execute
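Added example, not code from the post or from SensorsTechForum: a small Python scanner that turns the pre-encryption steps listed above (the three WinExec() command lines and the SystemRestore\DisableSR = 1 registry write) into detection rules, runs them over process-creation and registry-write log lines, and raises an alert only when several distinct steps fire on one host inside a short window, so a single legitimate bcdedit change by an administrator does not trigger it. The `ts=... host=... event=... cmdline="..."` log format, the host names and the timestamps are constructed for the example; the parser would need adapting to a real source such as Sysmon Event ID 1 (process create) and 13 (registry value set) exported as text.

```python
"""Flag the CryptoWall 3.0 preparation steps described in the post
(shadow copy deletion, boot recovery disabled, System Restore disabled)
in process-creation / registry-write log lines, then correlate per host.

Added example; the key=value log format below is constructed, not a
real product's output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns derived from the three WinExec() calls quoted in the post.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*?/all\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Registry write quoted in the post: ...\SystemRestore, value DisableSR set to 1.
REGISTRY_RULE = ("system_restore_disabled",
                 re.compile(r"\\SystemRestore$", re.I), "disablesr", "1")

# key=value pairs, values optionally double-quoted (constructed log format).
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample log: one infected workstation, one admin listing shadows
# (benign), and one host with a single, isolated bcdedit change.
SAMPLE_LOG = [
    'ts=2016-06-10T12:05:12 host=WS01 event=process_create pid=2440 ppid=1920 '
    'image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2016-06-10T12:05:13 host=WS01 event=process_create pid=2452 ppid=1920 '
    'image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    'ts=2016-06-10T12:05:13 host=WS01 event=process_create pid=2460 ppid=1920 '
    'image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'ts=2016-06-10T12:05:15 host=WS01 event=registry_set pid=1920 '
    'key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SystemRestore value=DisableSR data=1',
    'ts=2016-06-10T12:07:00 host=ADMIN02 event=process_create pid=3100 ppid=800 '
    'image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe List Shadows"',
    'ts=2016-06-10T08:00:00 host=WS07 event=process_create pid=512 ppid=400 '
    'image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
]


def parse_line(line):
    """Turn one constructed log line into a dict of fields."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_event(fields):
    """Return the name of the rule this event triggers, or None."""
    if fields.get("event") == "process_create":
        cmd = fields.get("cmdline", "")
        for name, pattern in COMMAND_RULES:
            if pattern.search(cmd):
                return name
    elif fields.get("event") == "registry_set":
        name, key_re, value, data = REGISTRY_RULE
        if (key_re.search(fields.get("key", ""))
                and fields.get("value", "").lower() == value
                and fields.get("data") == data):
            return name
    return None


def scan(lines, window=timedelta(minutes=5), threshold=2):
    """Return {host: sorted rule names} for hosts on which at least `threshold`
    distinct rules fired within `window`; the largest such set per host is kept."""
    hits = defaultdict(list)  # host -> [(timestamp, rule)]
    for line in lines:
        fields = parse_line(line)
        rule = match_event(fields)
        if rule:
            hits[fields["host"]].append((datetime.fromisoformat(fields["ts"]), rule))

    alerts = {}
    for host, events in hits.items():
        events.sort(key=lambda e: e[0])
        best = set()
        for i, (start, _) in enumerate(events):
            in_window = {r for t, r in events[i:] if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            alerts[host] = sorted(best)
    return alerts


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

Running the block prints a single alert for WS01 carrying all four rule names; ADMIN02 (listing shadows rather than deleting them) and WS07 (one isolated bcdedit change) stay quiet. The correlation threshold is the design choice that matters: each of these commands has legitimate administrative uses, but the post's point is that CryptoWall runs all of them in quick succession right before encryption, and that sequence, not any one command, is what a secondary defense should key on.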