This article will help you remove the CloudSword ransomware fully. Follow the ransomware removal instructions provided at the end.
CloudSword ransomware is a cryptovirus, which is a variant of HiddenTear. The virus will place an extension to all files after the encryption process is finished. When your files get encrypted, the CloudSword virus shows a ransom message with instructions for payment. Read further to see what ways you could try to potentially recover some of your files.
|Short Description||The ransomware encrypts files on your PC and after that it displays a ransom note with instructions for payment.|
|Symptoms||The ransomware will encrypt your files and place an extension to every one of them.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by CloudSword |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss CloudSword.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
CloudSword Ransomware – Delivery
CloudSword ransomware might get delivered via different ways. The dropper for the payload file which initiates the malicious script for the ransomware can be found around the Web by the name Windows Update.exe, albeit its original name is cloudsword.exe. You can view the analysis of that executable file from the screenshot of the VirusTotal service, right here:
CloudSword ransomware might be using other delivery ways, such as spreading the payload file dropper through social media and file-sharing websites. Freeware applications which roam the Internet could be presented as useful but also could hide the malicious files of the virus. Don’t open files immediately after you have downloaded them, especially if they come from unverified sources, such as links and emails. You should always scan the files with a security tool before opening them, and check their sizes and signatures for anything that seems unusual. You should read the ransomware preventing tips thread in the forum.
CloudSword Ransomware – In Details
CloudSword ransomware is a cryptovirus, that is a variant of the open-source ransomware project HiddenTear. According to the malware researcher Jiri Kropac, the virus seems to be under active development. Soon, more versions of it might surface. When the CloudSword ransomware encrypts your files, it will append the same extension to all of them.
CloudSword ransomware adds a value to an entry in the Windows Registry to achieve persistence with auto-execution on each boot of the Windows Operating System. That entry is the following:
with the following value (or a similar one):
The ransom note with instructions is found inside the following file:
The not looks like the following:
That ransom note roughly translated into English, reads:
Because you violated Digital Millennium Copyright Act, all your important files have been locked
You must pay “+Network.amount+” bitcoin to the address below within five days, otherwise your unlock key will be lost forever
To unlocked your files and find instructions, go to
If you are using Tor, go to
If you don’t know how to get bitcoins, go to
Or email “+Network.email+”
Do not try decrypt yourself or use other tools
Here lists all encrypted files:
REMINDER: You have only FIVE days to make full payment
The developers of the CloudSword virus are probably still testing it as more versions of the ransomware are being released. You should NOT in any case contact the cyber criminals or pay them as nothing can guarantee you the recovery of your files. Giving money to these crooks will probably just support them financially and inspire them to do more criminal acts.
The CloudSword ransomware seeks to encrypt the following files:
→.accdb, .arch00, .bson, .d3dbsp, .DayZProfile, .dbfv, .divx, .docx, .epub, .forge, .hkdb, .hplg, .html, .ibank, .java, .jpeg, .layout, .mcgame, .mdbackup, .menu, .mpeg, .mpqge, .mrwref, .pptm, .rofl, .sc2save, .sqlite, .syncdb, .text, .unity3d, .vfs0, .wotreplay, .xlsb, .xlsx, .ztmp
The encryption algorithm that is used is believed to be AES and malware researchers say that the ransomware is a variant of the HiddenTear open-source project. Encrypted files will receive one and the same extension appended to them.
The CloudSword cryptovirus has a big possibility to delete the Shadow Volume Copies from the Windows operating system by using the following command in CommandPrompt:
→vssadmin.exe delete shadows /all /Quiet
Read on to find out what methods you could try out to potentially restore some of your data.
Remove CloudSword Ransomware and Restore Your Files
If your computer got infected with the CloudSword ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.