Remove CloudSword Ransomware and Restore Your Files

Remove CloudSword Ransomware and Restore Your Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will help you remove the CloudSword ransomware fully. Follow the ransomware removal instructions provided at the end.

CloudSword ransomware is a cryptovirus, which is a variant of HiddenTear. The virus will place an extension to all files after the encryption process is finished. When your files get encrypted, the CloudSword virus shows a ransom message with instructions for payment. Read further to see what ways you could try to potentially recover some of your files.

Threat Summary

Short DescriptionThe ransomware encrypts files on your PC and after that it displays a ransom note with instructions for payment.
SymptomsThe ransomware will encrypt your files and place an extension to every one of them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by CloudSword


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CloudSword.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CloudSword Ransomware – Delivery

CloudSword ransomware might get delivered via different ways. The dropper for the payload file which initiates the malicious script for the ransomware can be found around the Web by the name Windows Update.exe, albeit its original name is cloudsword.exe. You can view the analysis of that executable file from the screenshot of the VirusTotal service, right here:

CloudSword ransomware might be using other delivery ways, such as spreading the payload file dropper through social media and file-sharing websites. Freeware applications which roam the Internet could be presented as useful but also could hide the malicious files of the virus. Don’t open files immediately after you have downloaded them, especially if they come from unverified sources, such as links and emails. You should always scan the files with a security tool before opening them, and check their sizes and signatures for anything that seems unusual. You should read the ransomware preventing tips thread in the forum.

CloudSword Ransomware – In Details

CloudSword ransomware is a cryptovirus, that is a variant of the open-source ransomware project HiddenTear. According to the malware researcher Jiri Kropac, the virus seems to be under active development. Soon, more versions of it might surface. When the CloudSword ransomware encrypts your files, it will append the same extension to all of them.

CloudSword ransomware adds a value to an entry in the Windows Registry to achieve persistence with auto-execution on each boot of the Windows Operating System. That entry is the following:


with the following value (or a similar one):

→%USERPROFILE%\6b0bea438cedbac32bc81b53c445a344\Windows Update.exe

The ransom note with instructions is found inside the following file:

  • Warning警告.html

The not looks like the following:

That ransom note roughly translated into English, reads:

Because you violated Digital Millennium Copyright Act, all your important files have been locked
You must pay “+Network.amount+” bitcoin to the address below within five days, otherwise your unlock key will be lost forever
To unlocked your files and find instructions, go to
If you are using Tor, go to
If you don’t know how to get bitcoins, go to
*** ***
Or email “”
Do not try decrypt yourself or use other tools
Here lists all encrypted files:
REMINDER: You have only FIVE days to make full payment

The developers of the CloudSword virus are probably still testing it as more versions of the ransomware are being released. You should NOT in any case contact the cyber criminals or pay them as nothing can guarantee you the recovery of your files. Giving money to these crooks will probably just support them financially and inspire them to do more criminal acts.

The CloudSword ransomware seeks to encrypt the following files:

→.accdb, .arch00, .bson, .d3dbsp, .DayZProfile, .dbfv, .divx, .docx, .epub, .forge, .hkdb, .hplg, .html, .ibank, .java, .jpeg, .layout, .mcgame, .mdbackup, .menu, .mpeg, .mpqge, .mrwref, .pptm, .rofl, .sc2save, .sqlite, .syncdb, .text, .unity3d, .vfs0, .wotreplay, .xlsb, .xlsx, .ztmp

The encryption algorithm that is used is believed to be AES and malware researchers say that the ransomware is a variant of the HiddenTear open-source project. Encrypted files will receive one and the same extension appended to them.

The CloudSword cryptovirus has a big possibility to delete the Shadow Volume Copies from the Windows operating system by using the following command in CommandPrompt:

→vssadmin.exe delete shadows /all /Quiet

Read on to find out what methods you could try out to potentially restore some of your data.

Remove CloudSword Ransomware and Restore Your Files

If your computer got infected with the CloudSword ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share