Remove CryptoWall 3.0 and Restore the Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove CryptoWall 3.0 and Restore the Encrypted Files

A new and improved variant of the CryptoWall ransomware has been infecting computers worldwide in the past few days. The new CryptoWall 3.0 uses a localized ransom message and passes traffic to a website where the victims can pay for the decryption key needed to unlock their files through Tor and I2P anonymous networks.

CryptoWall is a file-encrypting type of threat, which once activated on the infected machine encrypts certain files on it and demands a fine of $500 in order to provide the victim with the decryption key. The ransom is to be paid in Bitcoin digital currency in the first 168 hours.

Threat Summary

NameCryptoWall 3.0
TypeRansomware
Short DescriptionThe user’s files are encrypted and unusable.
SymptomsA ransom note is displayed to the victim.
Distribution MethodVia malicious attachments.
Detection Tool See If Your System Has Been Affected by CryptoWall 3.0

Download

Malware Removal Tool

User ExperienceJoin our forum to discuss CryptoWall 3.0.

The New Features of CryptoWall 3.0

New Tor to Web gateways are used by the new version of CryptoWall: torman2.com, torforall.com, torroadsters.com, and torwoman.com. Either one of them redirects the victim to the same web page containing the payment instructions, but the IDs for tracking the payments are unique.

The payment period is extended from five days to a whole week, after which the fee is raised to $1000.

The crooks have created additional files containing information about the payment and the restoring of the encrypted data:

  • HELP_DECRYPT.HTML: uses your web browser to display information about the threat, encryption and payment methods
  • HELP_DECRYPT.PNG: contains details about CryptoWall 3.0
  • HELP_DECRYPT.TXT: the same as the previous one, but in plain text
  • HELP_DECRYPT.URL: uses your current web browser to display the CryptoWall 3.0 Decrypt Service when Windows is loaded

CryptoWall3_0-removal
The ransom message displayed by CryptoWall 3.0 reads:

What happened to your files?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 – public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

Once the file-encryption process is over, the original files are deleted. In case you do not have a backup of your files, you could use reliable software to restore them or part of them from the Windows shadow copies. Below you will find detailed instructions on how to do so.

Connection to I2P Fails

The new version of CryptoWall has been detected by security experts at Microsoft and the French researcher Kafeine, who has reported that the communication with the C&C (Command and Control) server is encoded with the RC4 algorithm and uses the I2P protocol.

As Kafeine tried to test the sample of the new threat, he received an error message every time he attempted to connect to the proxies. The notification, the researcher received, stated that the I2P website was not available due to various reasons – inability to connect to systems or congested network. The hackers seemed to be ready for cases like this one, because they have provided detailed instructions on how to gain access to the decryption service on the Tor network.

Cryptowall 3.0 New Distribution Methods (September 4, 2015)

How is Cryptowall 3.0 dropped onto the system?

Cryptowall ransomware has been around long enough for researchers to gather detailed information about its methods. The ransomware is distributed primarily via emails with .ZIP attachments. The latter contain executable files masqueraded as PDFs. The files in question can be any form of business communication such as:

  • Invoices
  • Purchase orders (POs)
  • Bills
  • Complaints

Once the malicious PDF is launched, CryptoWall will be installed onto the system. The malicious files will be located in one of the two folders %AppData% or %Temp%. Then, the threat will start scanning the system’s drivers to find files to encrypt. All drive letters will be scanned, removal drives, network shares and DropBox mapping included. Any drive letter on the infected system will be checked for data files.

Here is a list of all the locations where CryptoWall 3.0 may be situated:

  • %Temp%
  • C:\[random]\[random].exe
  • %AppData%
  • %ProgramData%
  • %LocalAppData%

Can I Find the Files Encrypted by CryptoWall 3.0?

Files encrypted by CryptoWall 3.0 will be stored together with their paths in the Windows Registry. The subkey location is in the following format:

→HKCU\Software\[unique computer ID]\[random ID]

An actual example looks like that:

→HKCU\Software\03DA0C0D2383CCC2BC8232DD0AAAD117\01133428ABDEEEFF

The process will be repeated for every encrypted file under the mentioned key.

ListCwall can be used as well. It is a tool created by Bleeping Computer to automate the finding and exporting of the encrypted files. The tool can also backup the locked files to another location, in case the user needs to archive them and reformat the PC.

Also, here is a list with file extensions which CryptoWall 3.0 seeks to encrypt:

→ .3dm, .3ds, .3fr, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .accde, .accdr, .accdt, .ach, .acr, .act, .adb

User Behavior and Ransomware. Phishing Scams

What we described about the distribution methods so far can mean only one thing – the cyber criminals solely rely on the user’s interaction with malicious spam. The method is known as phishing – a form of social engineering often deployed to spread malware or collect user credentials. This is an exemplary email of how the scam may appear to users:

cryptowall-fake-email

Image Source: Symantec

Cryptowall Precautionary Tips

To bypass malicious infections, avoid downloading archive files such as .zip, .jar, .tar, .7z, .msi, and executable/script files such as .com, .exe, .scr, .bat, .js, .jse, .vb, .vbe, .wsf, .wsh, .cmd. Always bear in mind that real companies would avoid sending such types of files, unless you had a previous arrangement set.

Additionally, you can use online website rating services such as Norton Safe Web to determine if a website is safe or unsafe to visit. With file-encrypting threats, the best precautionary advice is a very simple one. Back-up your files. Aways think of this, especially when your data is valuable and you keep a lot of business documents on your PC.

You can also check out the general precautionary tips we have on our forum about ransomware, which come full force for CryptoWall 3.0 as well.

    IMPORTANT

CryptoWall 3.0 can encrypt files on a network share in case it is mapped as a drive letter. If the network share is not mapped as such, CryptoWall 3.0 will not affect the files located there. To secure open shares, users can allow only writable access to the needed user groups or authorized users. The tip is quite important when it comes to threats such as CryptoWall.

Remove CryptoWall 3.0 and Restore the Encrypted Files

Follow the instructions provided below to remove all traces of this ransomware. Keep in mind that the best and most secure way to do that is by using a strong anti-malware program.

Manually delete CryptoWall 3.0 from your computer

Note! Substantial notification about the CryptoWall 3.0 threat: Manual removal of CryptoWall 3.0 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptoWall 3.0 files and objects
2. Find malicious files created by CryptoWall 3.0 on your PC
3. Fix registry entries created by CryptoWall 3.0 on your PC

Automatically remove CryptoWall 3.0 by downloading an advanced anti-malware program

1. Remove CryptoWall 3.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptoWall 3.0 in the future
3. Restore files encrypted by CryptoWall 3.0
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

48 Comments

  1. Greg

    great information! I was infected with the “CRYPTOWALL 3.0” virus recently, it was downloaded from my need to download Google Chrome and the latest Chromecast. It continued to download malware which was very disturbing. If you have heard about this happening when Google Chrome was installed, would you please pass it on to all of your followers.

    thank you and best regards!

    greg

    Reply
    1. Anticryptowall

      Bonjour tout le monde voici une solution, comment protéger vos fichier et documents de ce virus CryptoWall

      https://www.youtube.com/watch?v=kRpJEpJzK1U

      Reply
      1. Milena Dimitrova

        Hi Anticryptowall,

        Are you sure that your method works?

        Reply
        1. Anticryptowall

          Hi Milena Dimitrova
          i did that experience so many times on image disks by various viruses especially by crypto viruses and The result was always positive…

          Reply
          1. Milena Dimitrova

            Hi again,

            What about CryptoWall 3.0, in particular?

  2. francis

    my boss got hit and his memory stick was encrypted. he purchased a new memory stick from sandisk that came with a one year subscription to “RescuePRO”and he was prompted to recover files-he inserted his infected stick and the software restored his files onto his new stick and now his files are in a safe VAULT on the new stick.

    Reply
  3. Ina

    please let me know if there is some solution. I was also caught by this while trying to upgrade Chrome. I am in desperate need of a solution as I don’t have any back ups. Every Microsoft file is infected and decrypted

    Reply
    1. Arthur

      me too. all my files can’t be open.

      Reply
      1. Dirk

        With me also and I also do not restore because this feature is not turned on my computer.
        Please someone?

        Reply
  4. tony

    please helppppppppp all my files were protected by a strong encryption with RSA-2048.

    Reply
    1. BertaB (Post author)

      Hello, Tony!

      CryptoWall is indeed a nightmare and we are sorry to read that you have been affected by it. RSA algorithm has been deployed by many ransomware threats. You can be sure that many users and security specialists have been trying to break the RSA-2048 encryption. More about the RSA-2048 encryption key that has been targeting computers find here: http://sensorstechforum.com/remove-rsa-2048-encryption-key-from-cryptowall-3-0/

      RSA-2048 can be broken if someone finds a way to create collisions that inherently reduce the expected number of combinations to crack the cipher. Being a cipher, the RSA-2048 algorithm can be cracked by brute force. Brute force cracking can be described as a trial-and-error technique employed by programs to decipher encrypted data like passwords and DES (Data Encryption Standard) keys via extensive effort instead of intellectual force.

      RSA encryption is a type of language that alters the normal code of the file with a unique key. This key can be decrypted via specific software, but it requires a powerful machine. More on the RSA encryption topic and how to remove CryptoWall manually: http://sensorstechforum.com/restore-files-encrypted-via-rsa-encryption-remove-cryptowall-and-other-ransomware-manually/

      Finally, our research team has compiled several easy steps to follow to protect your files from ransomware threats: http://sensorstechforum.com/cryptowall-aaa-files-ransomware-description-protection-and-removal/

      Additionally, if you want to learn more about the methods employed by CryptoWall and the cyber criminals behind it, you can refer to this article: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptowall-3-0-ransomware-partners-with-fareit-spyware/

      Reply
  5. Vincent Laurent

    Thanks, I removed the virus with SpyHunter but my files are still corrupted and i cannot open them. Please help me… how to repair them????

    Reply
  6. ITResearcher

    YOU ALL SOOO SCREWED…

    Reply
  7. Steve

    With original file, encrypt file and public key used to encrypt file, can you decipher other files that used that public key?

    Reply
  8. kewin nielsen

    jeg fik hele mit data drev krypteret af cryptowall 3.0 igennem ransomware(conhost) og den havde enda kryptere min gendanelsespunkter og backup den eneste måde jeg fik mine filere igen var ved hjælp af recuva da cryptowall sleter original filen og overskriver dem med en krypteret

    Reply
  9. joao

    I have files that cannot be opened too.
    I am going to pay the ransom today or tomorrow.
    I have heard that if we pay the ransom the unblock all the files for sure (99% sure).
    They don’t want the files. They just want the money.
    I try everything to unblock my files. Even new karpersky software. Nothing works.

    Did some one have the same experience?
    Did someone pay the ransom before?
    What happened?

    I will leave my experience here soon.

    Reply
    1. Milena Dimitrova

      Hi joao,

      First of all, sorry to hear you’ve suffered a CryptoWall 3.0 attack!
      Can you please start a topic in our forum – http://sensorstechforum.com/forums/malware-removal-questions-and-guides/? We will try and help you with whatever we can. The forums are more convenient for such discussions 🙂

      Stay tuned,

      the STF team

      Reply
      1. kate

        Hi joao,
        Did you pay it? What the result?
        I have the same problem but i’m trying to solve it..

        Reply
    2. Richard

      Hola Joao, trabajo como técnico en una empresa y unos de los gerentes, fue ataco por este virus, me gustaría saber si pudiste recuperar la información luego de realizar el pago, y que cantidad de información, pudieron recuperar?

      Reply
    3. sham

      have you paid them >?? and recovered your files or not ?

      Reply
  10. Daniel fornerino

    buenas tardes, mi caso es que el equipo fue infectado con el virus, formatee el equipo pero toda la información abre. tengo informacion de vida o muerte y me urge recuperarla. alguien que me pueda colaborar. por favor

    Reply
    1. badGift

      hmm..
      si può restituire il sistema indietro, ma è possibile solo in caso che abbia fato il backup prima.
      Se no- puoì scaricare quelche programma di ricuperazione come recuva ,getdatabach o diskdrill..però, purtroppo tali software non recuperanno il 100% ,solo i dati eliminati recentemente . ecco uno dei tali programma http://www.cleverfiles.com/disk-drill-windows.html
      forse ti aiuti,

      Reply
  11. Vencislav Krustev

    Hello, Fornerino

    In case you have been infected with Cryptowall, it is important to know that it uses a VERY strong algorhitm, called RSA-2048. Its decryption may take years to complete. We advise you to try restoring your files by going to a professional data recovery expert or attempting to use on of the aftermentioned tools:

    Kaspersky Rector Decryptor

    This decryption tool is very simple to use and
    http://support.kaspersky.com/viruses/utility#rectordecryptor

    EaseUS Data Recovery Wizard Free

    Here is a free program which uses different methods to search through your computer and recover files that are even deleted beyond all saving. It is no guarantee that it will work, but some say they have recovered at least 10 percent of their files and some other files were partially broken. So in case you want to try it out, here is the download link for the tool:

    http://www.easeus.com/datarecoverywizard/free-data-recovery-software.htm

    Shadow Explorer

    You may as well try running Shadow Explorer in case you have File History or backup enabled. You can download it from here, but note that TeslaCrypt may as well have malicious scripts that delete any backups and previous file versions. Here is the download link for Shadow Explorer:

    http://www.shadowexplorer.com/downloads.html

    Look for the latest version and you may as well download the portable one since it saves you time.

    This is as far as I can suggest, try it and reply whether or not you have been successful. Again, there is absolutely no guarantee that any of the methods are working, but we are talking about encrypted files here, after all so it may be worth the try.

    Reply
  12. Sham

    My all files are encrypted with RSA-4096.

    I can not open any file.They are asking for 500 USD for decryption key. Please anybody can help me to decrypt my files as i don’t have any backup restore.

    Reply
    1. Milena Dimitrova

      Hi Sham,

      First, can you please tell me how you got to know that RSA-4096 was used in your case?

      Reply
      1. SERAS

        Slt Milena!
        Comment tu vas? j’aimerais avoir des notions sur le cryptage, comment cela se passe, avoir un cas pratique!
        Merci d’avance! je laisse mon mail ou si je peux avoir le tien cela me sera d’une très grande utilité

        Reply
  13. sham

    hi Milena..
    I found a ransomware file in my every folder…

    Reply
    1. Milena Dimitrova

      Hi Sham, looking into your case as we speak!

      Reply
      1. sham

        Dear Milena,

        Waiting for your help….your earlier response will be favorable.
        Thanks

        Reply
        1. Milena Dimitrova

          Hi Sham,

          A topic has been started in our forum about the particular encryption: http://sensorstechforum.com/forums/malware-removal-questions-and-guides/help!-my-files-were-encrypted-with-strong-rsa-4096-encryption!/msg679/#msg679

          Please provide us with the following information there (it’s easier to discuss in the forum than here) – your system, exact file extensions added to the encrypted files, ransom notes, etc. Also, have you removed the Trojan that has dropped the ransomware?

          Reply
  14. Milena Dimitrova

    Hello SERAS,

    I am fine but really sorry to see so many people falling victims to ransomware. You can send us information about your ransomware case on [email protected].

    Reply
  15. Jorge

    Todos mis archivos está con extensión vvv no sé cómo desencriptar los estoy muy angustiado por favor ayuda ya elimine Cryptowall tengo encriptados toda mi información de 20 años de trabajo por favor ayuda

    Reply
    1. Milena Dimitrova

      Hi Jorge,

      I am deeply sorry to let you know that without a clean copy of your files, you most likely will not be able to restore your information. You can try using TeslaDecoder and Rakhnidecryptor. However, reports indicate that these decoders won’t help with the .vvv extension that belongs to TeslaCrypt ransomware: http://sensorstechforum.com/remove-teslacrypt-and-restore-vvv-encrypted-files/

      Have you removed the ransomware with an anti-malware program?

      Reply
  16. Walter

    E’ successo anche a me. Il problema e’ che ogni file ha un’estensione diversa 0A/0A1/OMF ECC
    Si puo’ fare qualcosa?

    Reply
  17. dbgn

    Hi, I also caught this virus but it was only too late that I realized it and now all my files are encrypted with RSA-2048. The file extensions were changed and it seems that the extension for each file is different from any other and none are the same. Some of the file extensions I see now are .p468t,.16G, .n7r0, .us7m, .25sq, .xo3r4 and so many more. I need help.

    Reply
    1. Vencislav Krustev

      Hello @dbgn
      This is typical for Ransomware infections such as CTB Locker and CryptoWall 4.0. In order for me to be able to adequately provide you with assistance I would like you to send me a snip or a screenshot of any ransom message that you may see. It may be a .txt file on your desktop or a picture.

      Use this Forum Topic To Attach A Screenshot In Your Reply

      Reply
      1. walter

        hello , I invierei a file , but I do not know ‘ how to attach it to this message

        Reply
  18. charles

    hello vencislav
    mz laptop is infected with thee teslacrzpt virus and all mz files are encrzpted with RSA-4096 key
    could zou help me_ please

    Reply
  19. Ter

    Hi, Friends! My Pc was infected, i do eliminate ransomware using spyhunter, but muy files stay encrypted with .MICRO extention. ¿How i can decrypt the files? Thanks!!

    Reply
    1. Vencislav Krustev

      Hello Ter,

      You have been infected with a variant of TeslaCrypt. For more information check the following article:

      Remove TeslaCrypt and Restore .micro Encrypted Files

      You may also send files so that we can try and help to decrypt them. Here is the address:

      [email protected]

      We will disclose your files and send them back to you if successfully decrypted. Bear in mind that since we receive a lot of files it may take some time.

      Reply
  20. Shihas

    Hi Milena , one of our system got infected with this cryptowall 3 and encrypted the files with .micro extension. I was able to remove the malware but after two days, one of our Network attached storage got affected as well. Now I am wondering how that is possible ? I thought only personal files got affected by this script. 🙁

    Reply
    1. Milena Dimitrova

      Hello Shihas,

      Ransomware is often used in attacks on companies. The bad news is there’s still no solution for .micro encrypted files. We assure you however that security experts (us included) are doing their best to fight this threat and beat its encryption.

      Reply
  21. Nani

    i was installed a software .after my .jpg,.mp4 files are changed into a .micro extension .pls help to how to get my old file format .

    Reply
    1. Milena Dimitrova

      Hi Nani,

      Unfortunately, you have been attacked by the latest version of TeslaCrypt ransomware. We are still trying to figure out how to decrypt files encrypted by it. Once we find a solution, we will share it.

      Have you removed the ransomware from the infected computer?

      Reply
  22. raluca

    Hello! My laptop is infected with Cryptowall3.0. I’ve cleaned it, but all my files are encrypted. Any news on how to dectrypt them?
    Thank you!

    Reply
  23. Yann Bessin

    Il est à noter qu’Europol a pris conscience du problème des ransomwares et propose dorénavant un portail en ligne pour aider les victimes (https://secuweb.fr/europol-portail-lutter-ransomwares/)

    Reply
    1. SensorsTechForumSensorsTechForum

      Merci beaucoup 🙂

      Reply
  24. Dennis

    I have removed the ransomware but now i have encrypted files ending with .albigec. Does anybody now how to decrypt the files? (Cryptowall 3.0)

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.