Remove CryptoWall 5.1 Ransomware and Restore .locked Encrypted Files - How to, Technology and PC Security Forum |

Remove CryptoWall 5.1 Ransomware and Restore .locked Encrypted Files

CryptoWall-51-sensorstechforum-ransom-note-main-ransomwareCryptoWall’s encrypter is back in CryptoWall 5.1 variant and it is used in a ransomware virus which pretends to be Cryptolocker. The virus uses the .locked file extension which it ads after encrypting the files of the infected computer with an immensely strong AES-256 encryption algorithm and asks from users to pay 250 Euros to get them back. CryptoWall has been through many changes and many consider it to be the virus causing most damage in comparison to all ransomware viruses. If its encryptor is back this is a strong indicator that the CryptoWall gang may be back in business. Everyone who has been infected by CryptoWall 5.1 should immediately take actions for removing the virus and trying to restore the .locked files using alternative solutions to gain back access to their files like the ones in this article.

Threat Summary

NameCryptoWall 5.1
TypeRansomware Trojan
Short DescriptionCryptoWall 5.1 encrypts files with a strong AES-256 cipher asking 250 Euros for decryption.
SymptomsFiles are encrypted with the .locked file extension and become inaccessible. A ransom note with instructions for paying the ransom may shows on the screen.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by CryptoWall 5.1


Malware Removal Tool

User ExperienceJoin our forum to Discuss CryptoWall 5.1 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryptoWall 5.1 Ransomware – How Does It Infect

The cyber-criminal gang behind CryptoWall 5.1 may use different spam techniques with the one and only purpose of tricking users to into opening its malicious URLs or executables containing its payload.

Just like CryptoWall 4.0 Ransomware and CryptoWall 3.0, it may employ several methods that may result in successful cyber-attack on the unsuspecting user:

The most widely employed method is via spam e-mail. And this is not just small spam campaigns. CryptoWall has always been associated with massive spam, like the famous Fake Windows 10 Free Upgrade Spam, which appeared last year. It looks like a message appearing to be sent from Microsoft Corporation. Users have reported tat such e-mails may be associated with fraudulent URLs or malicious files containing JavaScript or Exploit Kits embedded in .ZIP e-mail attachments.

Another form of attacks by CryptoWall 5.1 may be associated with phishing e-mails, however such attacks are more likely to be present when a user or an organization is targeted by a hacking syndicate. Since most enterprise organizations usually have local networks configured securely by their system and network administrators, hackers may get information about the organization and then send a spam message that appears to be coming from the e-mail from someone important In the organization, like the CTO, CFO or CEO, saying something like “Important! I need you to read thoroughly and reply!”

There is also the chance that the user is being redirected via a malicious URL, which is posted in e-mail bodies, on social media and other communication platforms. Ad-supported PUPs(Potentially Unwanted Programs) may also cause direct browser redirects which may infect the user’s computer and cause immense damage not only by CryptoWall 5.1 but other malware as well.

CryptoWall 5.1 Ransomware In Detail

After CryptoWall 5.1’s payload has been dropped on your computer, the virus might immediately begin changing its settings. First, it may create one or more files in the following Windows folders:

  • %Roaming%
  • %AppData%
  • %Temp%
  • %User’s Profile%
  • %Windows%
  • %Local%
  • %LocalRow%

After creating its malicious files, CryptoWall 5.1 may also modify different registry keys, like the Run and RunOnce keys which enable it to start when Windows boots up:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Before It starts the encryption process, CryptoWall’s 5.1 version may carefully scan for specific file extensions of widely used files, like videos, music, photos, databases and others:

→.3dm, .3ds, .3fr, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .accde, .accdr, .accdt, .ach, .acr, .act, .adb

For the encryption process, CryptoWall 5.1 uses a very strong AES cipher has been employed with a strength of 256 bits. In addition to this, CryptoWall 5.1 additionally adds unique identification to the infected user. The encoded files are appended the .locked file extension, for example:


After encryption, the files cannot be opened with any program. The only 100 percent working direct solution appears to be either paying the cyber-criminals for a unique decryption technique like purchasing a key and a decryptor made by them.

To communicate with Infected users, CryptoWall 5.1 may lock the screen of the infected computer and use a custom made ransom message which it displays on the Desktop in different languages. One of those languages is Italian, which means the virus targets Italian users. The message is written in Italian and is the following:

“Il tuo computer è stato infettato da Cryptolocker
Cryptolocker è un malware appartenente alla famiglia dei ransomware.
Questo virus è in grado di criptare con algoritmi asimmetrici i file della vittima.
Come faccio a ripristinare i miei documenti?
I tuoi documenti, foto, dati e altri file importanti (compresi usb, hard disk, percorsi di rete etc. ) sono stati criptati con un algoritmo asimmetrico a due chiavi, pubblica e privata.
Tutti i file sopra citati che hanno l’estensione .locked sono stati bloccati, per sbloccarli hai bisogno della chiave privata.
Come ottengo la chiave privata?
Mentre la chiave pubblica и stata salvata in una directory di sistema del tuo computer, quella privata и stata inviata sul nostro server, per ottenerla devi pagare la cifra di 250 €.
Appena l’importo sarà accreditato tramite uno dei metodi di pagamento riceverai tramite mail la chiave privata e potrai cosм riavere accesso ai tuoi dati
In caso contrario al termine delle 48h previste per il pagamento del riscatto la chiave privata verrà eliminata e non sarà più possibile recuperare i file.
ATTENZIONE: La rimozione di Cryptolocker non ripristina l’accesso ai file cittografati.
Contaсt:” Source: Infected User
English Translation:
Your computer is infected with cryptolocker
Cryptolocker is a malware belonging to the family of Ransomware.
This virus can encrypt the victim’s files with asymmetric algorithms
How do I restore my files?
Your documents, photos, data and other important files (including USB, hard drives, network locations, etc.) have been encrypted with an asymmetric algorithm to two keys, public and private.
All files mentioned above having the .locked extension have been blocked; you need to unlock the private key.
How do I get the private key?
While the public key и been saved in a directory of your computer system, the private и been sent to our server, to get it you have to pay the amount of 250 €.
As soon as the amount is credited with one of the payment methods, you will receive by mail the private key, and regain access to your data.
Otherwise, at the end of 48h provided for the payment of the ransom, the private key will be deleted and it will no longer be possible to recover files.
CAUTION: Removing cryptolocker will not restore access to encrypted files.

The virus saves a public key on the user’s computer, most likely in a .KEY file and the private key it may send to the malicious server of the cyber-criminals behind CryptoWall 5.1. To gain access, it gives a deadline of 48 hours after which the cyber-criminals threaten to delete the private key.

CryptoWall 5.1 – Conclusion, Removal, and File Restoration

Malware analysts recommend not to pay any ransom to cyber-crooks because you support their cyber-criminal organization and malicious activities. In addition to that, it is no guarantee that these cyber-terrorists will give access to your files. However, you may want to contact the e-mail address cryptowall51@ to ask for the free decryption of one file which you may later use to attempt and factorize other keys which may decrypt the rest of the data. We have provided in step “3. Restore files encrypted by CryptoWall 5.1” alternative methods and decryptors which may assist you in the decryption process of the file encoded by CryptoWall 5.1.

But before attempting any decryption, backups or file restoration methods, we strongly advise you to remove it using an advanced anti-malware program. You can follow the tutorial below, since it is designed for maximum effectiveness and remove the virus automatically and swiftly. This will help detect all of its files, instead of costing you time to find them manually and increasing the risk of you losing your files. Furthermore, it is recommended to have an advanced anti-malware software since it also features a real-time shield protecting you from devastating threats like CryptoWall 5.1 in the future as well.

Researchers also believe that this ransomware has been created based on the HiddenTear open source project which has been the root cause for other ransomware viruses, like Strictor and Sanction ransomwares. Decryptor is expected to be released eventually and we urge you to keep an eye on this article and we will update it as soon as this is done. In the meantime you may try the methods in this article to attempt file restoration.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share