The CryptoWall encrypter has resurfaced in a CryptoWall 5.1 variant, used by a ransomware virus that passes itself off as CryptoLocker. The virus encrypts the files on the infected computer with AES-256, appends the .locked file extension to them and demands 250 Euros from the user to get them back. CryptoWall has gone through many revisions, and many consider it the ransomware family that has caused the most damage of all. If its encryptor is back, that is a strong indicator that the CryptoWall gang may be back in business. Anyone infected by CryptoWall 5.1 should immediately remove the virus and try to restore the .locked files using alternative methods, such as the ones in this article.
| | |
|---|---|
| Short Description | CryptoWall 5.1 encrypts files with AES-256 and asks 250 Euros for decryption. |
| Symptoms | Files are encrypted, receive the .locked file extension and become inaccessible. A ransom note with payment instructions may be shown on the screen. |
| Distribution Method | Spam e-mails, e-mail attachments, file-sharing networks. |
| Detection Tool | See if your system has been affected by CryptoWall 5.1 (malware removal tool). |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors for lost files; it may recover only some of the encrypted files rather than all of them, depending on the situation and on whether the drive has been reformatted. |
CryptoWall 5.1 Ransomware – How Does It Infect
The cyber-criminal gang behind CryptoWall 5.1 may use various spam techniques with the single purpose of tricking users into opening malicious URLs or executables that carry its payload.
Another form of attack associated with CryptoWall 5.1 is phishing e-mail, although such attacks are more likely when a specific user or organization is targeted by a hacking syndicate. Since most enterprise networks are configured securely by their system and network administrators, the attackers may instead gather information about the organization and then send a spam message that appears to come from someone important in it, such as the CTO, CFO or CEO, saying something like “Important! I need you to read thoroughly and reply!”
There is also the chance that the user is redirected via a malicious URL posted in e-mail bodies, on social media or on other communication platforms. Ad-supported PUPs (Potentially Unwanted Programs) may also cause browser redirects that infect the user’s computer, causing damage not only through CryptoWall 5.1 but through other malware as well.
CryptoWall 5.1 Ransomware In Detail
After the CryptoWall 5.1 payload has been dropped on your computer, the virus may immediately begin modifying the system. First, it may create one or more files in the following Windows folder:
- %UserProfile%
After creating its malicious files, CryptoWall 5.1 may also modify registry keys such as the Run and RunOnce keys under HKCU\Software\Microsoft\Windows\CurrentVersion (and their HKLM equivalents), which make it start every time Windows boots.
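As an added example, not code from the original article or from the malware itself, the following Python check reads a `reg export` dump of the Run and RunOnce keys and flags every entry whose executable lives inside a user profile directory, which is where the files described above are dropped. The registry export embedded below is constructed for the demonstration, and the "svchost", "updater" and "helper" entry names in it are hypothetical.

```python
import re

# Constructed sample of a `reg export` dump covering the Run and RunOnce keys.
# The "svchost", "updater" and "helper" entries are hypothetical and only
# illustrate the pattern: an autostart pointing into a user profile directory.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"updater"="\"C:\\Users\\alice\\Desktop\\updater.exe\" -silent"
"helper"="%APPDATA%\\helper.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with .reg escaping (\\ for a backslash, \" for a quote)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTOSTART_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
# Locations inside the user profile, written literally or via environment variables
USER_PROFILE_PREFIXES = ("c:\\users\\", "%userprofile%", "%appdata%",
                         "%localappdata%", "%temp%", "%tmp%")


def unescape(value):
    """Undo .reg string escaping: a backslash followed by x becomes x."""
    return re.sub(r'\\(.)', r'\1', value)


def executable_path(command):
    """Return the program part of an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted command: the first whitespace-delimited token is the program
    # (assumption: unquoted paths containing spaces are not expected here).
    return command.split()[0] if command else ""


def parse_reg_export(text):
    """Return (key, value_name, value) triples for the string values in the dump."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            name, value = (unescape(g) for g in value_match.groups())
            entries.append((current_key, name, value))
    return entries


def suspicious_autostarts(text):
    """Flag Run/RunOnce entries whose executable is stored in a user profile."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if not key.lower().endswith(AUTOSTART_KEY_SUFFIXES):
            continue
        path = executable_path(command)
        if path.lower().startswith(USER_PROFILE_PREFIXES):
            findings.append({"key": key, "name": name, "path": path})
    return findings


if __name__ == "__main__":
    for finding in suspicious_autostarts(SAMPLE_REG_EXPORT):
        print(f"{finding['key']}\\{finding['name']} -> {finding['path']}")
```

On a live machine, produce the input with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for RunOnce and the HKLM keys) and pass the file contents to `suspicious_autostarts`; `reg export` writes UTF-16 with a byte-order mark, so open the file with `encoding="utf-16"`. A legitimate program can of course also start from the profile, so a hit is a lead to verify (hash, signature, creation time), not a verdict.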
Before it starts the encryption process, CryptoWall 5.1 may carefully scan for the extensions of widely used file types, such as videos, music, photos, databases and others:
→.3dm, .3ds, .3fr, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .accde, .accdr, .accdt, .ach, .acr, .act, .adb
For the encryption process, CryptoWall 5.1 uses the AES cipher with a 256-bit key. In addition, it assigns a unique identifier to the infected user. The encrypted files have the .locked file extension appended to their names, for example:
After encryption, the files cannot be opened with any program. Because the key needed to reverse the encryption is held by the attackers, the only direct way to decrypt the files is to obtain the key and the decryptor they sell for the ransom, which is not recommended (see the conclusion below).
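As an added example that is not part of the original article, the following Python script shows how a responder would scope an infection of this kind: it inventories the files carrying the .locked extension, recovers the original extension to check it against the targeted list, and measures the entropy of each file's first bytes to separate files that were actually encrypted from files that were merely renamed. The directory contents are constructed in a temporary folder for the demonstration; the extension subset and the entropy threshold are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_SUFFIX = ".locked"
# A subset of the extensions from the list above, enough for the demonstration.
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                       ".png", ".txt", ".sql", ".pst", ".mdb", ".pem"}
# Encrypted (or already compressed) data sits near 8 bits of entropy per byte;
# ordinary documents sit well below. The threshold is an assumption.
MIN_ENCRYPTED_ENTROPY = 7.0


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def triage_directory(root, sample_bytes=4096):
    """Inventory every *.locked file under root and classify it."""
    root = Path(root)
    results = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != RANSOM_SUFFIX:
            continue
        # path.stem drops ".locked"; the suffix of what is left is the original extension
        original_ext = Path(path.stem).suffix.lower()
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read(sample_bytes))
        results.append({
            "file": path.relative_to(root).as_posix(),
            "original_ext": original_ext,
            "targeted": original_ext in TARGETED_EXTENSIONS,
            "entropy": round(entropy, 2),
            "likely_encrypted": entropy >= MIN_ENCRYPTED_ENTROPY,
        })
    return sorted(results, key=lambda r: r["file"])


def build_sample_tree(root):
    """Constructed victim directory: random bytes stand in for ciphertext."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.locked").write_bytes(os.urandom(4096))
    (root / "photo.jpg.locked").write_bytes(os.urandom(2048))
    (root / "setup.exe.locked").write_bytes(os.urandom(1024))  # .exe is not in the targeted list
    # Renamed but never encrypted: low entropy, still readable as text
    (root / "notes.txt.locked").write_bytes(b"this file was only renamed\n" * 100)
    (root / "readme.txt").write_bytes(b"untouched plaintext\n")  # not inventoried


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Point `triage_directory` at a real share or profile folder to get the same inventory. Note that already compressed formats (jpg, zip, mp4) are high-entropy before any encryption, so the entropy check is only decisive for files whose original format is low-entropy, such as the .txt case above; those are the ones worth re-examining before assuming they are lost.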
To communicate with infected users, CryptoWall 5.1 may lock the screen of the infected computer and display a custom ransom message on the Desktop in several languages. One of them is Italian, which suggests the virus targets Italian users. The Italian message reads as follows:
The virus saves a public key on the user’s computer, most likely in a .KEY file, and sends the private key to the command server of the cyber-criminals behind CryptoWall 5.1; the public key left on the machine cannot decrypt anything by itself. The note gives a deadline of 48 hours, after which the criminals threaten to delete the private key.
CryptoWall 5.1 – Conclusion, Removal, and File Restoration
Malware analysts recommend not paying the ransom: doing so funds the criminal organization and its activities, and there is no guarantee that the criminals will give access to your files. You may, however, contact the e-mail address cryptowall51@ sigaint.org and ask for the free decryption of one file. Together with its encrypted copy, that file gives you a known plaintext/ciphertext pair. Such a pair does not let you recover an AES-256 key by brute force, but it is what researchers need to test a decryptor against flaws in the ransomware's implementation (for example weak key generation in HiddenTear-derived code) and what you need to verify any decryptor before running it on the rest of your data. We have provided in step “3. Restore files encrypted by CryptoWall 5.1” alternative methods and decryptors which may assist you in decrypting the files encoded by CryptoWall 5.1.
Before attempting any decryption, backup or file restoration, we strongly advise you to remove the virus using an advanced anti-malware program; a sample that is still running can re-encrypt whatever you restore. You can follow the tutorial below, which is designed to remove the virus automatically and swiftly. This finds all of its files, instead of costing you time searching for them manually while the risk of losing more files grows. An advanced anti-malware program with a real-time shield also protects you from devastating threats like CryptoWall 5.1 in the future.
Researchers also believe that this ransomware was built on the HiddenTear open-source project, which has been the basis for other ransomware such as Strictor and Sanction. A decryptor is expected to be released eventually; we urge you to keep an eye on this article, which we will update as soon as that happens. In the meantime you may try the methods in this article to attempt file restoration.