Remove CryptoWall RSA-4096 Variant and Restore .jpg Encrypted Files

A new ransomware, observed to be a variant of CryptoWall, has been reported to be infecting users on a massive scale all over the world. CryptoWall, the most notorious ransomware family, detected as “Cryptodefense” by Symantec researchers, is reported to have held over 600,000 computers hostage and to have generated over $325 million in ransom payments. This particular variant uses a Trojan.Agent.MSIL to infect the user’s PC. All users who have become “hostages” of this ransomware should immediately use advanced anti-malware software to remove the threat. For file restoration, it is advisable to try the methods suggested after this article to get your data back instead of paying the ransom.

Name: CryptoWall RSA-4096
Type: Ransomware
Short Description: Encrypts files on the compromised computer and demands $500 in BTC as ransom.
Symptoms: “RECOVERY” files open on startup, and the user’s own files become hidden, except for a few.
Distribution Method: Via an MSIL Trojan (downloader) that may be distributed through malicious macros in email attachments.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by CryptoWall RSA-4096
User Experience: Join our forum to discuss CryptoWall RSA-4096.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, only some of them, depending on the situation and on whether or not you have reformatted your drive.

CryptoWall RSA-4096 – Distribution

Similar to CryptoWall 4.0, this variant uses an MSIL Trojan agent that is essentially a downloader for the actual malware. In this case, the Trojan was found at the following location, under the following name:

“C:/Users/{Username}/AppData/Local/Wwp0J.tmp”

This suggests that the Trojan uses random names for its malicious .tmp module. It may open a port, connect to a remote host that may be the C&C (Command and Control) server of the cyber-criminals controlling CryptoWall, and infect the computer.

Such Trojans may be distributed via files carrying a malicious payload, for example infected Microsoft Office macros. Imagine the following scenario: you open an email that appears to come from PayPal and contains a Microsoft Excel attachment named “Your Withdrawal History” or some other name that interests you. Inside there is the usual “Enable Editing” button, and after you click it, a malicious script may create the “Wwp0J.tmp” file on your computer. Of course there are many other scenarios besides this one, but they all end the same way if the “.tmp” file is well enough obfuscated to evade your antivirus protection.

CryptoWall RSA-4096 In Detail

Once the malicious executable has been run on your computer, it may download the malware’s modules into the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Temp%
  • %System%
  • %User’s Directory%
  • %Local%
  • %Common%

The malicious modules may have random names, names that resemble an application installed on the user’s PC, or names containing a deliberate misspelling. Examples are as follows:

  • D0138i2n09dh2.exe
  • Notepad.dll
  • Solitare.tmp

After such files are created, the malware creates registry entries so that they run on system startup. For example, a value for D0138i2n09dh2.exe in the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

with this name and data:

“addon_v{number}” = “%User’sProfile%\Application Data\D0138i2n09dh2.exe”
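To check a machine for the kind of autorun entry described above, here is an added PowerShell example; it is not from the article and not part of any vendor tool. It enumerates the Policies\Explorer\Run key named in the article plus the standard Run/RunOnce keys (my assumption about which keys are worth checking) for both the current user and the machine, and flags values whose command points into AppData, Application Data, Temp or Local Settings, the directories this variant drops its modules into. It is read-only and deletes nothing.

```powershell
# Added example (not from the article): list autorun entries and flag those whose target
# lives in a user-writable profile directory, the pattern described above for this variant
# ("addon_v{number}" under Policies\Explorer\run pointing at ...\Application Data\<random>.exe).
# Read-only: it reports, it does not delete anything.

# Assumed list of autorun keys worth checking. Policies\Explorer\Run is the key named in
# the article; the others are the usual Run/RunOnce locations.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Path fragments a legitimate autorun rarely executes from (the article's drop directories).
$userWritable = @('\AppData\', '\Application Data\', '\Temp\', '\Local Settings\')

function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($valueName in $regKey.GetValueNames()) {
            $command  = [string]$regKey.GetValue($valueName)
            $expanded = [Environment]::ExpandEnvironmentVariables($command)

            # Strip surrounding quotes and trailing arguments to isolate the file path.
            $exePath = $expanded -replace '^"([^"]+)".*$', '$1'
            if ($exePath -eq $expanded) {
                $exePath = $expanded -replace '^(\S+?\.(exe|dll|tmp)).*$', '$1'
            }
            $exists = $false
            if ($exePath) { $exists = Test-Path -LiteralPath $exePath -PathType Leaf }

            [pscustomobject]@{
                Key          = $key
                ValueName    = $valueName
                Command      = $command
                UserWritable = [bool]($userWritable | Where-Object { $expanded -like "*$_*" })
                FileExists   = $exists
            }
        }
    }
}

# Show everything first, then only the entries that deserve a closer look.
$entries = Get-AutorunEntry
$entries | Format-Table -AutoSize
'--- Autorun entries pointing into user-writable directories ---'
$entries | Where-Object { $_.UserWritable } |
    Format-Table Key, ValueName, Command, FileExists -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. An entry with UserWritable set to True and FileExists set to False is consistent with the behaviour described later in the article, where the malware deletes itself after encryption but leaves its persistence entry behind.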

After being set up, the ransomware may or may not restart the infected PC. Either way, after a system restart, the user sees three files named “RECOVERY” on the computer:

[Screenshot: the three RECOVERY files]

The “RECOVERY” .txt, .png and .HTML files open automatically on system startup and contain the following ransom message:

[Screenshot: the ransom message]

At this point, the ransomware has encrypted the user’s files that have a .JPG extension and has turned them into the .MP3 file format. It targets the following file extensions, using the RSA-4096 encryption algorithm:

.exe, .pdf, .docx, .xls, .txt, .doc, .jpg, .bmp, .psd, .vdi, .swf, .mp3, .mp4

A file encrypted by this Trojan looks like the following:

[Screenshot: an encrypted file]

Most of the files disappear from the user’s view. Here is an example of a folder that was full of files; in their place, the same RECOVERY files appear, with the following file names:

[Screenshot: a folder showing only the RECOVERY files]

The “_RECoVERY_+cljba.HTML” file opens the user’s browser and contains direct web links to a page generated individually for that user. It appears to be a decryption “service” web page.

[Screenshot: the CryptoWall decryption “service” page]

As can be seen at this point, the ransomware demanded around $500 in Bitcoin and linked to reputable Bitcoin exchange and payment services. It also shows a live timer counting down how much time you have until the fee doubles to $1000, and displays a message that a special CryptoWall decryptor will be provided.

Not only this, but this is one of the few ransomware variants that decrypts one file for free. Here is a file which we sent and which they decrypted:

[Screenshot: “decrypt 1 file for free”]

[Screenshot: the decrypted file]

Furthermore, one of the features of the ransomware is the ability to contact its “customer support” with any questions, which is a new peak in ransomware development and implementation. We tried contacting the cyber-crooks and negotiating with them, and managed to get a $50 “discount”.

[Screenshot: the “customer service” conversation]

Not only this, but this ransomware even has spam protection in the form of a CAPTCHA:

[Screenshot: the CAPTCHA on the payment page]

There are many ransomware infections out there, and their number is only likely to increase. Worst of all, they use obfuscated processes to bypass antivirus detection. Experts advise following several simple pieces of advice to protect yourself in the future against this or any other infection that may compromise your data. We at SensorsTechForum would also advise you to use sandboxing software, because it significantly increases your protection against infected files that you may accidentally open on your computer. One example of such a program is Sandboxie, which is completely free but also has a licensed version with many more features.

Remove CryptoWall and Restore .jpg Encrypted Files

When it comes to removing CryptoWall from your computer, it may be easier than you think. In fact, after it has infected your computer, the malware may delete itself to prevent reverse engineering and analysis of its encryption modules. However, the Trojan may still reside on your computer, which is why we recommend scanning it for malware.

Regarding file decryption, there are several ways to cope with RSA encryption. Since this is the RSA-4096 bit encryption algorithm, it would take hundreds of hours to attack it directly with a decryptor. Most decryptors for RSA also require an original (unencrypted) copy of a file to establish the unlocking key and, based on that, recover the other encrypted files. This ransomware is particularly dangerous, however, because it conceals the files, and you cannot decrypt what you cannot find. This is why we have suggested several other file recovery methods, plus a decryptor by Kaspersky, in the removal and restoration instructions after this article.
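Because this variant hides the original files and scatters RECOVERY notes through the folders (the folder screenshot above, and the “you cannot decrypt what you cannot find” point here), a first recovery step is simply to find them. The following PowerShell is an added example, not the article’s own instructions and not a vendor tool. It walks a profile (assumed to be the current user’s), lists files whose names match the note pattern seen in this article and in the comments below it (“_RECoVERY_+cljba.HTML”, “RECOVERsaqww.txt”), and counts files with the targeted extensions that carry the Hidden attribute, grouped by folder. The -Unhide switch clears the Hidden and System attributes so the files show up in Explorer again; it does nothing to the encryption itself.

```powershell
# Added example (not from the article): find what this variant leaves behind in a profile
# and, on request, make the hidden originals visible again. Nothing here decrypts anything.
param(
    [string]$Root = $env:USERPROFILE,   # assumption: scan the current user's profile
    [switch]$Unhide                     # clear Hidden/System on the matched files
)

# Extensions the article lists as targeted by this variant.
$targetExt = '.exe','.pdf','.docx','.xls','.txt','.doc','.jpg','.bmp','.psd','.vdi','.swf','.mp3','.mp4'

# Note-name pattern built from the names seen in the article and its comments:
# "_RECoVERY_+cljba.HTML", "RECOVERsaqww.txt". PowerShell -match is case-insensitive.
$notePattern = '^_?RECOVER[A-Z]?_?\+?[A-Z0-9]{3,}\.(txt|png|jpe?g|html?)$'

# -Force is required; without it Get-ChildItem skips hidden files entirely.
$allFiles = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue

$notes  = @($allFiles | Where-Object { $_.Name -match $notePattern })
$hidden = @($allFiles | Where-Object {
    $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
    ($targetExt -contains $_.Extension.ToLower()) -and
    ($_.Name -notmatch $notePattern)
})

"Ransom notes found : $($notes.Count)"
$notes | Select-Object -First 10 -ExpandProperty FullName
"Hidden target files: $($hidden.Count)"
# Folders with many hidden documents are the ones that look "emptied" in Explorer.
$hidden | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

if ($Unhide) {
    $mask = -bnot ([int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
    foreach ($f in $hidden) {
        # Clearing the attribute only makes the file visible; its contents stay encrypted.
        $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band $mask)
    }
    "Cleared Hidden/System on $($hidden.Count) files; they are still encrypted."
}
```

Save it as a .ps1 and run it once without -Unhide to get the inventory, and only after the machine has been cleaned run it with -Unhide, so that nothing still active re-hides the files. Files that reappear this way are still encrypted; the inventory tells you what to feed into the recovery methods listed below.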

1. Boot Your PC In Safe Mode to isolate and remove CryptoWall RSA-4096
2. Remove CryptoWall RSA-4096 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by CryptoWall RSA-4096 in the future
4. Restore files encrypted by CryptoWall RSA-4096
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.


  • j

    I have been affected by RSA4096 ransomware this morning. All my images are locked out and I cannot open them, but their file extensions are unchanged. I get the following
    I am a designer and all my previous work is locked completely now and I have the worst virus infection. Can you please help? Do I have to pay for the SpyHunter program to get my data back? Unfortunately, I haven’t backed up my data for more than a month now…..

    I get a text message like the following and all my folders are populated with files named RECOVERsaqww.html, RECOVERsaqww.jpeg, and RECOVERsaqww.txt.

    The jpeg files are printed versions of the RECOVERsaqww.txt file and I cannot even google what that is..

    IF I PAY FOR SPYHUNTER AND REGHUNTER, CAN I GET MY FILES, JPEGS, PNGS, PDFS BACK???

    • Milena Dimitrova

      Hi J,

      Unfortunately, SpyHunter cannot decrypt your files, because it is a program for protection (anti-malware software). However, it can remove the ransomware.

      For now, security experts have not discovered a method to decrypt files encrypted by TeslaCrypt.
