There is a copycat of the CryptoWall 3.0 Ransomware that is infecting computers. It is also known as PhonyWall. It searches for files with many different extensions, overwrites them with its own files and then displays the decryption note of CryptoWall 3.0.
|Short Description||The PhonyWall Ransomware overwrites a huge portion of the user’s files and demands a payment. Poses as the CryptoWall 3.0 Ransomware.|
|Symptoms||Files are overwritten with the same file size, but unusable. A ransom message is displayed. Information about payment and “decryption” are included in a file that is a copy of CryptoWall’s decryption instructions.|
|Distribution Method||It can be distributed through browsing unsafe sites, malicious email attachments, drive-by downloads, etc.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by PhonyWall Ransomware|
|User Experience||Join our forum to discuss the PhonyWall Ransomware.|
PhonyWall Ransomware – How Did I Get It?
There are a number of ways you could get infected with Trojans such as the PhonyWall Ransomware.
The most common distribution method is known to be through malicious email attachments and spam emails. There are even cases, where an email itself also contains malicious code and upon opening the email, the user infects its computer with it, even if he doesn’t open the attachment inside.
Around social networks and file sharing services there may be similar attachments and files containing the PhonyWall Ransomware, disguised as something else.
Another common way of getting infected with Ransomware is through exploit kits run from legitimate websites. For exploit kits to run, these websites must have been compromised, to have some sort of a security breach. Also, landing suspicious sites with malicious code on them may just as easily get you infected.
PhonyWall Ransomware – In Detail
The PhonyWall Trojan horse is also classified as Ransomware. It is a copycat of CryptoWall 3.0, although not as dangerous. There have been other Ransomware Copycats in the past, pretending to be some other Ransomware. When PhonyWall is executed on a compromised computer it will first create the following two files:
→%UserProfile%\Application Data\Microsoft\Windows\[Random Symbols].exe
→%AllUsersProfile%\Application Data\Microsoft\Windows\[Random Symbols].exe
When those two files are created and hidden, it will inject entries into the Windows Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Type = 0x10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Start = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\ErrorControl =1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\ImagePath =”%ALL_USERS%\Application Data\Microsoft\Windows\[Random Symbols].exe” -run [Parameter] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\DisplayName= “CheckDisk Service”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Description= “Creates and displays a status report for a disk based on the file system. Chkdsk also lists and corrects errors on the disk.”
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_[Random Symbols] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run=”%USERAPPDATA%\Microsoft\Windows\[Random Symbols].exe”-run [Parameter]
The [Parameter] is such, that is passed when the original file is executed.
Afterwards, the Ransomware will overwrite files with ones of the same file size. It will overwrite all files it can find on a compromised computer except files with the following strings, being extensions or prefixes:
→ *.scr *.exe *.msi *.msu *.dll *.ocx *.ax *.com *.sys *.lnk *.inf bootmgr ntldr boot.inintuser.*
The PhonyWall Ransomware does not overwrite files in these directories: Boot, Windows, Program Files settings, System Volume Information. So, System Restore Points and Shadow Volume Copies will still be available and the thing is the program only overwrites files and does NOT encrypt them. It is just trying to scare you into paying the requested sum of money under the false pretense of being CryptoWall 3.0.
The PhonyWall Ransomware will terminate the following processes on the computer:
The Ransomware, then creates a DESCRYPTION_INSTRUCTION.html file. That ransom note instruction file is an exact copy of the CryptoWall 3 one. Although, the user ID for every victim is always “vRRRbw”. The difference here is that CryptoWall uses different, individual keys for each infected computer.
Remove PhonyWall Ransomware Completely
To completely remove the PhonyWall Ransomware Trojan from your computer, you should have at least minimal experience in removing viruses. It is highly recommended to first to back up all of your personal files that you value, no matter if it is encrypted. Afterwards, carefully follow the instructions provided here:
After its removal, you might try recovering your files, using backups from an external device or cloud if you made such backups in the past, using Windows Restore Points or Shadow Volume Copies.