Remove PhonyWall Ransomware, the CryptoWall 3.0 Copycat - How to, Technology and PC Security Forum |

Remove PhonyWall Ransomware, the CryptoWall 3.0 Copycat

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

There is a copycat of the CryptoWall 3.0 Ransomware that is infecting computers. It is also known as PhonyWall. It searches for files with many different extensions, overwrites them with its own files and then displays the decryption note of CryptoWall 3.0.

NamePhonyWall Ransomware
TypeRansomware, Trojan
Short DescriptionThe PhonyWall Ransomware overwrites a huge portion of the user’s files and demands a payment. Poses as the CryptoWall 3.0 Ransomware.
SymptomsFiles are overwritten with the same file size, but unusable. A ransom message is displayed. Information about payment and “decryption” are included in a file that is a copy of CryptoWall’s decryption instructions.
Distribution MethodIt can be distributed through browsing unsafe sites, malicious email attachments, drive-by downloads, etc.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by PhonyWall Ransomware
User ExperienceJoin our forum to discuss the PhonyWall Ransomware.


PhonyWall Ransomware – How Did I Get It?

There are a number of ways you could get infected with Trojans such as the PhonyWall Ransomware.

The most common distribution method is known to be through malicious email attachments and spam emails. There are even cases, where an email itself also contains malicious code and upon opening the email, the user infects its computer with it, even if he doesn’t open the attachment inside.

Around social networks and file sharing services there may be similar attachments and files containing the PhonyWall Ransomware, disguised as something else.

Another common way of getting infected with Ransomware is through exploit kits run from legitimate websites. For exploit kits to run, these websites must have been compromised, to have some sort of a security breach. Also, landing suspicious sites with malicious code on them may just as easily get you infected.

PhonyWall Ransomware – In Detail

The PhonyWall Trojan horse is also classified as Ransomware. It is a copycat of CryptoWall 3.0, although not as dangerous. There have been other Ransomware Copycats in the past, pretending to be some other Ransomware. When PhonyWall is executed on a compromised computer it will first create the following two files:

→%UserProfile%\Application Data\Microsoft\Windows\[Random Symbols].exe

→%AllUsersProfile%\Application Data\Microsoft\Windows\[Random Symbols].exe

When those two files are created and hidden, it will inject entries into the Windows Registry:

→HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Type = 0x10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Start = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\ErrorControl =1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\ImagePath =”%ALL_USERS%\Application Data\Microsoft\Windows\[Random Symbols].exe” -run [Parameter] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\DisplayName= “CheckDisk Service”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Random Symbols]\Description= “Creates and displays a status report for a disk based on the file system. Chkdsk also lists and corrects errors on the disk.”
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_[Random Symbols] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run=”%USERAPPDATA%\Microsoft\Windows\[Random Symbols].exe”-run [Parameter]

The [Parameter] is such, that is passed when the original file is executed.

Afterwards, the Ransomware will overwrite files with ones of the same file size. It will overwrite all files it can find on a compromised computer except files with the following strings, being extensions or prefixes:

→ *.scr *.exe *.msi *.msu *.dll *.ocx *.ax *.com *.sys *.lnk *.inf bootmgr ntldr boot.inintuser.*

The PhonyWall Ransomware does not overwrite files in these directories: Boot, Windows, Program Files settings, System Volume Information. So, System Restore Points and Shadow Volume Copies will still be available and the thing is the program only overwrites files and does NOT encrypt them. It is just trying to scare you into paying the requested sum of money under the false pretense of being CryptoWall 3.0.

The PhonyWall Ransomware will terminate the following processes on the computer:

• *sql*
• *msdtssrvr*
• *fdlauncher*
• *ReportingServicesService*
• *mad*
• *exchange*
• *w3wp*
• *iis*
• *exfba*
• *store*
• *inet*

The Ransomware, then creates a DESCRYPTION_INSTRUCTION.html file. That ransom note instruction file is an exact copy of the CryptoWall 3 one. Although, the user ID for every victim is always “vRRRbw”. The difference here is that CryptoWall uses different, individual keys for each infected computer.

Remove PhonyWall Ransomware Completely

To completely remove the PhonyWall Ransomware Trojan from your computer, you should have at least minimal experience in removing viruses. It is highly recommended to first to back up all of your personal files that you value, no matter if it is encrypted. Afterwards, carefully follow the instructions provided here:

1. Boot Your PC In Safe Mode to isolate and remove PhonyWall Ransomware
2. Remove PhonyWall Ransomware with SpyHunter Anti-Malware Tool
3. Remove PhonyWall Ransomware with Malwarebytes Anti-Malware.
4. Remove PhonyWall Ransomware with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by PhonyWall Ransomware in the future

After its removal, you might try recovering your files, using backups from an external device or cloud if you made such backups in the past, using Windows Restore Points or Shadow Volume Copies.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share