.wtdi File Virus – Remove .NET CryptoWall and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

.wtdi File Virus – Remove .NET CryptoWall and Restore Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will explain what is .wtdi ransomware and help you remove the .NET CryptoWall.exe ransomware plus restore encrypted files on your computer.

A ransomware virus believed to imitate the notorious CryptoWall and is written in .NET has appeared in the wild. The virus uses the .wtdi file extension which it adds to the files encrypted by it, after which changes the wallpaper on the infected computer with a message in red bold letters, reportedly written in Russian. The malicious files of the fake CryptoWall ransomware virus have a rest in peace (RIP) icon. In case your computer has been infected by this ransomware infection, we advise reading the following material.

Threat Summary

Name.wtdi Virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts the files on the infected PC’s asking a ransom to be paid to get them back.
Symptoms Encrypts the files on the infected computer and changes the wallpaper with request to contact the crooks via ICQ. Files are appended the .wtdi file extension to them.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .wtdi Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .wtdi Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryptoWall .wtdi – How Does It Infect

The primary method of infecting victims with this ransomware virus is via taking advantage of the inexperienced users by sending massive e-mail spam. The messages within the sent e-mails contain deceptive messages that aim to convince the victim to either click on a web link that causes a malicious redirect or open a malicious e-mail attachment. E-mails may have deceptive content, like the following:

The web link in the example above, then leads to a fake web page of DHL which automatically triggers a download of a .zip archive in which the payload of viruses, like the .wtdi CryptoWall may be contained in loaders. These loader type of files, when opened may extract the payload of the virus on the infected computer.

Other methods by which you could become a victim of the CryptoWall .wtdi ransomware virus are by downloading fake setups, clicking on malicious web links posted on suspicious sites, or downloading fake updates or installers of software.

CryptoWall .wtdi File Virus – More Information

During the infection process, the loader file downloaded from the spam e-mails or other distribution methods may drop the main payload file, named CryptoWall.exe as reported in VirusTotal:

Then, the ransomware may set the file to run automatically on Windows start-up. This is achievable by modifying the Windows Registry Editor, more specifically the following sub-keys:

  • Run
  • RunOnce

In those sub-keys, value strings with custom data are added. They may have random names, or the name of the executable, in this case CryptoWall. The malicious string has the location of the CryptoWall.exe file.

After this has completed, the .wtdi file virus may also delete the shadow volume copies on the infected computer. This is achievable by executing the vssadmin command in administrative Windows mode. This command is responsible for deleting those copies and eliminating all of the chances to retrieve the encrypted files via this method. The command is in different parameters, like the image below displays:

Other activity of the CryptoWall.exe .wtdi ransomware infection includes the obtaining of various system information, such as the Windows version, the IP address and other system details. In addition to this, the virus file of the .wtdi ransomware may also establish connection to multiple different third-party websites, that may eventually prove to download more malicious files on the infected computer, besides just transfer file encryption and decryption keys.

How Does CryptoWall .wtdi Encrypt Files

For the encryption process, the CryptoWall ransomware virus uses multiple different techniques by which it encrypts the files on compromised computers. The main files that are targeted for encryption by this CryptoWall imposter variant are:

  • Documents.
  • Music.
  • Videos.
  • Audio files.
  • Archives.
  • Disk image files.
  • Other important and often used file types.

After the virus completes the encryption process, the files are rendered no longer able to be opened. This results in them being added the .wtdi file extension. The files may look like the following:

After the encryption process by this ransomware virus has already finished, this infection then drops it’s ransom note in Russian:


In general, litter. But we’re a little pissed off and encrypted all your documentation. If you want to decipher them, you need to pay. how
It is said that only the mouse in the mousetrap is free of charge =)) Be nice and
Pay. Or you will not see your files =)
Here is the account number: UNIQUEID
And this is the connection with us: ICQ
We’ll say how much will the decoder cost …

Remove CryptoWall Imposter and Restore .wtdi Encrypted Files

For the removal of this ransomware virus, we advise following the instructions below. Since this virus may create multiple files in unknown Windows locations, malware researchers recommend hunting it down automatically by using an advanced anti-malware software. Such will also protect your computer In the future as well.

In case you are interested in restoring your encrypted files, we would suggest you to check this article regularly, since malware researchers may soon develop a decrypter for this virus. In the meantime, focus on alternative tricks to restore the files, like the ones we suggested below. They aim to help you restore at least some of the files encrypted by this ransomware virus.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share