How to remove CryptoWall Ransomware
What is CryptoWall:
Threat Classification: Ransomware
If you think, your computer could have Cryptowall and it is not active yet – immediately get our malware removal tool – SpyHunter and initiate the scan before the Cryptowall is activated! CryptoWall is the newest version of CryptoDefense ransomware. Similar to Cryptorbit, HowDecrypt, and CryptoLocker. CryptoWall will target computers running Windows operating systems. It was released by the developers of CryptoDefense in the end of April. CryptoWall is almost identical to its predecessor. There are a few minor changes like the name, the files it drops and modified instructions with a new picture. It is speculated that this release was due to CryptoDefense being well known by the Anti-virus companies or because the malicious code was sold to another malware developer. Unfortunately, as of now, there is no chance of decrypting the files encrypted by CryptoWall.
CryptoWall will fully encrypt your data compared with its predecessors. The infection might come from various sources – infected files from various P2P networks, torrents or other file sharing applications, bogus flash player, Silverlight updates or fake video software for viewing online content, email attachments etc. When activated, CryptoWall encrypts certain types of files stored on your local and mounted network drives using RSA-2048 bit public-key cryptography, with the private key stored only on the malware’s control servers. CryptoWall leaves access database files untouched, but does encrypt .doc, .xls, and .bmp, .txt, images and videos.
CryptoWall will create DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.url , DECRYPT_INSTRUCTION.html, and a shortcut to DECRYPT_INSTRUCTION.html in every folder that a file was encrypted. These files contain instructions on how to pay the ransom. Furthermore, CryptoWall will create an HKCU\Software\<unique ID>\ registry key and will store configuration information in it. Moreover, all encrypted files will be listed under HKCU\Software\<unique ID>\PROTECTED key. The malware then displays a ransom message which offers to decrypt the data for $500/500EUR and after a few days the cost will increase to $1000/1000EUR. If the payment is not made by the stated deadline, CryptoWall threatens to delete the private key. In order to pay the ransom, the users are sent to a specific web page where they can enter their personal code and access a payment page. The page can be accessed through Tor client:
or through a normal browser:
The payment should be made through Bitcoins – untraceable payment method.
Once the infection is executed on your computer, it will inject itself deep into the system by modifying the registry in order to start with Windows on every boot. Then it will start encrypting files. This is a newborn virus and is very hard to detect. However, the infection will manifest itself after the encryption process has been completed.
CryptoWall will not only encrypt your files and lock your computer. It will also collect information that might be used to compromise you. The ransomware may steal other relevant information as your personal details, and send it over to the creators. That is the reason why this malware infection should not be left unattended, and it needs to be terminated immediately, as it is a serious threat to your online security.
*Please note that, unfortunately, as of now there is no method of decrypting the files encrypted by CryptoWall. The infection will also delete all your Shadow Volume Copies. The only way to restore your files is by using a backup copy.
There are two ways to remove this infection. It is totally up to you to decide which way you want to go:
1. Automatic Removal Method (recommended for regular or novice users) using a Professional Malware Removal Software like SpyHunter.
2. Manual Removal Method (recommended for PC Experts or Enthusiasts).
Automatic CryptoWall Removal:
We recommend using SpyHunter Malware Security Suite.
You can download and install SpyHunter to detect CryptoWall and remove it, by clicking the button below. Once installed, SpyHunter will automatically scan and detect all threats present on your system, but in order to use it as a removal tool, you need to purchase a subscription.
SpyHunter will automatically scan and detect all threats present on your system.
Learn more about SpyHunter (EULA). You can find Install Instructions here: (LINK) SpyHunter`s free diagnosis offers free scans and detection. You can remove the detected files, processes and registry entries manually, by yourself, or purchase the full version to perform an automatic removal and also to receive free professional help with any malware related queries by their technical support department.
*Bear in mind that the removal of the threat will NOT decrypt your files. As of now, there is no method of decrypting the files encrypted by CryptoWall.
Manual CryptoWall Removal:
!!! Please note: You can remove CryptoWall manually, however, you should proceed at your own risk, as any of the interventions might render your system inoperable. Therefore this manual removal method is highly recommended for PC Experts or Enthusiasts. For regular users, MalwareKillers.com recommends using SpyHunter or any other reputable security application.
1. Remove CryptoWall by restoring your system to a previous state.
1. Reboot your computer into Safe Mode with Command Prompt. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard.
***For Windows 8/10:
If you are using Windows 8, you need to hold the Shift button and tap the F8 key repeatedly, this should boot you into the new advanced “recovery mode”, where you can choose the advanced repair options to show up. On the next screen, you will need to click on the Troubleshoot option, then select Advanced Options and select Windows Startup Settings. Click on the Restart button, and you should now be able to see the Advanced Boot Options screen.
2. Using the arrow keys on your keyboard, select the option “Safe Mode with Command Prompt” and press Enter on your keyboard.
3. When the command prompt loads up, type:
Windows XP: C:\windows\system32\restore\rstrui.exe and press Enter
Windows Vista/7/8/10: C:\windows\system32\rstrui.exe and press Enter
4. System Restore should initialize, and you will be displayed a list of restore points. Try using a restore point created just before the date and time before the Your-computer-has-been-locked virus has infected your computer.
When System Restore has completed its task, start your computer in Windows normal mode, you would need to perform a scan with anti-spyware software as the infection might still be on the system.
*Please note that your files may remain encrypted, depending on whether your system restore has been set to recover system settings only or system settings and previous version of files.
More information about how to recover your files can be found in the following post “How to Recover Files Encrypted by CryptoWall (CryptoDefense)“.
CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ – external link from Bleeping Computer, please read the article HERE.