How to Recover Files Encrypted by CryptoWall (CryptoDefense)

How to Recover Files Encrypted by CryptoWall (CryptoDefense)

1 Star2 Stars3 Stars4 Stars5 Stars (25 votes, average: 5.00 out of 5)
How to Recover Files Encrypted by CryptoWall

How to Recover Files Encrypted by CryptoWall

What is CryptoWall/CryptoDefense:

Threat Classification: Ransomware

CryptoWall is the newest version of CryptoDefense ransomware. Similar to Cryptorbit, HowDecrypt and CryptoLocker. CryptoWall will target computers running Windows operating systems. It was released by the developers of CryptoDefense in the end of April. CryptoWall is almost identical to its predecessor and will fully encrypt your data. Unfortunately, as of now, there is no chance of decrypting the files encrypted by CryptoWall.

When activated, CryptoWall encrypts certain types of files stored on your local and mounted network drives using RSA-2048 bit public-key cryptography, with the private key stored only on the malware’s control servers. CryptoWall leaves access database files untouched, but does encrypt .doc, .xls, and .bmp, .txt, images and videos.

CryptoWall will create DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.url , DECRYPT_INSTRUCTION.html, and a shortcut to DECRYPT_INSTRUCTION.html in every folder that a file was encrypted. These files contain instructions on how to pay the ransom.  Furthermore, CryptoWall will create a HKCU\Software\<unique ID>\ registry key and will store configuration information in it. Moreover, all encrypted files will be listed under HKCU\Software\<unique ID>\PROTECTED key. The malware then displays a ransom message which offers to decrypt the data for $500/500EUR and after a few days, the cost will increase to $1000/1000EUR. If the payment is not made by the stated deadline, CryptoWall threatens to delete the private key.

If you notice that you are infected, we at recommend you to download SpyHunter Malware Security Suite from our web page: order to automatically remove the active infection. However, be advised that even when the infection has been removed successfully, your files will still be encrypted. Once you get rid of CryptoWall (learn how to in our article HERE), you can try to recover your files using the limited methods below:

How to Recover Files Encrypted by CryptoWall:

*Please note that, as of now, there is no method of decrypting the files encrypted by CryptoWall. The infection may also delete all your Shadow Volume Copies. The only certain way to restore your files is by using a backup copy.

You can try to restore your files from a system backup. If a backup is not available, then you can attempt to recover your files using the Shadow Copy Service. Since Windows XP Service Pack 2 there is an implemented feature called Shadow Copy Service that, if enabled, will automatically create backup copies of your files. This method may not work, as CryptoWall attempts to clear your shadow copies when it is installed.

1. How to restore files using the Shadow Copy Service:

Method 1. Using native Windows Previous Versions:

*Be advised that the Windows System Protection option must have been enabled prior to the infection for this method to work.

1. Right click on the corrupted file and select properties from the drop-down menu;

2. Go to “Previous Version” tab (If the tab is missing then it means that Windows System Protection option hasn`t been enabled);

3. Choose the latest previous version copy and click on the Copy button, then select the directory you wish to restore the file to. If prefer to restore the selected file directly, click on the Restore button.

This method can be used to restore an entire folder as well. Right-click on the selected folder and choose Properties and then Previous Versions tab.

Method 2. Using Shadow Explorer:

You can also use a program called Shadow Explorer to restore entire folders. You can download the program from the following link:

When you download and run the program, you will see, on the left side, a list of your available drives. Next to it, you will see the dates that a shadow copy was created. You can select the drive and the date that you wish to restore from.

 To successfully remove and learn more about the newest ransomware CryptoWall, please read our article HERE.

To successfully remove and learn more about the ransomware CryptoDefense, please read our article HERE.

To successfully remove and learn more about Cryptorbit or HowDecrypt ransomware, please read our article HERE.

To learn how to recover your files encrypted by older ransomware like CryptoDefense, please read our article HERE.

To learn how to recover your files encrypted by older ransomware like Cryptorbit or HowDecrypt, please read our article HERE.

CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ – external link from Bleeping Computer, please read the article HERE.

There are 72 comments left Go To Comment

  1. Dolmac /

    Here is how to recover your files if you don’t have shadow copies :

    The ransomware function this way :

    When a user launch it (usually by email) it will encrypt all their files and add in each directory a document explaining that they will have to pay in Bitcoin 500$ to recover their files.

    FYI, if you pay, you will actually recover your files, but is there another solution than paying 500 or 1000$ to some kind of mafia ? Yes.


    Power-Off the machine : the faster the better
    CryptoWall operate this way :

    First it will do a copy of your original file, and encrypt it with what they claim to be a RSA2048 key. Then it will delete the original files. It goes on until it encrypted all files on all disks and network shares the user can access.

    In a second time it will try to delete any windows shadowcopies of your files to prevent you to recover a previous “unencrypted” version of your files.

    The reason you should power off the machine quickly is that it might prevent the suppression of shadowcopies. Then all you have to do is power on the machine, press F8, launch it in Safe mode, and use antimalware programs such as Malwarebytes to clean the virus. then use the “precedent version” tab on properties of your user folders to recover unencrypted files.


    What if you have no shadow copies and no backup of your files ? There is still a way.
    As I said, Cryptowall doesn’t encrypt your original files. It will do a copy of it, encrypt it, and delete the original file.

    As you probably know, a deleted file can be recover if nothing as been written over it on your disk. Good think you quickly power off the machine soon after the infection !

    Now all you have to do is take your hard drive out, put it in another machine as external drive, or second drive if you don’t have a sata dock, an run a file recovery program.

    I use Ontrack EasyRecovery or R-Studio, or even DataRescue for Mac.
    The pro version of Ontrack EasyRecovery might also be able to recover files from a RAID array if one of your network share as been encrypted and you don’t have backups.

    All these programs will be able to recover the original files deleted by Cryptowall.

    Just make sure when you run those to NOT do it directly on the original machine as by writing on your infected disk, the program could Overwrite your deleted files.

    You should be able to recover 99% of your files using this method.

    After you recover your files, always do a clean format / install of your machine.

    Here is a little program that will help you register all the files that as been encrypted, could be helping :

    Of course the best way to protect you from this kind of virus is always the same :

    Have a backup. Always. And a good up to date AV.

    1. Troy Smith /

      Hey Dolmac,
      First of all I wanted to thank you about the excellent comment. I haven’t tried your method yet, but I’m going to experiment with it later today – then I’ll share my results. We all hope that it will work and we will be able to recover some (or all) of the files.


    2. Jason Smith /

      Hello again Dolmac,

      Thank you for sharing your experience with us!!!
      I wanted to thank you about the amazing peace of information that you have shared with us.

      Of course, as you have said – always do backupS and don’t keep them in one place. Keep your SpyHunter and AV up-to-date – this should be enough for keeping you out of troubles!!!


  2. hamed /

    hi Troy Smith
    i have a same problem,please share your result, if you could succeed to recover encrypted files please share the name and version of the program that you used.
    thanks dolmac & troy smith

  3. Dolmac /

    here is an article were you can find how cryptowall works and why you can recover files using Delete recovery softwares :

    1. Troy Smith /

      Hey Dolmac,
      thank you once again for the wonderful and useful comment. I’ve tried to duplicate the process, but without success, my first mistake was, that I used a virtual machine, which had a fairly small hard drive and that made the operating system overwrite the delete files almost immediately, although I was able to see the names and the file sizes, I was not able to recover them (we are talking about 30 files – 10 pdf, 10 jpg, 5 docx and 5 xlsx), my second mistake was that I was not quick enough in powering down the virtual machine, which might break the encryption process and leave some untouched originally deleted files on the virtual machine.
      Now what I saw in the above block post, the Mister Wyatt Roersma has managed to recover the deleted files by using the R-Studio software, but this will be only in case when the use has stopped the machine immediately and the operating system or other applications haven’t started overwriting the previously deleted original files (by the malware infection), So the answer of all our problems might be the R-Studio or some other recovery software, which could recover the deleted files, furthermore let’s hope that the developers won’t release a new version, which will wipe out the original file, which will let us with nothing to recover.
      Once again thank you for your comment Dolmac!


  4. william /

    I tried the second method form Dolmac but it fails. Since all the encrypted files are modified in these two days, I can tell a file is encrypted or not by looking the modified time .

    I use Recuva to recover files. I think I almost recover all the files. And the modified time of the recovered files is not the same as the encrypted files. So I think they are not encrypted.
    But I still cannot open the files. Same error message like those encrypted files.

    1. Troy Smith /

      Hey William, I just wanted to make sure that I’ve understood you properly – you have tried to recover the original files using the Recuva software, which had shown that the time/date of the deleted files are just like the originals, but even after recovering these files, you still get the same error message, just like on the encrypted files?! I would suggest to try and open several types of the already recovered files – for example – try .pdf, .Doc, .Docs, .Xls, .Xlsx By doing this, you will be sure that if none of the files opens correctly, you have recovered only already encrypted files, which means that the “decryption service” will be your only option.


      1. william /

        Thanks, Troy. That’s exactly what I mean. I just paid the ransom and it works.

        I just don’t know why the files I recovered are encrypted as the modified time is years ago. All the encrypted files have a modified time in these few days. I think they encrypted the files in recycle bin. And then deleted from recycle bin.

        1. Richard /

          Regarding paying the ransom. How did you get the bitcoins. I’m having hell trying to get those.

        2. Richard /

          Was wondering how did you go about getting the bitcoins? I’m having a tough time getting those.

          1. Troy Smith /

            Hey Richard,
            I have never purchased any crypto-currency at all, so you should ask somebody from the community. I guess you’ll get an answer within few hours – I mean a real answer from a guy, who had paid the bastards the ransom!!!
            I wish you luck and I hope that you’ll get your data back in working order!


      2. Richard /

        Thanks Troy. First time using this site and my reply was to William who it appeared did pay the ransom. I used r-studio to recover all of the deleted files but unfortunately it appears that the virus renamed all of the files with a sequential numbering scheme before deleting them. So while I have all the files I will have to manually rename all of them.

        1. Troy Smith /

          Hello again there,
          The day before yesterday I was testing an identical infection, which had renamed all the files, just before deleting them. So the recovery procedure can take place, but you will never know, which file is which, if there are 100 or 1000 files. I’m not sure, that there is a practical way to restore the original file names, not just looking at them and guessing – this one should be the “Report 2014” or maybe “Report 2014Q1” or …
          I would advise you to take a look at the following link (the F.A.Q. page of R-Studio) and more exact on the point 12 and 13 of the FAQ page:

          (12. When I recovered files, I see a bunch of files called 000456.pdf, 000578.pdf, etc. Does that mean I need to rename them manually to the names I want?

          13. I see folders named as ‘$$$Folder58448’ or so. All they have a red X on them. What does that mean?
          A folder names like ‘$$$Folder58448’ means that the folder itself has not been found on the disk only some references to it. For example, folders ‘My documents’, ‘Work’, ‘Photos’ have been found and all they have one parent folder, which description has not been actually found on the disk, so its name is unknown and therefore presented as ‘$$$Folder58448’. Perhaps the description of such folders was just outside of the scan area – so try to expand the region or scan the entire disk. If it does not help the description of the folder is most likely overwritten.)

          I’m not sure what else can I do for you – just wait for the William’s answer for the bitcoin exchange.


          1. william /

            Hey guys,
            You can go to this website to buy bitcoin:
            This website is one of the fast way to get it considering we have a deadline of 3 days. You will have to register an account in the website. Then you will get a bitcoin address automatically.
            Western Union or cash deposit is fine. You will need to choose the seller and read the relative information. It’s not difficult. Find the seller who has high credit and transfer bitcoin fast.
            Once you get the bitcoin, send it to the baster’s bitcoin address. You will have to tell the guy’s transaction ID.

            What I did has one more step. Once I got bitcoin in, I transfer to my another bitcoin account in, then I transfer the bitcoinf from coinbase to the bastard. I think I can just transfer from to the bastard directly.

            Once your transaction ID is verified by another end (which is about 40minutes to me), you can download a zip file containing a decypher and a key. Then you can recover it.

          2. Troy Smith /

            Hey William,
            Again – thank you very much for the crypto-currency purchasing information. I’m sure, that this is one of the most wanted themes at the moment – with all these crypto ransomware things in the wild … No matter what every body said, It’s not that easy to purchase a crypto currency online/offline. It’s entirely different story, when someone had done it already …


  5. Troy Smith /

    Hey William,
    Can you please let me know something about your operating system. I just need to know if it is Windows Xp,7,8 vista or … I don’t know what it can else be.
    When I have time, I will try to find out what exactly is going on when these crypto-ransom-ware Sh*ts are infecting a system.


    1. william /

      The system is win 7. But I have another victim last year was win xp. I heard that IOS can be infected too.

  6. Cloee /

    those guys that create cryptowall ruin my job and my life all my files in my computer are encrypted OMG I try everything but nothing works please someone help me!!! I don’t have $500 to paid this Friday 15!!!

  7. Mark /

    I have been nailed by cryptowall. I need these files decrypted to run my business. Has anyone found a way out

  8. Patrick /

    I’m using GetDataBack NTFS and am unable to find where Cryptowall stores any deleted files. It did locate two partitions (one was an old one that had been deleted) but all the files I located (there are 1000’s of files on this drive) were encrypted. Where on the drive are the deleted files found when using Rstudio, i.e. a certain folder? Thanks!

    1. Jason Smith /

      Hey Patrick,
      I’m pretty sure that Cryptowall makes the copy of the original file in the original file’s folder, and just then it encrypts the copy of the file and deletes the original one. One more thing – It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.
      The only thing I can advise you is to check if Cryptowall has successfully erased the Virtual Shadow Copy Writers (VSS) – sometimes the ransomware cannot remove the VSS writers and this will allow you to recover previous versions of the already encrypted files. You should try to search for previous versions using the Shadow Explorer –

      I wish you the best of luck with this very unpleasant business!


  9. format /

    Hey Jason Smith

    I try to find the delete files with getdata back program i found nothing…
    The Virtual Shadow Copy Writers (VSS) is present on windows xp? i belive isn’ t present on xp… Do you have other idea for windows xp?

    thank you


    1. Jason Smith /

      Hey Mr. Format,

      In Windows XP – no VSS, sorry – you need at least Windows Vista for these guys … For Windows XP – it depends how long have you used the computer before starting the recovery with the undelete programs (like RStudio etc.). I’m running out of ideas … In case I have a new idea I’ll drop you a message!


  10. A victim /

    I am thinking of paying the ransom, but it is important for me to know whether the de-encryption restores the exact same file name. Also, will the original modified date appear, or will the decryption date appear only ? It is important for me to know what is the latest version of a given document…

    1. Mark /

      We did pay the ransom and got our files back. The file name stayed intact. Unless you have a backup the original modified date has already been changed to the date they were encrypted. You can use this date to search for the files that probably have been encrypted to see the total impact. I had roughly 30,000 files encrypted and we did get them all back. From what I can tell your clock doesn’t start ticking until you actually go to “Your home page” Once they see you are interested you have 72 hours to pay the 500 worth of a bit coin if you don’t it jumps to 1000. We used for the purchase and transfer of the bit coin. You can only purchase 250 worth of a bit coin using you credit card so the best bet is to do a wire transfer from your bank under an account you plan to close. Doing a transfer does require a video authorization which we did using an iphone. It took us about 40 hours to actually do the transfer to the hackers, then we waited another 12 hours for the decrypt key which will appear as a download on your personal home page. Once we downloaded the program you select one drive letter at a time and it decrypts the files. The file modified date will be the date and time you decrypt them. The decryption process is slow what took a few hours to encrypt took a few days to decrypt. By the way you will need to transfer more than 500 because you will need to pay service fees and transfer fees, I think we ended up transferring about 530 to cover everything. Good Luck it’s a horrible experience to go through.

      1. Mark /

        I just need to clarify one point in my last post. It did not take us 40 hours to transfer the funds what took us 40 hours was setting up our account, doing the wire transfer and purchasing of the bit coin. Sending it only took a minute and then we waiting for the key which cam about 12 hours later

        1. A victim /

          Dear Mark,

          Thank you so much for taking the time to respond – twice !

          I had 1 question – did you try the “1 free file” option to test the veracity/ reliability of the key ?

          I did, and got a “Key initialization error” response.

          I then sent their “Support” an e-mail a question regarding the foregoing, but no response until now.

          My computer guys tell me that this means there is no one on the other end – either they fled or were busted.

          Obviously, of the 2 choices, I would hope they were busted.

          But right now I have no idea what is going on.

          About when did you go through your ordeal ? I week ago ? I month ago ?

          Anyone else have this problem ?

          Thanks again.

      2. Rob /

        Hey, could you please send me the decryption software that you received when you paid the randsom? (I imagine a .exe, a .key or something, and a readme text), let me know what you received. I’d like to find the key (even though it will not work for mine), and have you do a search for a specific key if you would. If I could find it on the local computer we’d be good. Put it in a password protected zip file if you want, just use ‘password’. Please don’t send me any personal files, I don’t want to be responsible, just the decryptor you received from these bastards.

        This is a totally voluntary request. I’m not trying to ‘scam’ you, and you can tell me ‘no’ or to ‘go to hell’ if you want, I won’t be crushed 🙂

        [email protected]

  11. format /

    Hi Jason Smith

    Thank you for the answer, but i think the only idea is format the computer, i did a full backup and i wait soon or later maybe cryptowall will be decrypt! i mean a site like


  12. Sandy T /

    I have been infected with the cryptowall – as far as I can determine it is removed from my XP computer – however all of my PDF data files which is a huge amount (1,000 or better) will not open – computer hard drive – 2 external backup drives and also online backup —

    I believe I am out of luck except to pay the ransom amount

    Any suggestions or resolutions???


    1. Jason Smith /

      Hello Sandy,

      Thank you for your question! I think you should ask your online backup solution for help – they may keep file versioning – which means that they keep every version of your file for the past 10-20 days or so. This means that they should have a version of your files, before the Cryptowall encryption. I think every online backup should keep a snapshot every time you save a file. This means that probably your online backup is the only hope for your files (except paying the ransom of course). Check out the link below:

      I wish you the best of luck for your files!


  13. Carol Wilson /

    I paid the $500 and indeed got my files decrypted, but some other damage has been done to my computer. I am unable to use the files on software such as MS Word or Wordperfect (Adobe Reader works okay and Quicken and a few others). I am further unable to reload the software from disk due to all sorts of errors from “access denied” to “insufficient memory.” Anybody have any idea what was changed that would cause this? Also am unable to update my virus protection and some other downloads are prevented.

  14. odettejuls /

    anybody use the ? for me im not sure if this is working or not.

    I tried to upload the the infected files, actually this file i copied from the infected pc to my pc which is not infected and uploaded to the above website.

  15. Jake /

    I tested this and it work. I got all my files back. first you need to remove cryptowall malware. Search for ways online. In case you still have them in your computer, so even you recovered files, doesn’t mean they won’t get ecryp again.

    second, you need this ShadowExplorer program. you can download it

    After installed it, on top left corner of the program, select your hard drive, and time (the time you know your file were still working fine). under the folder, select your files, right click it, and click “export” to your new folder. There you go, file recovered. But files only recovered to the time you selected that were working, not during or after they got encrypted. So, you might lose a few data that you input while malware were active. However, best of all, you got most of them back.

    1. Jason Smith /

      Hello Jake,
      thank you for your comment!


  16. Jomacapa /

    Thank you Jake worked for me

    1. Jason Smith /

      Hey Jomacapa,
      We are very glad to hear that! If you have any further questions or concerns, please don’t hesitate to ask us!

      best regards

  17. anthony /

    guys, i need help here…
    my customer notebook has been infected by this cryptowall virus…
    im in trouble to get the unencrypted files back…
    my problems now:

    1.shadow copies deleted by the cryptowall
    2.formatted pc
    3.having trouble to get the shadow copies back

    need reply asap 🙁

    1. Jason Smith /

      Hey Anthony,
      I’m not sure that you will be able to get these files back. basically with the latest ransomware infection you need either a backup solution or the shadow copies/previous file versions. If you don’t have neither of them, you don’t have any chance. I would advise you o try some recovery software like R-Studio – you will need the shadow copies, however I’m not sure that they would recover after HDD format! I wish you the best of luck – you will need it!


      1. anthony /

        well i knew its kinda hard in my situation now…. if totally can’t recover means im out of luck to recover the datas back…

        1. Jason Smith /

          now even if you pay the ransom and get the file-decryptor and the decryption keys, you don’t have the encrypted stuff. If you need the files that much and the computer was not used after the hdd format – you have a pretty good chance of getting at least the encrypted content back, however if you have already installed something on it – all traces are gone and you won’t be able to recover much.


          1. Paul /

            Well I didn’t reformat hard drive but did run eset antivirus, spyhunter, avg and malware bytes so not sure if the screwed it up. My IT person wants to copy the reg keys on server where the shared drive is and try the decryptor again. I hope it works.

  18. paul /

    I recently got infected with the cryptowall 3.0 and paid the ransom and they sent me the decryptor 3.0 I opened it and it seemed as though it worked on dbf files but did not restore my pdf’s, docs, xls, pst(outlook email) and qbw files. Anyone know what I did wrong? Could it be something with my registry files? Or is that unrelated? I did run some antivirus software for the infected filed between the time it occurred and the time I paid the ransom. Any info or advise would be greatly appreciated. Thanks!

    1. Jason Smith /

      Hey Paul,
      If you were able to decrypt the .dbf files this means, that the key is the right one, so there should be something else wrong with the decryption program. Have you tried the decryptor using the safe-mode or safe-mode command prompt?! I’m not sure what’s wrong, but as I said – if it had worked for one file, it should work for all the others … Maybe some application is trying to prevent access to these file types only … that’s why I’ve asked you about the safe-mode.


      1. Paul /

        I have not tried safe mode yet. Will try that next and let you know results.

  19. Robert /

    We got hit by CryptoWall 3.0. It came into our system through on of our staff and then went after the server. As soon as we found out, we shut down the unit and that seemed to stop the encryption on the server (it got some very important files but not them all).
    We cleaned up the contaminated machine and didn’t pay the ransom. Now we have a clean machine and no real way to access the ransom, without reinfecting the entire system again.

    1. Jason Smith /

      Hey Robert,
      Even if you infect the your system again and then pay the ransom, you will get the key for latest infection encryption and not for the first one. The keys for the second infection encryption will be different then these used in the first attempt.


    2. Paul /

      Unfortunately I did have to pay the ransom but they did send me the decryptor and I got all my files back. It was my fault for not keeping a back up of those files. The issue is that the ransom note they send is a link to my specific file they infected. I have contacted them by clicking on a support tab they provide and they have responded each time.

      1. Jason Smith /

        Hey Paul,

        We are very sorry to head that you have to pay for your data, but the good news is that – you’ve got your data back!
        It seems that the cyber-criminals made out of it an entire business (support ?!) !!! I think that is it time for the governments to act very hard!
        Unfortunately almost 90% of all the people and companies I personally know do not use backup solution. Only after some very nasty hard drive crash or ransomware infection they decide that it’s worth.
        We constantly advise our customers to use a reliable backup solution. Using cloud storage is also a solution, because of the daily backups, although you might not get the latest version of your file, you will get the previous day version, which is in most cases very good news!

        Thank you for all the information!


  20. Kathy Kirk /

    JASON!!!Help!! lol
    I just paid the ransom, note on computer that payment made successfully; Download the archive “” and unzip it to any folder and then run the file decrypt.exe then follow the instructions to decrypt files. Turn off or remove your antivirus before downloading decoder. antivirus can prevent you to download and decrypt your files. I had my computer guy do a “backup of the decrypted files.” Did purchase 1 T Western Digital backup Can you please explainstep by step the process to decrypt, as well as do a backup immediately after decryption. I have heard even after decrypt the files are still “virused” and if one tried to remove the virus, your files will lock up again. Is their a way for me to find the “decryption key” ? and back that up as well. I certainly do not want to make a mistake on this. I just spent $500 and am happy I might be recovering data. Also note, I do not believe currently I have a”zip program” I am not an idiot, but some of this is really complicated lol

    1. Jason Smith /

      Hey Kathy,
      I seems that you still have a lot of work. Of course I can help you with it, but I will also need some time. Let us arrange a meeting this weekend?! Just let me know when you are available!? One more thing – do not touch the encrypted computer – turn it off and let it stay down – if you would like my help of course!


  21. Kathy Kirk /

    Also to ANYONE PAYING THE RANSOM…..If this goes off without a hitch, I will then be certain I can say, at least these hackers “have a heart.” lol Business as usual.
    To purchase Bitcoins.. go to coin and open a account. Dont even think of using someone else’s name or identity, this will trip you up. They will give you a laundry list of what you have to do lol. To verify your identity you have to ONLY -“upload front and back of your drivers license to their webiste. NO EMAILS. Thats a problem if your computer is locked up. I took pics with camera, uploaded sim to friends computer and then uploaded to their web. They also want a picture of YOUR OUTSIDE – IN SUNLIGHT, HEAD SHOT LIKE A PASSPORT PHOTO Holding your D.License next to your face. So they can compare them ? Next they will have a listing of prices. Cheapest – Do all of this ASAP. Take CASH To local Bank of America Branch. You Will be making a cash deposit in a account in New York, Of Course they will give you their account number. On the receipt you have to put your Order Number. (You are able to start an order, create the number) and nothing is done until they get their money. AND THEY ARE MUCH SLOWER THAN THEY SAY. I put money in their acct on Sat Morning. I was not “fully verified until TUesday 5 pm. After you are verified you will get an email confirmation with a link back to coin cafe. Follow the link, make sure you have PREVIOUSLY SIGNED ON IN ANOTHER WINDOW AND MINIMIZED FIRST! Once at the link you can send your bitcoins. Should be noted I purchased what I thought was $500 and bitcoiins and between Sat and the time I was verified on Tues price of bitcoins WENT UP.. Meaning when I went to send $500 Of Course CoinCafe will tell you you dont have enough money in the account. I did send what I had which was about $490 You will then get a transaction ID. but you do not get that till after you have sent. The hackers have a (support) area you can enter the capcha, and send messages. I did this constantly lol. when you have your transaction id you can then go back to the support page and let them know the transaction id. MAKE SURE you take pics of the screens with your Cellphone to go back to refer to. If you loose your password or sign on you are screwed. Same with with hackers website which is over 20 entries. Good Luck and pray for me, at least now they have sent me the decryption. Also if you need more time, they extended me a whole week, when I let them know I had deposited money. They want the money, not your files. They are actually human lol

  22. Nova /

    Can someone please advise me, if I have downloaded Malwarebytes and scanned and deleted (hopefully) the Cryptowall virus. I obviously still can’t open any of my files. If I were to recover my laptop to the previous week will this help me recover my files or is this useless?

    1. Jason Smith /

      Hello Nova,

      Welcome to If you can recover your system to the last weeks state – this will definitely recover your files. You might loose some files, which were created this week, but believe me – this is the best solution, if you don’t want to pay the $500 ransom. If you recover your system to a previous version, your files should be there not encrypted.

      Jason Smith

  23. Max /

    Good morning Everyone,

    Yep, another victim of those effing biiistards!!!!

    Been reading a lot about what to do (unfortunately, not many options in my case!), but what I need to know is IF (once the virus has been eradicated) I need to delete those two “documents” left in each folder (and sub-folder) that has been infected?

    I’m talking about the HELP_DECRYPT PNG and the HELP_DECRYPT url.

    I have little hope of getting my files “decrypted” but in the meantime, I want to make sure that I’m not keeping any residual of that virus?
    I have of course run my AV but I still see those “items” in each folder?

    Many thanks in advance for your advice 🙂

    Kind Regards,


  24. SSmith /

    So I don’t understand why they can’t catch these guys if the are on the receiving end of these funds!! Above it said, ” Take CASH To local Bank of America Branch. You Will be making a cash deposit in a account in New York, Of Course they will give you their account number. ” – Is this the hackers’ account number? If so, why can’t they catch them when they go to access the funds in this account? and if they are responding to some forum isn’t there some way to get their IP addy and track them down? I don’t understand why they are getting away with this for so long. I have been infected with this and don’t have the funds to get my files back. I’m devastated.

  25. Ryan /

    I got hit with cryptowall 3.0 around a month ago, after doing some research and finding some peopoe paid the ransome and still didnt get their key I decided not to pay. I have ky entire life on my laptop and every files been encrypted even my music which again I have over 20 years worth of my favourite songs stored! I went back on my laptop today and after saving some money decided at worst case I will pay the ransom but when i clicked on the link to my personal page it said the link was no longer available? Is there still a way I can get in touch with cryptowall to get my files or is there any hope that in the next few months a ‘fix’ or decrypter will be released? I have found that cryptoLocker had a fix and foxit and fireeye came together to help provide keys and everyone for their files back for free so was wandering if that would be the case for this cryptowall too?



  26. Jessica /

    I was infected with the cryptowall 3.0 just a couple of days ago. We have tried all the suggestion on getting my files back. We lost over 8,000 pictures of our children. We are going to pay the ransom and want to know if there is a lot of success with it. I have tried to decrypt the 1 file for free and I keep getting an error message that says “you uploaded don’t own file” I am not sure what that means but if that is not working does that mean that my files can not be decrypted? Please help.

  27. Jessica /

    Kathy Kirk
    Did you actually get someone to respond to you on the support page? How long did it take them to confirm and send you the link to decrypt?

  28. Dan /

    Hey everyone.

    I just paid and, as stated, they provided me with the to take care of the decryption the files.

    Now… the problem is, the decryption program itself is infected with the encryption virus!

    Seems a bit of a catch22 to me.

    An ideas anyone??

  29. Debra /

    My laptop had this virus but my IT resource removed it and all the associated files. If I want to pay the ransom to decrypt my files, how to I now do that since their url/link file is no longer on my laptop?

  30. Tuomo /

    hi, got also cryptowall 3.0 and thinking about paying the ransom… I got one idea that worked quite fine for me. i found CGS sucurity free program here and downloaded it to my computer (windows xp) here

    i got some photos back !! (i had to buy new external storage to make sure theres no virus. to delete the virus i bought a spyhunter 4) Now i searched all my memory sticks and cd merory cards from my camera and recovered photos from them.. Although i had several times emptied sd cards (and formatted them also) the system was able to recover a huge amount of my photos… im still recovering photos but i feel that i can recover most of my photos and for rest photos i think i have to pay… hopefully this helps someone

    1. Jason Smith /

      Hey Tuomo,
      I’m very glad that someone has salvaged at least a portion of what these cyber crooks have stolen.


  31. Cassie /

    Hi Tuomo.

    For clarification, were you able to recover the encrypted files, or did you seek to find old versions of your files from other external sources?

    Like you, I was just recently infected, and I have received help from McAfee to remove the virus, but now I still do not have access to all of my files, (e.g., word, Powerpoint, excel, pdf, jpg to name a few). After downloading “cgsecurity”, and running that program, were you able to regain access to any of your files. Thank you for the additional information. I am devastated and petrified that whatever I do will make matters worse, and not result in the restoration of my files, or access to them. Can anyone recommend a technical support organization that can help me to navigate my options, and literally step me through the process? Please help me. Thank you very much.

  32. run aground /

    We took a hit from Cryptowall 3.0 last week. We’re a very small charity with no income and they infected 8 years of our work. Have run spyhunter and malbits and cleaned out our system, but can’t get anything decrypted or restored using system restore on our old XP OS…Help?

    1. Jason Smith /

      Hey “Run Aground”,
      I’m sorry to hear that your work is gone.
      Have you tried to use one of those tools mentioned in the publication or underneath in comments. There are people, reporting that they managed to salvage some of their work! I would recommend you to give it a try!

      I hope, some of them to work for you!


  33. Ray /

    Well, those that asked for help and willing to pay ransom for files back…….. How about read back the comment that was post here oct 21.2014 by Jake. See if that can help your files. It did on mine and many people.

  34. DA /

    I was hacked by CryptoWall 3.0 6 days ago. I regularly did backups but I left the backup external HD connected to my laptop so the encryption virus ruined my backup also. Everything I do is on my laptop including a spreadsheet (password protected) with all my passwords.
    I paid Norton $100 to clear my computer of the virus, it took them close to 5 hours.
    I was desperate so paid the ransom. The criminals sent me the decrypt key and after running it several times I thought I had decrypted everything. So I deleted the encrypted files. Turns out I cannot open all the files and photos now, I get a message that the files are corrupted and they don’t recognize the format or extension. I contacted the criminals via “support” and they said they would check into the problem but they never got back to me.
    Has anyone had the same problem and, if so, did they figure out how to read the corrupted files?

    1. Ryan /

      DA, where is the “support” information to contact them? i would like to pay the ransom but the link has expired so need to contact them to see if it is still payable to get the decrypter tool?


  35. Paul Gustafson /

    I Too just got affected by this bullshit ransom, ive had spyhunter totally delete all this ransom malware and now in process of figuring out how im gonna delete this damn encryption

    any ideas?

    1. Jason Smith /

      Hello Paul,

      We’re very sorry to hear that your computer has been infected by this ransomware.
      We’ve wrote a post for users like you, which try to recover their documents, however this is a very complicated infection and usually the recovery’s success rate is very low.
      If you’ve already tried the ShadowCopy and Previous-Version’s recovery from the post above, there is not much that you can do – only to search for your backups online or offline.
      If however some succeeds in capturing the cyber criminals data servers like the last year, there is a high chance of success, because they release the encryption keys to the public – at least last year they did it!


Leave a Reply

BOT Check: * Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.