How to Recover Files Encrypted by CryptoWall (CryptoDefense)
What is CryptoWall/CryptoDefense:
Threat Classification: Ransomware
CryptoWall is the newest version of the CryptoDefense ransomware and is similar to Cryptorbit, HowDecrypt and CryptoLocker. It targets computers running Windows operating systems. It was released by the developers of CryptoDefense at the end of April. CryptoWall is almost identical to its predecessor and will fully encrypt your data. Unfortunately, as of now, there is no chance of decrypting the files encrypted by CryptoWall.
When activated, CryptoWall encrypts certain types of files stored on your local and mounted network drives using 2048-bit RSA public-key cryptography, with the private key stored only on the malware’s control servers. CryptoWall leaves access database files untouched, but does encrypt .doc, .xls, .bmp and .txt files, as well as images and videos.
CryptoWall will create DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.url, DECRYPT_INSTRUCTION.html, and a shortcut to DECRYPT_INSTRUCTION.html in every folder in which a file was encrypted. These files contain instructions on how to pay the ransom. CryptoWall will also create a HKCU\Software\<unique ID>\ registry key and store its configuration information in it. All encrypted files will be listed under the HKCU\Software\<unique ID>\PROTECTED key. The malware then displays a ransom message which offers to decrypt the data for $500/500EUR; after a few days, the cost will increase to $1000/1000EUR. If the payment is not made by the stated deadline, CryptoWall threatens to delete the private key.
If you notice that you are infected, we at MalwareKillers.com recommend that you download SpyHunter Malware Security Suite from our web page: https://www.malwarekillers.com/download-page/ in order to automatically remove the active infection. However, be advised that even when the infection has been removed successfully, your files will still be encrypted. Once you get rid of CryptoWall (learn how to in our article HERE), you can try to recover your files using the limited methods below:
How to Recover Files Encrypted by CryptoWall:
*Please note that, as of now, there is no method of decrypting the files encrypted by CryptoWall. The infection may also delete all your Shadow Volume Copies. The only certain way to restore your files is by using a backup copy.
You can try to restore your files from a system backup. If a backup is not available, you can attempt to recover your files using the Shadow Copy Service. This feature has been available since Windows XP Service Pack 2 and, if enabled, automatically creates backup copies of your files. This method may not work, as CryptoWall attempts to clear your shadow copies when it is installed.
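Because CryptoWall writes its DECRYPT_INSTRUCTION notes into every folder where it encrypted a file, those notes can be used to list the folders that need restoring. The following Python sketch is an added example, not part of the original article: the function names and the sample folder tree are constructed for illustration, and the shortcut file is not matched because the article does not give its file name.

```python
import os
import tempfile

# Ransom-note names given in the article (compared case-insensitively).
NOTE_NAMES = {
    "decrypt_instruction.txt",
    "decrypt_instruction.url",
    "decrypt_instruction.html",
}

def find_affected_folders(root):
    """Map each folder under root that holds a ransom note to its other files.

    The other files are only restore candidates: a note marks the folder,
    it does not say which individual files in it were encrypted.
    """
    affected = {}
    unreadable = []  # folders os.walk could not list, so they are not missed silently
    for folder, _dirs, files in os.walk(root, onerror=lambda e: unreadable.append(e.filename)):
        if any(name.lower() in NOTE_NAMES for name in files):
            affected[folder] = sorted(n for n in files if n.lower() not in NOTE_NAMES)
    return affected, sorted(unreadable)

def build_sample_tree(root):
    """Constructed sample data: two folders with notes and one clean folder."""
    layout = {
        "Documents": ["report.doc", "DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.html"],
        os.path.join("Documents", "Budget"): ["q1.xls", "decrypt_instruction.URL"],
        "Music": ["track.mp3"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        for name in names:
            with open(os.path.join(root, rel, name), "w") as fh:
                fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        folders, skipped = find_affected_folders(tmp)
        for folder, candidates in sorted(folders.items()):
            print(f"{os.path.relpath(folder, tmp)}: restore candidates {candidates}")
        print(f"unreadable folders: {skipped}")
```

On a real system, pass a drive or a user profile path to find_affected_folders and use the resulting folder list as the worklist for the backup or shadow-copy restore described below.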
1. How to restore files using the Shadow Copy Service:
Method 1. Using native Windows Previous Versions:
*Be advised that the Windows System Protection option must have been enabled prior to the infection for this method to work.
1. Right-click on the corrupted file and select Properties from the drop-down menu;
2. Go to the “Previous Versions” tab (if the tab is missing, it means that the Windows System Protection option hasn't been enabled);
3. Choose the latest previous version copy and click on the Copy button, then select the directory you wish to restore the file to. If you prefer to restore the selected file directly, click on the Restore button.
This method can be used to restore an entire folder as well. Right-click on the selected folder, choose Properties and then open the Previous Versions tab.
Method 2. Using Shadow Explorer:
You can also use a program called Shadow Explorer to restore entire folders. You can download the program from the following link: http://www.shadowexplorer.com/downloads.html
When you download and run the program, you will see a list of your available drives on the left side. Next to it, you will see the dates on which shadow copies were created. You can select the drive and the date that you wish to restore from.
CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ – external link from Bleeping Computer, please read the article HERE.