View All R&D Articles

CryptoWall Ransomware Infection And Decryption Services

May 12, 2016

One of the most successful types of ransomware, CryptoWall, is a malicious piece of software that automatically encrypts a victim’s files, rendering them unusable. The victim is then presented with a message from the software’s creators; to restore the encrypted files, the victim must pay a ransom in bitcoin, an untraceable currency

If you have encountered a CryptoWall variant, Datarecovery.com can help. We offer services to help you decrypt files, protect other networked computers, and recover from any ransomware infection. Call us at 1-800-237-4200 to speak with a ransomware specialist or read the information below to understand how CryptoWall works.

What is CryptoWall Ransomware (And How Does It Work)?

CryptoWall has several notable attributes:

  • The ransomware affects all storage media attached to the system, not just the primary media. This means that if you have a flash drive or external hard drive plugged into your computer when CryptoWall executes, files matching the ransomware’s target parameters will be encrypted.
  • Ransom notes are distributed in all folders that contain encrypted files.
  • In addition to encrypting files, newer versions of CryptoWall encrypt file names.
  • CryptoWall also searches for bitcoin wallets and attempts to steal them outright.
  • The malware deletes volume shadow copies on the infected drive, preventing you from restoring to an earlier date.
  • Several other ransomware programs have similar names (including CryptoLocker), and as CryptoWall has become popular, it has inspired several clones. This can make diagnosis confusing; we recommend obtaining a professional evaluation if you believe that your system is infected with a CryptoWall variant.

The two most common pieces of software legitimately bearing the CryptoWall name are CryptoWall 2.0 and CryptoWall 3.0. Some of the differences between these variants are explained below.

How Does CryptoWall Ransomware Infect My System?

CryptoWall was first introduced in 2014 and quickly became a significant threat. Early versions delivered their payloads through a browser exploit kit.

For newer variants, the payload may be delivered by a CHM file, usually in a RAR archive. A victim will receive an email that asks to “open the attachment and follow the instructions.” There are no instructions, of course; opening the file will install the ransomware. To entice users to take the necessary actions, the malware’s creators often take steps to make the email seem important, often impersonating a bank or other reputable business.

Many antivirus programs are unable to block CryptoWall variants. CryptoWall may also use JavaScript payload, falsely presented as a JPG file.

CryptoWall will target a variety of files, including (but not necessarily limited to):

DTD, PAS, RAW, asp, ass, ava, avi, bay, bmp, c, cer, cpp, crt, cs, db, der, doc, eps, gif, h, hpp, jpg, js, key, lua, m, mp3, mpg, msg, obj, odt, pdb, pdf, pem, pl, png, ppt, ps, py, rm., rtf, sql, swf, tex, txt, wb2, wpd, xls

When a file is infected, it is completely unusable.

What Ransom Payment Does CryptoWall Demand for Decrypting Files?

CryptoWall demands a ransom after it has completed its encryption process. It presents the infected user with a message, shown below, called “DECRYPT_INSTRUCTIONS.” This is presented in a text file, a PNG image, and via a web browser.

The malware may present this message:

“This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.”

As is the case with most ransomware applications, CryptoWall demands payment in bitcoin, an untraceable currency. The typical ransom is $500 USD, but the CryptoWall ransom can range from $200-5,000. When the ransom is paid, CryptoWall presents instructions through a website accessible on a Tor browser (installed by the malware).

To prove that the decryption services work, CryptoWall’s creators allow victims to upload one encrypted file each. This “free” decryption is tied to the user’s unique ID, so victims cannot exploit this service to recover additional files.

Older versions used RSA-2048 encryption, but newer variants use AES-256 to encrypt files, then encrypt the AES-256 key with a server-generated unique public key. Essentially, this means that newer versions of CryptoWall are unbreakable with brute-force attacks.

Can I Disable CryptoWall Ransomware Encryption?

CryptoWall decryption (without the key) is considered practically impossible via standard methods.  However, some older CryptoWall versions were cracked.

If you have encountered CryptoWall ransomware, immediately turn off the affected machine and contact our ransomware recovery experts. We can help you evaluate available options; our primary goal is to restore your files without paying a ransom, but if necessary, we can help you safely organize a payment. We can also help you take appropriate steps to protect the rest of your computer network and to prevent additional successful malware attacks. Call 1-800-237-4200 to get started or for more information.