Remove Cryptowall & Restore Files
A new piece of pesky malware is making its rounds. Often identified as “Trojan.Cryptowall”, it is a Trojan that encrypts your computer files making them inaccessible. It then requires payment to have the files decrypted and to remove Cryptowall.
The threat typically gets installed by clicking links in spam emails, via exploit kits hosted through malicious ads or compromised sites, or by other malware.
This is a nasty piece of malware. As always, we recommend users to be very careful what links they click on and to avoid suspicious websites. In about 30% of cases we have been able to successfully restore access to some or all of users’ files after removing Cryptowall. The remaining option is a system restore to remove the treat.
We do not recommend paying the ransom as directed by Cryptowall. There is no guarantee that the scammer will give you a decryption key to unlock your files, and the threat still remains. If your computer has been taken over by this frustrating piece of malware, give us a call or bring in your computer for us to take a look. We are glad to help.
Computers Plus Repair in Lexington, KY: (859) 523-5355
More Detailed Info on Cryptowall
Once Cryptowall is installed on your computer, it creates several registry entries to store the path of the encrypted files and the program runs each time the computer restarts. It encrypts files with certain extensions on the computer and creates separate files with directions on how to allegedly acquire the decryption code.
This threat attempts to convince you to pay money to get the passkey to free your files. It uses a number of different schemes to encourage you to pay the ransom. Of course after the scammer gets your money, he is under no obligation to release your files.
Another variation of Cryptowall is termed Trojan Cryptodefense. Cryptolocker is a similar piece of malware.
Means of Infection
In Cryptowall spam campaigns, the email will usually contain an attachment to an infected file along with a message that tries to coerce the user to download the file. The spam email might say the attachment is an purchase invoice, an undelivered package reminder, or a fax alert. If you open the attachment, your computer will promptly be infected with Trojan.Cryptowall or a variation of it.
It can also be transferred through exploit kits on compromised websites or malicious ads. The Rig exploit kit and the Nuclear exploit kit are two kits that have been used to compromise users’ computers with Cryptowall.
Cryptowall was designed to prevent you from opening your files so that it could attempt to require payment in order to regain access. It does this by encrypting a large number of files on the computer with public/private key encryption using a very strong 617 digit or 2048-bit RSA key.
Once it has your files on lockdown, Cryptowall displays a ransom message via text document or HTML page. It may also warn that the decryption key will be deleted after a certain amount of time in order to pressure the you into paying quicker. The scammer may demand hundreds of dollars, and the amount may increase after a certain amount of days.
The message will then give a link to a website where the scammer wishes to take payment. These sites are usually hosted on the anonymous Tor network, which scammers often use to hide their identity. The threat has asked the user to install a Tor network browser in order to access the site, but newer versions of the threat do not require the user to do this. The user may have to pay using an anonymous currency such as bitcoin to help shield the attacker’s identity.
Even if you pay the ransom, there is of course no guarantee that the scammer will give you a decryption key to unlock the files.