Cryptowall

Info

Cryptowall is a highly destructive piece of ransomware that holds your data hostage using RSA-2048 encryption.

In most cases, the virus is downloaded by the user. Sometimes, however, the victim visits a website for games, movies, or other content that has been breached and infected with ransomware, so you should not go to sites you do not trust.

Do not download the file. If downloaded, remove it instantly.

Payload

It works the same way as Cryptolocker does. Cryptowall takes any Microsoft Office document and turns it into jumbled text and random HTML code.

If Cryptowall is successfully executed, three files will automatically execute and copy themselves throughout your PC: an HTML document, a TXT file, and a PNG image, all with exactly the same file name, "HELP_YOUR_FILES". As they spread throughout the computer, Cryptowall opens the files automatically and makes them run at startup.

Cryptowall also generates a private key, like Cryptolocker does. If the deadline for the decryption key is not met, it will offer to decrypt the data at a higher price.

Cryptowall does one thing that Cryptolocker doesn't. Instead of downloading a malicious file to decrypt the data, the HELP_YOUR_FILES.html document gives you a personal website to decrypt the data, just like the Locky virus. The two are alike in another way, though: Cryptowall and Cryptolocker use the same payment technique, Bitcoin or MoneyPak.

If the deadline is met or the user pays early, the countdown to the destruction of the private key is stopped at the time of activation. If the serial is incorrect, Cryptowall will cut the time before the destruction of your private key in half; if it is correct, it will start decrypting the files. Once Cryptowall is done decrypting the files, you can use your computer normally. The files in the startup folder will be removed if decryption is successful.
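A triage check for the ransom-note files described above, as an added example that is not part of the original wiki page: it walks a directory tree (a live profile or a mounted disk image), reports folders holding the HELP_YOUR_FILES HTML/TXT/PNG set, and flags hits in a Startup folder. The function names and the sample tree are constructed for illustration, and matching the Startup folder by its standard Windows path tail is an assumption.

```python
import os
import tempfile
from pathlib import Path

NOTE_STEM = "help_your_files"            # note name given on this page
NOTE_EXTS = {".html", ".txt", ".png"}    # the three note types the page lists
STARTUP_PARTS = ("start menu", "programs", "startup")  # assumed Startup folder tail

def find_ransom_notes(root):
    """Walk root and return {directory: {"exts": set, "startup": bool}} for note hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            p = Path(name)
            if p.stem.lower() == NOTE_STEM and p.suffix.lower() in NOTE_EXTS:
                entry = hits.setdefault(dirpath, {"exts": set(), "startup": False})
                entry["exts"].add(p.suffix.lower())
    for dirpath, entry in hits.items():
        parts = tuple(s.lower() for s in Path(dirpath).parts)
        entry["startup"] = parts[-3:] == STARTUP_PARTS
    return hits

def summarize(hits):
    """Split hits into full-set dirs (strong signal), partial dirs, and startup dirs."""
    full = sorted(d for d, e in hits.items() if e["exts"] == NOTE_EXTS)
    partial = sorted(d for d, e in hits.items() if e["exts"] != NOTE_EXTS)
    startup = sorted(d for d, e in hits.items() if e["startup"])
    return {"full": full, "partial": partial, "startup": startup}

def build_sample_tree(base):
    """Constructed sample: a fake user profile with notes dropped in two folders."""
    docs = Path(base, "Users", "alice", "Documents")
    startup = Path(base, "Users", "alice", "AppData", "Roaming", "Microsoft",
                   "Windows", "Start Menu", "Programs", "Startup")
    pics = Path(base, "Users", "alice", "Pictures")
    for d in (docs, startup, pics):
        d.mkdir(parents=True)
    for d in (docs, startup):
        for ext in NOTE_EXTS:
            Path(d, "HELP_YOUR_FILES" + ext.upper()).write_text("constructed")
    Path(pics, "help_your_files.txt").write_text("constructed")   # partial set
    Path(docs, "HELP_YOUR_FILES.docx").write_text("not a note")   # must be ignored
    return str(docs), str(startup), str(pics)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, dirs in summarize(find_ransom_notes(tmp)).items():
            print(kind, *dirs, sep="\n  ")
```

A folder with only part of the set is listed separately, since a lone file with this name is a weaker signal than all three together.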

Removal guide

  1. Reboot your computer in Safe Mode with Networking.
  2. Download Malwarebytes Anti-Malware to remove some files that Cryptowall leaves.
  3. Open the Run dialog, enter the command "regedit", and find the Cryptowall registry files. Once done, go back into Malwarebytes to remove the files in the startup folder, then restart your computer. Your computer should be back to normal.
