
Cryptowall is a highly destructive piece of ransomware for Microsoft Windows that takes the user's data hostage using RSA-2048 encryption.

In most cases the victim downloads the virus themselves. Sometimes, however, the victim visits a website for games, movies or similar content that has been compromised and seeded with the ransomware, so users should not visit sites they do not trust.

Payload

Cryptowall takes every Microsoft Office document it finds and turns it into jumbled text and random HTML code. Once Cryptowall executes successfully, three files automatically execute and copy themselves throughout the PC: an HTML document, a TXT file and a PNG image, all with exactly the same name, "HELP_YOUR_FILES". As they spread through the computer they are opened automatically and set to run at startup. Like Cryptolocker, Cryptowall also generates a private key. If the deadline for buying the decryption key is missed, it offers to decrypt the data at a higher price. One thing Cryptowall does differently from Cryptolocker: instead of having you download a malicious file to decrypt the data, the HELP_YOUR_FILES.html document directs you to a personal website for the decryption, just like the Locky virus. The two are alike in another way: Cryptowall and Cryptolocker offer the same payment methods, Bitcoin or MoneyPak. If the payment is made by the deadline, or early, the countdown to destruction of the private key is stopped at the moment of activation. If the serial entered is incorrect, Cryptowall cuts the remaining time before the private key is destroyed in half; if it is correct, decryption of the files begins. Once Cryptowall finishes decrypting the files, the computer can be used normally, and the files in the startup folder are removed if decryption succeeded.

Removal guide

  1. Shut down and reboot the computer in Safe Mode with networking.
  2. Download an antivirus such as Malwarebytes Anti-Malware to remove some files that Cryptowall leaves.
  3. Open the Run dialog, enter the command "regedit" and find the registry entries Cryptowall created. Once done, go back into Malwarebytes to remove the files in the startup folder, then restart the computer. The computer should be back to normal.
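
As an added triage aid for steps 2 and 3 (not part of the original wiki article), this PowerShell script lists the HELP_YOUR_FILES ransom notes named above, any copies in the Startup folders, and any Run-key entries that reference them. It assumes the notes keep that exact name and only reports what it finds, deleting nothing.

```powershell
# Added triage script (not from the wiki): report Cryptowall ransom-note
# artefacts named HELP_YOUR_FILES.* and startup entries pointing at them.
# Report-only; run from an elevated PowerShell prompt in Safe Mode.
$noteNames = @('HELP_YOUR_FILES.html', 'HELP_YOUR_FILES.txt', 'HELP_YOUR_FILES.png')

# 1. Ransom notes dropped beside encrypted documents under each user profile.
#    LastWriteTime gives a rough timeline of when encryption ran.
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
$notes = @(foreach ($p in $profiles) {
    Get-ChildItem -Path $p.FullName -Recurse -Force -File -Include $noteNames -ErrorAction SilentlyContinue
})

# 2. Copies placed in the per-user and all-users Startup folders.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($p in $profiles) {
    $startupDirs += Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
$startupHits = @(Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $noteNames -contains $_.Name })

# 3. Standard Windows autostart Run/RunOnce keys whose command lines mention
#    the notes (these are generic autostart locations, not Cryptowall-specific keys).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runHits = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match 'HELP_YOUR_FILES' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
})

# Report: what to hand to the removal tool and what to check in regedit.
"Ransom notes found: $($notes.Count)"
$notes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
"Startup-folder copies: $($startupHits.Count)"
$startupHits | Select-Object FullName | Format-Table -AutoSize
"Run-key entries referencing the notes: $($runHits.Count)"
$runHits | Format-Table -AutoSize
```

Review the listed Run-key entries in regedit before removing them, and keep a copy of one ransom note for incident records.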