The innate human desire to keep personal things intact is what the CryptoWall 3.0 ransomware skillfully manipulates to its own advantage. Its highly disruptive tactic targets the files stored on the victim's computer. The ransomware encrypts the victim's data with RSA-2048, which puts decryption-related workarounds out of reach, at least within the time span the infection allows, that is, 168 hours (7 days). The only way to get the files back under that algorithm is to obtain the private key, which is unfortunately held on a server run by the criminals and is only handed over after a ransom of 500 USD is paid. At the time of writing that is roughly 2.17 Bitcoins, which is the payment method the fraudsters insist on. That's the story in a nutshell, so let's get more down-to-earth and scrutinize the specifics of this nasty threat.
CryptoWall 3.0, the successor to version 2.0, went live around mid-January 2015, and it is a refined ransomware variant in a number of ways. First off, its authors gave up the previously used technique of bundling exploits into the dropper itself; the proliferation now relies on exploit kits instead. This means broader spreading opportunities, since the payload can be delivered by exploiting the victim's browser or its plugins without any action on their part beyond visiting a compromised or malicious page. Additionally, version 3.0 has gotten an expanded list of Tor gateways used for communicating with the command and control server. The latter Tor-related feature is the bad guys' fairly smart move towards anonymity. For the victim, it means that they need to install Tor Browser before they can start following the instructions, unless one of the gateway links in the ransom note happens to work from a normal browser.
Once this ransomware gets in without knocking, it commences a background scan for files with popular extensions on all drives attached to the PC. Everything that gets found is encrypted using the public half of an RSA-2048 key pair. Bulk data is not normally encrypted with RSA directly (ransomware of this kind typically encrypts each file with a symmetric cipher and wraps that key with the RSA public key), but the outcome for the victim is the same: the public key alone cannot undo it. The matching private key is generated and stored outside of the computer, and retrieving it is a matter of submitting the amount of money that's being extorted. Having finished encrypting the data, the ransomware displays a file named HELP_DECRYPT (.TXT and .HTML) containing basic instructions on further steps to be followed. The file also has several links to "your personal home page" in it, where more specific details are indicated. Those are Web2Tor gateways whose URLs follow the pattern of 'paytoc4gtpn5cz12.torforall.com/
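The ransom notes double as a map of what was touched: the directories that contain a HELP_DECRYPT note are the ones the scan reached, and the oldest note marks roughly when encryption began. The following PowerShell is an added example, not code from the original article, that uses those two facts to scope an infection before any recovery is attempted. It assumes the note names the article describes and should be run elevated on the affected machine after it has been disconnected from the network; the output path on the Desktop is an arbitrary choice.

```powershell
# Added example (not from the original article): scope a CryptoWall 3.0 infection
# by locating its ransom notes and the files written after the first note appeared.
# Assumes the note names HELP_DECRYPT.TXT / HELP_DECRYPT.HTML described in the text.
$noteNames = 'HELP_DECRYPT.TXT', 'HELP_DECRYPT.HTML'

# The ransomware scans every drive, so look at every mounted filesystem drive.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }
$notes = @(foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Recurse -Force -Include $noteNames -ErrorAction SilentlyContinue
})
if ($notes.Count -eq 0) { throw 'No HELP_DECRYPT notes found; nothing to scope.' }

$affectedDirs = $notes | Select-Object -ExpandProperty DirectoryName -Unique
"{0} ransom notes in {1} directories" -f $notes.Count, $affectedDirs.Count

# The earliest note approximates when encryption started. Keep this timestamp:
# any shadow copy or backup used for recovery must predate it.
$first = $notes | Sort-Object CreationTime | Select-Object -First 1
"Earliest note: {0} created {1}" -f $first.FullName, $first.CreationTime

# CryptoWall writes encrypted copies as new files, so files in an affected
# directory with a write time at or after the first note are candidates for the
# encrypted set. Export the list; it drives the recovery steps later on.
$suspect = foreach ($dir in $affectedDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $first.CreationTime -and $noteNames -notcontains $_.Name }
}
$suspect | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path "$env:USERPROFILE\Desktop\cryptowall_scope.csv" -NoTypeInformation
"{0} candidate files written to cryptowall_scope.csv" -f @($suspect).Count
```

Treat the candidate list as an upper bound: a file the user legitimately edited after the infection started will also show up, and a file on a drive that was unplugged during the scan will not.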
The ransom doubles to 1000 USD if it is not paid within the 7-day window. Obviously, neither sum is acceptable to whoever got infected, but what is there to be done? Some of the encrypted files might be of very high importance to the user. If CryptoWall 3.0 happens to have contaminated your computer, read on to learn your options for restoring files and removing the ransomware.
Automatic removal of CryptoWall 3.0
This is the most efficient method for taking care of malware in general and ransomware threats in particular. A reputable security suite will detect all of the infection's components and remove them in one pass. Be advised, though, that uninstalling this infection and recovering your files are two different things; the removal is still indispensable, because the ransomware has been reported to download additional Trojans while it operates, and any recovery work done on a machine it is still running on can be undone.
As mentioned above, CryptoWall 3.0 applies strong crypto to render files inaccessible, so there is no magic wand that restores all of the encrypted data in the blink of an eye, short of paying the unthinkable ransom. There are, however, techniques that can help you recover the important stuff. Here is what they are.
Automatic file recovery software
It is worth knowing that CryptoWall does not encrypt files in place: it writes an encrypted copy and then deletes the original. A deleted file's contents remain on disk until the clusters it occupied are reused, so undelete tools such as Data Recovery Pro can often bring the originals back. The condition is that nothing has overwritten those clusters since; a file that was securely wiped, or whose space has been reused by later writes, cannot be recovered this way. For that reason, stop using the affected disk as soon as possible, ideally image it first, and always recover onto a different drive rather than the one you are recovering from. With those precautions the approach is definitely worthwhile, as it has proved fairly effective in practice.
Shadow Volume Copies
This approach relies on Volume Shadow Copies, the snapshots Windows takes of a volume whenever a restore point is created. There are two important conditions to this method. First, it only works if System Protection (System Restore) was enabled for the volume before the contamination. Second, the copies have to have survived the attack: CryptoWall deletes them with vssadmin where it can, so in practice this route succeeds mainly when the malware lacked the rights to do so. Also, if changes were made to a file after the most recent restore point, they will not be reflected in the recovered version.
The Properties dialog for any file has a tab called Previous Versions. That is where the snapshot versions are listed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select either Copy or Restore, depending on where you want the file to end up. Copying to a different location is the safer choice, since it leaves the encrypted copy in place for comparison and does not overwrite anything if you pick the wrong version.
The above process can be done in bulk with a tool called ShadowExplorer. It does the same thing (retrieving files from Volume Shadow Copies) but in a more convenient way. Download and install the application, run it, pick the snapshot dated before the infection from the drop-down at the top, and browse to the files and folders whose previous versions you wish to restore. Then right-click on any of the entries and select Export.
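The same recovery can be scripted when there are many files to pull out or when ShadowExplorer cannot be installed on the machine. The PowerShell below is an added example, not code from the original article or from ShadowExplorer: it lists the snapshots of the C: volume, picks the newest one taken before the infection started, exposes it as a directory link and copies a single file out of it. The file path, restore location and infection timestamp are hypothetical placeholders; run it from an elevated PowerShell after the ransomware has been removed.

```powershell
# Added example (not from the original article): restore one file from the newest
# Volume Shadow Copy that predates the infection. All paths and the timestamp below
# are hypothetical placeholders.
$target        = 'C:\Users\Alice\Documents\report.docx'   # hypothetical encrypted file
$restoreTo     = 'D:\Recovered\report.docx'               # write to a different volume
$infectedSince = Get-Date '2015-02-03 14:00'               # e.g. creation time of the oldest HELP_DECRYPT.TXT
$linkPath      = 'C:\shadow_tmp'                          # temporary directory link to the snapshot

# Resolve the volume that holds the target, then list its snapshots newest first.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$shadows  = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object InstallDate -Descending
if (-not $shadows) { throw 'No shadow copies left on C: (CryptoWall deletes them when it has the rights to).' }

# A snapshot taken after encryption began only holds the encrypted copy, so skip those.
$good = $shadows | Where-Object { $_.InstallDate -lt $infectedSince } | Select-Object -First 1
if (-not $good) { throw 'Every surviving snapshot postdates the infection.' }
"Using snapshot {0} taken {1}" -f $good.ID, $good.InstallDate

# Expose the snapshot as a directory link. The trailing backslash on the device
# object path is required, otherwise the link will not resolve.
cmd /c mklink /d $linkPath "$($good.DeviceObject)\" | Out-Null
try {
    $relative = $target.Substring(3)                       # strip the leading 'C:\'
    $source   = Join-Path $linkPath $relative
    if (-not (Test-Path -LiteralPath $source)) { throw "File not present in that snapshot: $source" }

    New-Item -ItemType Directory -Force -Path (Split-Path $restoreTo) | Out-Null
    Copy-Item -LiteralPath $source -Destination $restoreTo
    # Record a hash of what was recovered so later comparisons have a reference.
    Get-FileHash -Path $restoreTo | Format-List Path, Hash
} finally {
    cmd /c rmdir $linkPath | Out-Null                      # removes only the link, not the snapshot
}
```

`Get-CimInstance Win32_ShadowCopy` shows the same snapshots as `vssadmin list shadows`; if both come back empty, the copies are gone and this whole section does not apply. The timestamp check is the part that matters most: restoring from a snapshot taken after the first ransom note appeared just hands you the encrypted file again.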
Backups
Out of all the options that are not ransom-related, this one is the best. If you had been backing up your data to an external server or offline medium before the ransomware hit your PC, restoring the files encrypted by CryptoWall 3.0 is as simple as logging into the respective interface, selecting the right files and starting the restore. Two things to check before you do so: make sure the ransomware has been completely removed from the computer, and pick a backup version dated before the infection, because a backup job that ran after the encryption may have faithfully copied the encrypted files over the good ones.
If you chose to stick to the manual cleanup route, some fragments of the ransomware may remain as obfuscated files in the operating system or as registry entries that relaunch it at logon. To make sure no malicious components of CryptoWall are left, have the computer scanned with a reliable malware security suite.
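A full scan is the right final step, but a quick look at the autostart locations ransomware commonly uses tells you whether anything is still set up to run at the next logon. The PowerShell below is an added example, not code from the original article, and it is a generic triage check rather than a CryptoWall-specific signature: it lists the Run and RunOnce keys and the Startup folders, and flags any entry that launches from a user-writable directory (AppData, Temp, ProgramData), which is where droppers tend to park their copies. Run it as the affected user so the HKCU keys are the right ones.

```powershell
# Added example (not from the original article): generic sweep of common autostart
# locations, flagging entries that run from user-writable directories.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData)

# True when a command line references one of the user-writable roots above.
function Test-SuspectPath([string]$command) {
    foreach ($root in $suspectRoots) {
        if ($command -and $command.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip the provider's own metadata members
        [pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Command  = $p.Value
            Suspect  = Test-SuspectPath $p.Value
        }
    }
})

# Startup folders: resolve .lnk targets so the check sees where a shortcut really points.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$findings += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $launches = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        [pscustomobject]@{
            Location = $dir
            Name     = $_.Name
            Command  = $launches
            Suspect  = Test-SuspectPath $launches
        }
    }
})

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
"{0} autostart entries, {1} flagged" -f $findings.Count, @($findings | Where-Object Suspect).Count
```

A flagged entry is not automatically malicious (some legitimate updaters live in AppData too), so check each one's publisher and file hash before deleting it, and remember that this covers only the most common autostart spots; scheduled tasks and services are worth the same look, and the full scan remains the authority.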