Even if you don’t pay much attention to what happens on the Internet every day, you have probably come across the name CryptoWall at least once while reading the news online, or at least you know what ransomware is. Ransomware is a type of malware that cyber criminals have adopted as a routine tool for extorting money from victims: it unexpectedly encrypts all the data stored on their systems and demands a ransom in return for the private key needed to decrypt it. CryptoWall is one member of the ransomware family, and its fourth generation was released only recently; the previous version was released in January of this year. Far from being contained, this ransomware has been spreading so fast and so freely that its developers were able to produce a successor within a year.
According to researchers at Heimdal Security and BitDefender, the newest version of CryptoWall is even harder to deal with. Joseph Bonavolonta, the assistant special agent in charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, has said that the ransomware is that good and that, to be honest, they often advise people just to pay the ransom. We have to admit that paying is indeed the easiest way to get the data back once the files on a hard drive have been encrypted by cyber crooks, but I think it should be done only as a last resort. Though this ransomware has been reported as the fourth version of CryptoWall, there is no direct evidence that it was created by the same authors as the previous versions. Whoever the authors are, they have added new features to CryptoWall 4.0 that make it more challenging for security researchers to analyze it and to find an effective method of decrypting the data without paying a ransom.
If your files have been encrypted by CryptoWall 4.0 and you urgently need help, go directly to the solutions below, or download the security software to get rid of the ransomware:
How does CryptoWall 4.0 encrypt files stored on users’ computers?
Like other modern malware, CryptoWall 4.0 is usually distributed through common channels such as compromised e-mail, drive-by downloads and unsafe web links. The data show that in most cases victims received an infected e-mail before their data were locked by the ransomware. When unsuspecting users download and open the attachment of a spam e-mail, they do not realize that they are introducing a dangerous program to their computer. The attachment looks no different from an ordinary file: it can be a picture, a text file, a zipped file or any kind of regular program that will not arouse suspicion, but in fact it may be a JavaScript file that, when executed, downloads an executable and saves it to the Windows %Temp% folder in the background. This ransomware targets computers running the Windows operating system and can enter the system by many different means, so users cannot be too careful while browsing the Internet.
Like its predecessor, CryptoWall 4.0 still uses RC4 encryption for its communication with the command and control (C&C) servers. The C&C server list is decrypted with a short hard-coded key, while messages to the server are encrypted with an RC4 key generated by the ransomware. To identify victims, it also follows its earlier technique of building a unique victim identifier from the MD5 hash of details about the computer, such as the computer name, volume serial number, processor information and operating system version. Just like its predecessors, when CryptoWall 4.0 is installed on the targeted PC it injects itself into Explorer.exe, the Windows shell process. It then does everything it can to interfere with the user’s attempts to restore files from backup: the System Restore feature may be disabled, the Volume Shadow Copy Service may become unusable, and the Windows Boot Configuration Data file may be missing or unreadable. Restoring the computer from a system image backup is the only hope of getting the files back short of paying the attackers, so the ransomware spares no effort to prevent it. After that, it embeds itself into svchost.exe to disrupt functions such as Windows Defender and begins encrypting the data on the system, which means that everything currently accessible from the PC, including local drives, portable hard drives and mapped network drives, will be affected once the PC is compromised by CryptoWall 4.0. Once it is installed and has finished encrypting the files, it displays ransom notes informing the victim of what has happened and how to pay.
The name of the ransom note has changed from “HELP_DECRYPT” to “HELP_YOUR_FILES”. Compared with the previous version, the content is less threatening and contains more guidance, and more irony. The ransom note is displayed in three formats: HTML, TXT and PNG. The arrogant message congratulating the victim on becoming part of the large CryptoWall community even underlines the word CryptoWall. The congratulations are followed by the questions that users of infected computers are likely to ask once they find they can no longer access their data or any file on the computer. The criminals behind the ransomware explain what is happening on the computer, how it happened and what users should do to get their data back, and they particularly warn users to give up trying any other way of unlocking the encrypted data, since “any attempts to restore your files with the third-party tools can be fatal for encrypted files”. According to the note, the only way to decrypt the files is to purchase the software package together with the private key, and searching for any other solution is a waste of time. HELP_YOUR_FILES.TXT is placed on the desktop, and the PNG version usually appears in important folders. All formats of the ransom note provide instructions for paying the ransom.
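As an added example (not code from the original article), the following Python script shows an incident-response triage step built on the note names just described: it walks a directory tree, collects every HELP_YOUR_FILES note in HTML, TXT or PNG form, and uses the earliest note’s modification time to estimate when encryption of the affected folders began. The sample tree is constructed in a temporary directory; its layout, file names and timestamps are assumptions.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Ransom note names from the article; the tree below is constructed with
# tempfile for demonstration and does not come from a real infection.
NOTE_STEM = "HELP_YOUR_FILES"
NOTE_EXTENSIONS = {".html", ".txt", ".png"}


def find_ransom_notes(root: str) -> List[Tuple[str, float]]:
    """Walk root and return (path, mtime) for every ransom note, oldest first."""
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if stem.upper() == NOTE_STEM and ext.lower() in NOTE_EXTENSIONS:
                path = os.path.join(dirpath, name)
                notes.append((path, os.path.getmtime(path)))
    return sorted(notes, key=lambda item: item[1])


def triage(root: str) -> Dict[str, object]:
    """Summarise notes: affected folders (relative to root) and the earliest drop time."""
    notes = find_ransom_notes(root)
    folders = sorted({os.path.relpath(os.path.dirname(p), root) for p, _ in notes})
    first_seen = notes[0][1] if notes else None
    return {"count": len(notes), "folders": folders, "first_seen": first_seen}


def build_sample_tree() -> str:
    """Create a constructed victim-like tree; mtimes are arbitrary epoch seconds."""
    root = tempfile.mkdtemp(prefix="cw4_sample_")
    base = 1446800000.0
    layout = {  # "7fj2k1.x0a" stands in for a file whose name was scrambled
        "Desktop": [("HELP_YOUR_FILES.TXT", base + 120), ("help_your_files.html", base + 121)],
        "Documents": [("HELP_YOUR_FILES.PNG", base + 30), ("7fj2k1.x0a", base + 31)],
        "Pictures": [("HELP_YOUR_FILES.png", base + 90)],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, mtime in files:
            path = os.path.join(root, folder, name)
            with open(path, "w") as fh:
                fh.write("sample\n")  # placeholder content, not a real note
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(result["count"], "notes in", result["folders"], "first at", result["first_seen"])
```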
Just like its predecessor CryptoWall 3.0, the latest version still uses Tor to protect the attackers’ anonymity. On the Decrypt Service site, victims can make payments, check the current status of a payment, decrypt one file for free and get support. The CryptoWall ransomware demands at least 1.84 Bitcoin, roughly $700, in return for restoring the files. The required ransom has increased from $500 to that amount, so it is hard to imagine how much damage CryptoWall 4.0 will cause. According to a recent report from the Cyber Threat Alliance, a group of cyber security practitioners, CryptoWall 3.0 extorted about $325 million from ransomware victims. Given the higher ransom and the limited ways of preventing infection, the damage caused by CryptoWall 4.0 could be even more severe than that of 3.0.
Victims have a limited amount of time to pay the ransom, usually a whole week, but they are advised to complete the payment within two or three days in case the link stops working. The current antivirus detection rates for CryptoWall 4.0 do not look good. It still uses advanced malware dropper mechanisms to avoid detection, but this new variant also has much improved communication capabilities: it includes a modified protocol that lets CryptoWall 4.0 evade detection even by second-generation enterprise firewall solutions. To frighten the victim, this ransomware encrypts not only the file contents but also the file names, which makes it harder for the user to recognize the type of file and makes them more nervous, so the chance that the attackers receive the ransom rises significantly. What is more, this new version is also linked with unsafe websites that are used to spread the malware and infect more computers. Once your computer is infected by this ransomware, your options are limited; even a security expert at Heimdal Security has noted in her blog that the encryption is very strong and most likely unbreakable.
It may delete Shadow Volume Copies and disable startup repair, which makes it even harder to recover the data. The easiest thing a victim can do may simply be to pay the ransom as demanded, which is what the FBI suggested at the 2015 Cyber Security Summit, even though in reality this encourages crime. In some ransomware cases the user is lucky because the malware does not affect restore points, so the system and data can be restored to a date before the ransomware arrived as if nothing had happened, but CryptoWall 4.0 does not seem that merciful. If you cannot recover the data by restoring the system from your most recent backup, the only option left is to give your money to the attackers. Seeking help from a third party such as a security company is unreliable, and you may lose your data permanently.
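As an added illustration (not code from the article), the following Python snippet shows how a defender could flag the recovery tampering described above in process-creation logs: it runs a few rules over constructed, Sysmon-style sample records and escalates when shadow copy deletion and boot-recovery changes come from the same parent process. The log format, rule names and sample lines are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed process-creation records in a simplified Sysmon Event ID 1 style
# ("timestamp|parent image|command line"); sample data, not real telemetry.
SAMPLE_LOG = """\
2015-11-06T09:12:01|explorer.exe|notepad.exe C:\\Users\\alice\\report.txt
2015-11-06T09:12:44|explorer.exe|vssadmin.exe Delete Shadows /All /Quiet
2015-11-06T09:12:45|explorer.exe|bcdedit.exe /set {default} recoveryenabled No
2015-11-06T09:12:46|explorer.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2015-11-06T09:13:02|services.exe|svchost.exe -k netsvcs
"""

# Command-line patterns for the recovery tampering the article describes:
# deleting shadow copies and switching off startup repair. Case-insensitive
# because the tools accept either spelling.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_copy_deletion_wmic": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "startup_repair_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


def detect_recovery_tampering(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per matching record: time, parent process, rule and command line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, parent, cmdline = line.split("|", 2)
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append({"time": timestamp, "parent": parent, "rule": rule, "cmdline": cmdline})
    return hits


def severity(hits: List[Dict[str, str]]) -> str:
    """A lone vssadmin call can be an administrator cleaning up; shadow deletion plus
    boot-recovery changes from the same parent is the ransomware pattern, so escalate."""
    by_parent: Dict[str, Set[str]] = {}
    for hit in hits:
        by_parent.setdefault(hit["parent"], set()).add(hit["rule"])
    if any(len(rules) >= 2 for rules in by_parent.values()):
        return "high"
    return "medium" if hits else "none"


if __name__ == "__main__":
    found = detect_recovery_tampering(SAMPLE_LOG)
    print(found, "severity:", severity(found))
```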
What Can You Do If Your PC Gets Infected?
An automatic remover should be your first choice when facing such a serious situation. A professional removal tool may help you get rid of the ransomware completely. The removal tool’s database is updated daily, and it can remove the malware as long as the malware is detected. You can download the free scanner now to run a thorough scan of your system.
The scan service is free of charge. During the scan it shows a list of all detected items, including the name, location and other details. You can remove the detected items after the scan completes if you have purchased the product. If the removal completes but your data are still locked, try the next step.
If the antivirus program fails to detect or remove the ransomware, or your data cannot be recovered, you can use tools such as Data Recovery or MiniTool Power Data Recovery Free to try to recover the damaged files safely, although the current evidence suggests this is not as helpful as you might wish. If you create restore points regularly or happen to have one, you can restore the system from the latest restore point. However, this only works if your restore point remains intact.
This option takes your PC back to an earlier point in time without affecting your files, but it removes the programs, updates and drivers that were installed after the restore point.
Perform a system restore for Windows 7
Step 1 Log in to your computer as the administrator.
Step 2 Open Control Panel from the Start menu.
Step 3 Click System and Security, then click Restore your computer to an earlier time.
Step 4 Press the Open System Restore button.
Step 5 Click Next > and you will see a list of the restore points you have created. Choose the latest one from before your system was infected with CryptoWall 4.0, then click Next >.
Step 6 Confirm your restore point and click Finish.
Step 7 Click Yes to confirm your choice and start restoring the system.
Step 8 The restore is in progress.
Step 9 You will see a message during the restore process. The time it takes to complete depends on the condition of the system. Your PC will restart automatically when the restore finishes.
Perform a system restore for Windows 8
Step 1 Move your cursor to the screen’s right edge, and then click Search.
Step 2 Enter Control Panel in the search box, and click Control Panel.
Step 3 Enter Recovery in the Control Panel search box, and then tap or click Recovery.
Step 4 Click Open System Restore.
If you are asked for the administrator password, enter it in the box.
Step 5 Click Next > and you will see a list of the available restore points. Select the most recent point from before the ransomware appeared on the system and click Next >.
Step 6 Select Finish and click Yes to start the restore.
Step 7 Wait until the restore process finishes. Don’t be surprised if your computer restarts several times during the process.
Perform a system restore for Windows 10
Step 1 Right-click (or press and hold) the Start button, and then select Control Panel.
Step 2 Search Control Panel for Recovery.
Step 3 Select Recovery > Open System Restore > Next.
Step 4 Choose the restore point related to the problematic app, driver, or update, and then select Next > Finish.
Step 5 Click Yes to confirm your actions.
Here are some tips to help keep your PC safe:
Block executable files and zip files arriving in your e-mail inbox, and pay special attention to e-mail from strangers.
Never click on unknown links, e-mails, pop-up messages, and e-mail attachments in particular.
Back up all your important data and the system frequently. Note, however, that if your backups are stored on an external hard drive that is connected to your computer, that data will be encrypted by CryptoWall 4.0 too.
Use strong passwords and do not reuse the same password across accounts on different websites, especially your online banking account. Password services and password manager tools are not recommended, as there is a possibility that they could be hacked.
Limit access to your hard drives by preventing unidentified users from changing files.
Keep your operating system, your websites’ software, browsers and plugins up to date. Check frequently whether an update is available and, if so, install it immediately, or enable automatic updates so that security flaws are patched promptly.
Most importantly, use products that can effectively detect and block recent ransomware and Cryptoware variants. The antivirus tool I recommend below would be helpful in this respect.
The following video offers a complete guide to removing CryptoWall 4.0 ransomware. It is best watched in full-screen mode!