Decrypt and remove CryptoWall virus: Cryptowall 2.0 removal and decrypter

The tutorial encompasses a full profile of the CryptoWall ransomware, removal assistance as well as ways to restore personal information that it encrypted.

CryptoWall is both a terribly persistent piece of malware and an example of how helpless present-day IT security can be in the face of virus evolution. Unmistakably classified as ransomware, this program encrypts the private information stored on the attacked computer. Of course, the motivation behind creating such a malady is moneymaking, and the scammers are apparently getting more and more insatiable as they attempt to extort an alarming 500 USD from every infected user. CryptoWall infiltrates computers through social engineering trickery. Its makers run a mass email campaign, attaching ZIP archives that contain phony PDF files. These objects are masqueraded as bills, invoices, online order notifications and similar things that the average user would be interested in opening. Once the PDF is opened, a malicious payload gets executed, letting the ransomware in without the user’s awareness.

Decryption instructions triggered by CryptoWall ransomware

CryptoWall does not immediately show its presence. First it scans all drives on the computer for the most common file types. If there are any mapped network drives represented by a letter in the PC’s data hierarchy, their contents get processed as well. Then the ransomware encrypts the information it located. In fact, it creates encrypted copies of your files, and the original data gets deleted. The algorithm utilized in this workflow is RSA-2048, which is known to be particularly strong and practically uncrackable within a reasonable time frame. Decrypting the files is therefore a matter of retrieving the private key, which is kept on a server run by the criminals. Sounds like a trap. And it is, to a large extent.

As soon as the behind-the-scenes encryption job has been completed, CryptoWall comes up with a DECRYPT_INSTRUCTION window with directions on accessing the CryptoWall Decryption Service, which is designed for accepting and processing the ransom payments. The connection to the respective server is established via Tor gateways, not the regular browser. The payments are to be submitted in Bitcoin only, every victim being provided with a unique address within this system. The initial sum equals 500 USD, which is the equivalent of about 1.3 Bitcoin. If the provided period expires, the amount doubles. The ransomware is also ‘kind enough’ to provide links to services for buying this currency on one of its screens. Also, it can decrypt one file for free as a ‘bonus’ to demonstrate that the data isn’t lost.
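The two paragraphs above describe the footprint the infection leaves behind: a ransom note dropped next to the data, and files that keep their original names but now hold ciphertext in place of their former content. The following script is an added example (not code from the article or from any security product it mentions) that shows how a responder can triage a drive for exactly that footprint. It assumes the note is written to disk under the DECRYPT_INSTRUCTION name the article cites (the HELP_DECRYPT alternative is an assumption from later samples), and it flags a file as an encrypted copy when it no longer starts with the header its extension promises, falling back to a byte-entropy check for plain-text formats that have no header. The demo folder it builds is constructed for the example.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# File names of the ransom note the article calls DECRYPT_INSTRUCTION; the
# HELP_DECRYPT variant is an assumption from later samples, not from the article.
RANSOM_NOTE_STEMS = {"DECRYPT_INSTRUCTION", "HELP_DECRYPT"}

# Expected leading bytes for common document and image formats. An encrypted
# copy keeps the original name but no longer starts with its format's header.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),
    ".xls": (b"\xd0\xcf\x11\xe0",),
}

# Plain-text formats have no header, so fall back to a byte-entropy check.
TEXT_EXTENSIONS = {".txt", ".csv", ".log"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
MIN_SAMPLE = 1024         # too little data makes the entropy estimate noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True when the file's content no longer matches what its extension promises."""
    suffix = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(65536)
    if suffix in MAGIC:
        return not any(head.startswith(magic) for magic in MAGIC[suffix])
    if suffix in TEXT_EXTENSIONS:
        return len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD
    return False  # unknown type: no verdict


def scan_tree(root):
    """Walk root; return (ransom notes, suspect files) as sorted root-relative paths."""
    root = Path(root)
    notes, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if path.stem.upper() in RANSOM_NOTE_STEMS:
                notes.append(rel)
            elif looks_encrypted(path):
                suspects.append(rel)
    return sorted(notes), sorted(suspects)


def build_sample_tree() -> Path:
    """Constructed demo folder: one note, two intact files, two encrypted-looking ones."""
    root = Path(tempfile.mkdtemp(prefix="cw_demo_"))
    rng = random.Random(2014)  # deterministic stand-in for ciphertext

    def junk(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "DECRYPT_INSTRUCTION.TXT").write_text("What happened to your files?\n")
    (root / "notes.txt").write_text("Meeting at 10, bring the invoices.\n" * 60)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + junk(2048))  # header intact
    (root / "scan.pdf").write_bytes(junk(4096))                          # header gone
    (root / "budget.txt").write_bytes(junk(4096))                        # text became noise
    return root


if __name__ == "__main__":
    found_notes, found_suspects = scan_tree(build_sample_tree())
    print("ransom notes :", found_notes)
    print("suspect files:", found_suspects)
```

The header check is deliberately preferred over entropy alone: JPEG, PDF and Office files are already compressed, so their byte entropy is close to that of ciphertext and an entropy-only scanner would flag every intact photo. A mismatch between extension and header is the signal that separates an intact file from its encrypted replacement. Run the scan read-only and from a clean machine; it only tells you which files were hit, it does not recover them.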

The latest version of the malware, launched in early October 2014 as CryptoWall 2.0, has a few extra features, such as its own Tor gateways rather than the third-party ones used in the previous variant, and more thorough shredding of the original files. Paying the ransom actually works and the information does get restored by the CryptoWall Decrypter app which is then made available, but that’s cold comfort to the user because it costs a pretty penny. Thus far, unfortunately, that’s the only reliably effective way to get the hijacked data back.

There is some light at the end of the tunnel, though. Keep in mind that eliminating the malware itself is unrelated to data decryption, but removal is still recommended. Furthermore, despite limited efficiency which depends on several factors, alternative methods for restoring the encrypted information do exist.

CryptoWall ransomware removal with automatic cleanup tool

Note: removing CryptoWall (including version 2.0) is not that hard in itself. In fact, the virus may even self-destruct after the files have been encrypted, leaving the victim face-to-face with the upsetting ransom payment options. Anyway, the ransomware should be removed from the computer as it may get you infected with other cyber threats. An optimal cleaning workflow is to leverage a security application which will identify all potentially malicious software on your computer and handle it the right way. This approach ensures thoroughness of the removal and system remediation, and allows avoiding unintended damage that might occur as a result of manual malware deletion.

1. Download and install CryptoWall removal software. Launch it and click the Start New Scan button. Wait for the application to check your computer for threats.

Download CryptoWall remover (for Windows)

2. When the app is done scanning your system, it will come up with an extensive list of detected objects. Click the Fix Threats option to have the utility completely remove this ransomware and affiliated infections found on your PC.

Alternative techniques to recover encrypted files

Given that CryptoWall, especially its new version 2.0, is an extremely complex and insidious malware, there is no guarantee that the files can be retrieved without submitting the Bitcoin ransom payment. There are some ways, however, that might be of help, even though they rely on a number of variables. Be sure to try the methods below.

1. Data backups
If you have been backing up your information, to the cloud for instance, you’re a lucky person. Just get the data restored using the respective features. It’s too bad not that many people can boast such prudence. All in all, this is the best case scenario.

2. Shadow Volume Copies
Even though CryptoWall tends to erase all Shadow Volume Copies of files on the compromised workstation, it might not cope with this task. If that’s the case, chances are you can recover your information. Note that this approach is applicable only if you had System Restore activated prior to the infection. Also, the files you can restore this way may not necessarily be the latest versions. Make sure you try one of the following methods though:

  • Take advantage of Previous Versions
    If you right-click a random file on your PC and select Properties in the drop-down menu, you will see the Previous Versions tab at the top of the window. Once you hit that tab, the operating system will display a list of file versions corresponding to the restore points that were made. Select the most recent one and click Copy to restore the file to a new location, or pick Restore to recover it to the directory it was originally in.
    (Screenshot: the Previous Versions tab)
  • Use ShadowExplorer app
    The routine above can be accomplished with a tool designed specifically to restore Shadow Volume Copies of files and folders. To proceed, download ShadowExplorer to your computer, install and launch it. Using the controls in the top left-hand part of the GUI, select the drive letter and the date. Right-click the file or folder you would like to restore and choose Export.
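Both the Previous Versions tab and ShadowExplorer depend on the same precondition: at least one shadow copy taken before the infection has survived the ransomware's attempt to wipe them. Before spending time on either method, it is worth checking that precondition directly from an elevated command prompt with `vssadmin list shadows`. The script below is an added example, not part of the article or of any tool it mentions, that parses that command's output and keeps only the copies that predate the infection. The sample output embedded in it is constructed; its layout and the US-style timestamp format are assumptions about how vssadmin prints on an English system, so adjust the date format if your locale differs.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output. The layout follows the
# tool's usual English-locale format but is an assumption, not a capture
# from an infected machine. GUIDs and host name are placeholders.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {0c1d2e3f-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 10/3/2014 8:15:22 PM
      Shadow Copy ID: {0c1d2e3f-0000-4000-8000-0000000000a1}
         Original Volume: (C:)\\?\Volume{0c1d2e3f-0000-4000-8000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {0c1d2e3f-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 10/8/2014 9:02:10 AM
      Shadow Copy ID: {0c1d2e3f-0000-4000-8000-0000000000a2}
         Original Volume: (C:)\\?\Volume{0c1d2e3f-0000-4000-8000-0000000000c0}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# What vssadmin prints when the ransomware's deletion of shadow copies succeeded.
NO_SHADOWS_OUTPUT = "No items found that satisfy the query.\n"

# One record per shadow copy: creation time, copy ID, source drive letter, device path.
SHADOW_RE = re.compile(
    r"Contained \d+ shadow copies at creation time: (?P<created>[^\n]+)\n"
    r"\s*Shadow Copy ID: (?P<id>\{[0-9a-fA-F-]+\})\n"
    r"\s*Original Volume: \((?P<letter>[A-Z]):\)[^\n]*\n"
    r"\s*Shadow Copy Volume: (?P<device>[^\n]+)"
)

# Assumed US-locale timestamp; change this if vssadmin prints dates differently.
TIMESTAMP_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_shadow_copies(output: str) -> list:
    """Turn raw vssadmin output into a list of dicts, oldest first."""
    copies = []
    for m in SHADOW_RE.finditer(output):
        copies.append({
            "created": datetime.strptime(m.group("created").strip(), TIMESTAMP_FORMAT),
            "id": m.group("id"),
            "volume": m.group("letter") + ":",
            "device": m.group("device").strip(),
        })
    return sorted(copies, key=lambda c: c["created"])


def copies_predating(output: str, infection_day: str) -> list:
    """Keep only copies taken before the infection (ISO date, e.g. '2014-10-07').

    A copy made after encryption ran would itself contain the encrypted files.
    """
    cutoff = datetime.fromisoformat(infection_day)
    return [c for c in parse_shadow_copies(output) if c["created"] < cutoff]


def mount_command(copy: dict, mount_point: str = r"C:\shadow") -> str:
    """Command to expose a copy read-only as a folder; mklink needs the trailing backslash."""
    return f'mklink /d {mount_point} {copy["device"]}\\'


if __name__ == "__main__":
    usable = copies_predating(SAMPLE_OUTPUT, "2014-10-07")
    if not usable:
        print("No pre-infection shadow copies survived; try file recovery tools instead.")
    for c in usable:
        print(f"{c['volume']} copy from {c['created']:%Y-%m-%d %H:%M}: {mount_command(c)}")
```

If the function returns an empty list, or vssadmin prints "No items found that satisfy the query.", the Previous Versions and ShadowExplorer routes are closed and section 3 is the remaining option. Otherwise, the printed mklink line links the chosen copy to a folder you can browse and copy files out of; copy to a different disk so you do not overwrite anything section 3 might still recover.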

3. File recovery tools
As mentioned in the ransomware profile above, CryptoWall deletes the original data objects and encrypts copies of them instead. Since a deleted file’s contents stay on the disk until the freed space is reused, why not try to recover them using software created for this purpose? One application capable of doing this is Data Recovery Pro. Run the tool and see if it can pull your deleted data out. Recovery works only as long as that freed space has not been overwritten, so use the affected drive as little as possible and save anything recovered to a different disk.

Double-checking never hurts

Last but not least, a quick reminder: removing CryptoWall from a compromised system doesn’t mean the files will get decrypted. To try to recover your data, stick to the methods above. That notwithstanding, since the ransomware itself is dangerous, it must be exterminated for good. To make sure CryptoWall has been removed, consider running an additional security scan to complete the cleanup procedure.

Download and install CryptoWall removal software (for Windows)

21 Responses to Decrypt and remove CryptoWall virus: Cryptowall 2.0 removal and decrypter

  1. Justin says:

    I recently found out that all my files, pictures, documents, etc. were encrypted through the CryptoWall 2.0 virus. I cannot see, read, or listen to any of my files. All information I see states that they want me to pay $500 to get the program to decrypt the files and get them back. Is there any workaround to get my files back without having to pay them this fee? Any help you can provide would be greatly appreciated.

  2. Aleš Tone says:

    All my files were encrypted by CryptoWall 2.0.
    Any help?

    Best, Aleš

    • admin says:

      Have you tried the instructions above? Use the tips to try and restore some of your encrypted files.

  3. JIm says:

    I paid ransom but did not get the key!! The address where I had communicated has disappeared and now I can’t get in touch with them anymore. Any suggestions? Anyone know how to contact them?

    • admin says:

      Sorry to hear that. To try and recover some of your files, consider using the Shadow Volume Copies method and the file recovery software outlined above.

  4. cie boogie says:

    hopefully it works

  5. ricky moore says:

    need help fix computer data loss

  6. Valued Team Member says:

    After all that great (scary) information, thank you BTW.. I’m strangely resistant to “clicking” on anything at this point, i.e. now or in the future. Is the “Download and Install..” link in this article a test? The irony is thick with this one. I think I will pass, no disrespect mind you.


    • admin says:

      Your fears are understandable, but you needn’t worry in this case. The program is a trusted security suite; it has helped quite a few of our site visitors in removing the bug. Again, getting rid of CryptoWall is merely part of the fix, because you will still need to recover the encrypted information. The article above covers a few workarounds to restore your files, so be sure to read it.

      Thanks for your feedback!

  7. john says:

    So I got hit with the CryptoWall 2.0 and at the time I only noticed because my internet connection was extremely slow and that made me start looking into it. When I noticed the PC was infected I disconnected the Ethernet cable from the computer. Now that was 2 months ago. This PC is really only used for Photoshop and now I am trying to recover my jpegs. Some of them are still there and I want to try to connect the drive to a different PC to see what I can recover. Or if I do that, will CryptoWall 2.0 invade the PC I move the jpegs onto?

    • admin says:

      Make sure the PC you are about to move your images to has reliable up-to-date security software running in real-time protection mode.

  8. Manfred Stadler says:

    Got the CryptoWall virus a few months ago during a business trip in the US.
    I hope you can help me to decrypt a few important files; I did not have a backup.

  9. Darlene Martin says:

    Cannot open any files. It says all my files are being protected by encryption with RSA-2048 using CryptoWall 2.0.

    • admin says:

      That’s what this tutorial is for, so please read the instructions and give them a shot.

  10. Mohamed alhasan says:

    Thank you, it was useful.
    My device was infected.

  11. Dan says:

    Had a customer infected with CryptoWall 3.0. Tried all the suggestions here... unfortunately they had no shadow copy and previous versions were not available. They had no backup and wanted to pay the ransom. Paid the $500. Received a decrypt key a few hours later. Decrypt finds the database it created when it first ran and asks if you want to autorun. It then starts throwing errors and does not decrypt any of the files. So even if you pay there is no guarantee you will get your files back.

  12. Rob says:

    Two questions,

    Is CryptoWall Remover safe to download?

    Most of my corrupted data is on a thumb drive. None of these options apply to thumb drives. Will CryptoWall Remover repair a thumb drive? What else can I do for a corrupted thumb drive?

    • admin says:

      Hi Rob,
      Yes, the remover is safe to download and use, and yes, it will remove CryptoWall proper. As mentioned in the article, though, removal of the virus doesn’t lead to automatic file recovery, so use the workarounds described in the article. In the case of the thumb drive, try the file recovery tool (section 3).
      Thanks for your comment.

  13. Nicky says:

    Hi admin,
    I’m Nicky from China. I got hit by the virus this morning; I’m trying SpyHunter now. I’m worried that the virus has been upgraded...
    Scanning and waiting for good results.
