After a long time of finding a sample of Cryptowall and trying to get
it to work, I have finally been able to get it to work for me.
Therefore I can now create some kind of guide for it.
Cryptowall is a piece of ransomware that encrypts files much in the style of CryptoLocker. Files are encrypted with a 2048 bit RSA key, which makes it almost impossible to decrypt the files it encrypts without both the public and private key.

Cryptowall is spread via zip file attachments that arrive by email. Once it is placed on your computer, it starts encrypting your files.

Once the encryption is done, a notepad window opens titled "DECRYPT_INSTRUCTION.TXT". It contains information on how to access the Cryptowall Decryption Service, where you can pay a ransom to decrypt your files.

The price of this ransom depends on how long your files have been encrypted for, and it must be paid in Bitcoin, a well known online cryptocurrency.
At this point, there are three methods I know of to get your encrypted files back without paying the ransom demand.
Method #1: Backups.

Backups of your files are the only surefire way to protect yourself against malware. These backups should either be in the cloud or an offline backup, such as on a flash drive or external hard drive.
Method #2: File Recovery Software.

When Cryptowall encrypts a file, it makes a copy of the unencrypted file first. It then encrypts the copy and deletes the original file. Because of this, it may be possible to recover your files using a file recovery tool such as:
R-Studio: http://www.r-studio.com/
Or PhotoRec: http://www.cgsecurity.org/wiki/PhotoRec
However, the longer your files have been encrypted, the less likely it is that you can use file recovery software to recover them, since the deleted originals get overwritten by normal disk activity.
Method #3: Shadow Volume Copies

When Cryptowall is placed on your computer, it attempts to delete Shadow Copies of your files in an effort to make it harder for you to restore them. But depending on some unknown factors, it sometimes fails to do this.

If that is the case, you might be able to restore a file by right clicking the encrypted file and clicking Properties. From here you should click on the Previous Versions tab to see if there are any Shadow Copies of the file available.

If there are copies, click on the copy you wish to restore from and click the Copy button. From here you will select where to save the file to. Repeat this process with all your encrypted files.
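The Previous Versions steps above can also be scripted, which is handy when you have many files to check. This is an added PowerShell example, not from the original post; it assumes an elevated session and the placeholder paths in $EncryptedFile and $RestoreDir.

```powershell
# Added example (not from the original post): list the Volume Shadow Copies
# for the drive holding an encrypted file and copy the pre-encryption version
# out of the newest snapshot. Run in an elevated PowerShell session.
$EncryptedFile = 'C:\Users\Alice\Documents\report.docx'   # constructed placeholder
$RestoreDir    = 'C:\Recovered'                            # constructed placeholder

# Map the drive letter (e.g. C:) to the \\?\Volume{...}\ name that VSS uses.
$volume     = (Get-Item $EncryptedFile).PSDrive.Root        # e.g. C:\
$volumeName = (Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveLetter -eq $volume.TrimEnd('\') }).DeviceID

# Snapshots for that volume, newest first. An empty list means the ransomware
# managed to delete them and this method will not work for this drive.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeName } |
    Sort-Object InstallDate -Descending
if (-not $shadows) { Write-Warning "No shadow copies found for $volume"; return }
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# Expose the newest snapshot as a directory through a symlink. The trailing
# backslash on the device path is required by mklink.
$link = Join-Path $env:TEMP 'vss_newest'
if (Test-Path $link) { cmd /c rmdir $link }
cmd /c mklink /d $link "$($shadows[0].DeviceObject)\" | Out-Null

# Copy the snapshot's copy of the file, i.e. the version from before encryption.
$relative = $EncryptedFile.Substring($volume.Length)      # Users\Alice\Documents\report.docx
$source   = Join-Path $link $relative
New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
if (Test-Path $source) {
    Copy-Item $source (Join-Path $RestoreDir (Split-Path $relative -Leaf))
    Write-Host "Restored $relative from snapshot taken $($shadows[0].InstallDate)"
} else {
    Write-Warning "$relative is not present in the newest snapshot"
}
cmd /c rmdir $link   # remove the symlink; the snapshot itself is untouched
```

Open the restored copy and confirm it is readable before deleting anything; a snapshot taken after the infection will only contain the encrypted version.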
Whatever method you use, you want to verify
that you actually CAN do it before taking any further action. And I
would recommend getting rid of the actual ransomware, but saving the
decryption info in the unfortunate event that you actually have to pay
to decrypt your files.
This is a process that I will be publishing
a blog post about soon, along with any further information I have found
from my testing of this ransomware.
And even if you are not
infected with Cryptowall, you might want to stay tuned as what I will
cover in the next few blog posts might also work with other file encrypting
ransomware. Cryptowall is not to be confused with CryptoDefense.
This is another piece of file encrypting ransomware that I will be
covering shortly.