Table of Contents
- 1 What is CryptoWall?
- 2 Information about CryptoWall 2.0
- 3 Information about CryptoWall 3.0
- 4 Information about CryptoWall 4.0
- 5 What should you do when you discover your computer is infected with CryptoWall?
- 6 Is it possible to decrypt files encrypted by CryptoWall?
- 7 How to find files that have been encrypted by CryptoWall
- 8 CryptoWall and Network Shares
- 9 How to restore files encrypted by CryptoWall
- 10 How to restore files encrypted by CryptoWall using Shadow Volume Copies
- 11 How to restore files that have been encrypted on DropBox folders
- 12 The CryptoWall Decryption Service
- 13 Will paying the ransom actually decrypt your files?
- 14 How to prevent your computer from becoming infected by CryptoWall
- 15 How to allow specific applications to run when using Software Restriction Policies
CryptoWall is a file-encrypting ransomware program that was released around the end of April 2014 and targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. The media commonly confuses CryptoWall with the CryptoLocker infection, when it is much more similar to the CryptoDefense ransomware. The most apparent similarity is that CryptoWall's Decryption Service is almost identical to the one for CryptoDefense. In October 2014, the malware developers released a new version of CryptoWall called CryptoWall 2.0. This new version included some additional changes that are described in the next section.
When you are first infected with CryptoWall it will scan your computer for data files and "encrypt" them using RSA encryption so they can no longer be opened. Once the infection has encrypted the files on your computer's drives it will open a Notepad window that contains instructions on how to access the CryptoWall Decryption Service, where you can pay a ransom to purchase a decryption program. The ransom cost starts at $500 USD and after 7 days goes up to $1,000. This ransom must be paid in Bitcoins and sent to a Bitcoin address that changes per infected user.
CryptoWall is distributed via emails with ZIP attachments that contain executables that are disguised as PDF files. These PDF files pretend to be invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will instead infect your computer with the CryptoWall infection and install malware files either in the %AppData% or %Temp% folders. Once infected the installer will start to scan your computer's drives for data files that it will encrypt. When the infection is scanning your computer it will scan all drive letters on your computer including removable drives, network shares, or even DropBox mappings. In summary, if there is a drive letter on your computer it will be scanned for data files by CryptoWall.
When CryptoWall detects a supported data file it will encrypt it and then add the full path to the file as a value under the HKEY_CURRENT_USER\Software\<random>\CRYPTLIST Registry key. It will also create the DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.URL (or INSTALL_TOR.URL if infected with CryptoWall 2.0), and DECRYPT_INSTRUCTION.HTML files in each folder where files were encrypted and on the Windows desktop. The DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files contain information about what happened to your data, and the DECRYPT_INSTRUCTION.URL is a browser shortcut to your assigned decryption page on the infection's decryption service, which is discussed later in this guide.
When the infection has finished scanning your computer it will also delete all of the Shadow Volume Copies that are on the affected computer. It does this because you can potentially use shadow volume copies to restore your encrypted files. The command that is run to clear the Shadow Volumes is:
"C:\Windows\SYsWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
Now that your computer's data has been fully encrypted, it will display the DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files that were created on your Desktop. These files contain information about what has happened to your data and instructions on how to pay the ransom. In most cases, once CryptoWall launches these documents it will remove the infection files from your computer as they are no longer necessary.
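The vssadmin command shown above is one of the few actions in this chain that a defender can catch in process-creation telemetry before the ransom note appears. The following Python routine is an added example (not part of the original guide, and not a BleepingComputer tool): it scans constructed process-creation records, flags any "vssadmin delete shadows" command line, and raises the severity when the /All switch is present or when the parent process lives in a user-writable folder such as %AppData%, where this guide says the dropper runs. The log layout, host names, and the dropper file name are made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records for the example (not real telemetry).
# Field layout: timestamp|host|parent_image|image|command_line
SAMPLE_LOG = """\
2015-11-09T10:12:01|WS-017|C:\\Users\\alice\\AppData\\Roaming\\k3v9x.exe|C:\\Windows\\SysWOW64\\cmd.exe|"C:\\Windows\\SysWOW64\\cmd.exe" /C "C:\\Windows\\Sysnative\\vssadmin.exe" Delete Shadows /All /Quiet
2015-11-09T10:12:01|WS-017|C:\\Windows\\SysWOW64\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|"C:\\Windows\\Sysnative\\vssadmin.exe" Delete Shadows /All /Quiet
2015-11-09T09:30:44|WS-017|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2015-11-09T08:05:10|SRV-BK1|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /for=D: /oldest
"""

# Matches "vssadmin delete shadows" whether the binary is quoted, carries .exe, or differs in case.
VSSADMIN_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)
ALL_SWITCH = re.compile(r'/all\b', re.IGNORECASE)
# Parent images under %AppData% or %Temp% are where the guide says the CryptoWall dropper runs from.
USER_WRITABLE_PARENT = re.compile(r'\\appdata\\|\\temp\\', re.IGNORECASE)


def parse_record(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record; the command line may itself contain '|'."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"timestamp": ts, "host": host, "parent": parent, "image": image, "command_line": cmd}


def classify(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert dict for a shadow-copy deletion, or None for anything else."""
    cmd = record["command_line"]
    if not VSSADMIN_DELETE.search(cmd):
        return None
    if ALL_SWITCH.search(cmd):
        severity = "high"      # wiping every snapshot is rarely legitimate administration
    else:
        severity = "medium"    # targeted deletions (/for=..., /oldest) occur in backup housekeeping
    if USER_WRITABLE_PARENT.search(record["parent"]):
        severity = "critical"  # launched by something in a user-writable folder, as CryptoWall does
    return {
        "timestamp": record["timestamp"],
        "host": record["host"],
        "severity": severity,
        "parent": record["parent"],
        "command_line": cmd,
    }


def detect_shadow_deletion(log_text: str) -> List[Dict[str, str]]:
    """Run the classifier over every non-empty record and collect the alerts in input order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = classify(parse_record(line))
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_LOG):
        print(f'{alert["severity"]:8} {alert["host"]} parent={alert["parent"]} :: {alert["command_line"]}')
```

Both the cmd.exe record and the child vssadmin.exe record fire, which is intentional: depending on the sensor, only one of the two may be logged. The "vssadmin list shadows" record is ignored, and the backup server's targeted deletion is kept at medium so it can be triaged rather than paged on.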
Information about CryptoWall 2.0
In October 2014 the malware developers released CryptoWall 2.0, which resolved some problems in the original version. These changes include developer run Web-to-TOR gateways, unique bitcoin addresses for each victim, and secure deletion of original unencrypted files. These changes are described below:
Unique bitcoin payment addresses - The original CryptoWall utilized the same bitcoin payment address for many of its victims. This allowed people to steal the payment transactions from other victims' payments and use them towards their own ransom payment. By utilizing unique payment addresses for each victim it is no longer possible to steal other people's ransom payments.
Developer run Web-to-TOR gateways - In the past, the CryptoWall developers were utilizing other organization's Web-to-TOR gateways so that victims could access their payment servers that are located on TOR. When these organizations discovered that CryptoWall was utilizing them, they blacklisted the CryptoWall payment servers so that could not be reached. To resolve this, the CryptoWall developers appear to have created their own gateways to TOR. These gateways are currently operating under the following domains: tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com.
Secure deletion of original data files - When CryptoWall originally encrypted a file it would simply delete the original version. This made it sometimes possible to use data recovery tools to restore the original unencrypted files. CryptoWall 2.0 now utilizes a secure deletion method that makes it no longer possible to recover your files via data recovery tools.
Information about CryptoWall 3.0
After a lull in CryptoWall infections at the end of 2014, in January 2015 the malware developers released a new version called CryptoWall 3.0. There were only a few minor changes in CryptoWall 3.0 such as an increase in the initial ransom deadline, new filenames, and new TOR gateways. Other than that, this infection is the same as its predecessor CryptoWall 2.0. Detailed information about the changes in CryptoWall 3.0 are discussed below:
New Ransom Note files - In CryptoWall 3.0 the developers introduced new file names for their ransom notes. These files are located in every folder where a file was encrypted as well as in the user's Startup folder so that they are automatically displayed when a user logs in. The new file names are HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT, and HELP_DECRYPT.URL.
Developer run Web-to-TOR gateways - The new TOR gateways currently used by CryptoWall 3.0 are torforall.com, torman2.com, torwoman.com, and torroadsters.com.
Ransom Deadline increased - It appears that the deadline for the initial payment price has increased to 7 days. If you miss the 7 day deadline, the ransom amount will increase.
Information about CryptoWall 4.0
In the beginning of November 2015 the developers of CryptoWall released a new version that we have called CryptoWall 4.0. Compared to the previous version, there were some significant changes in this version such as filenames now being encrypted, more robust Shadow Volume Copy deletion, new ransom note filenames, new payment gateways, and a redesign of the HTML ransom note. Detailed information about the changes in CryptoWall 4.0 are discussed below:
Encrypted Filenames - CryptoWall 4.0 will now encrypt the actual filename of an encrypted file as well as the data contained in it. Each encrypted file will have a unique name that looks like random characters. Example encrypted filenames look like 27p9k967z.x1nep or 9242on6c.6la9. You can see a screenshot of what a folder looks like after being encrypted by CryptoWall 4.0.
Redesigned HTML and TXT ransom notes - The ransom notes have been redesigned in such a way that the wording has become more arrogant and the devs toy with the users. The ransom note is very large, so we have broken it up into 2 parts below.
New Ransom Note filenames - In CryptoWall 4.0 the developers introduced new file names for their ransom notes. These files are located in every folder where a file was encrypted as well as in the user's Startup folder so that they are automatically displayed when a user logs in. The new file names are HELP_YOUR_FILES.PNG, HELP_YOUR_FILES.HTML, and HELP_YOUR_FILES.TXT.
New Payment Gateways - CryptoWall 4.0 introduces new gateways to the TOR Decrypt Service site. The current payment sites are 3wzn5p2yiumh7akj.partnersinvestpayto.com, 3wzn5p2yiumh7akj.marketcryptopartners.com, 3wzn5p2yiumh7akj.forkinvestpay.com, 3wzn5p2yiumh7akj.effectwaytopay.com, and 3wzn5p2yiumh7akj.onion (TOR Only).
What should you do when you discover your computer is infected with CryptoWall?
If you discover that your computer is infected with CryptoWall you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CryptoWall is on their computer until it displays the ransom note and your files have already been encrypted. The scans, though, will at least detect and remove any other malware that may have been installed along with CryptoWall.
Some of the locations where associated malware has been found are:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
Is it possible to decrypt files encrypted by CryptoWall?
Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key. Also, any decryption tools that have been released by various companies will not work with this infection. The only methods you have of restoring your files are from a backup, file recovery tools, or, if you're lucky, from Shadow Volume Copies.
How to find files that have been encrypted by CryptoWall
When CryptoWall encrypts a file it will store the file and its path as a value in the Windows Registry. The location of the subkey is in the following format:
HKCU\Software\<unique computer id>\<random id>
With an actual example being HKCU\Software\03DA0C0D2383CCC2BC8232DD0AAAD117\01133428ABDEEEFF. CryptoWall will then create a value for each file that it encrypts under this key.
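Because the registry holds the list of encrypted files, the inventory can also be pulled from an offline export ("reg export HKCU\Software export.reg" run on the infected machine) rather than on the live system. The Python script below is an added example, not part of the original guide and not ListCwall: it parses a constructed .reg export, picks out the subkey whose value names are all absolute file paths (the shape described above), and summarizes the hits per folder and per drive letter so you can see at a glance which mapped network shares were touched. The key identifiers are the ones quoted above; the file paths, the decoy key, and the DWORD data are constructed for the example.

```python
import ntpath
import re
from collections import Counter
from typing import Dict, List

# Constructed "reg export" output for the example (not a real capture). The value names
# are the encrypted files' full paths; the DWORD data is a placeholder. The "Example" key
# is a decoy that a naive "every value under HKCU\Software" scan would wrongly include.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example]
"InstallPath"="C:\\Program Files\\Example"

[HKEY_CURRENT_USER\Software\03DA0C0D2383CCC2BC8232DD0AAAD117]

[HKEY_CURRENT_USER\Software\03DA0C0D2383CCC2BC8232DD0AAAD117\01133428ABDEEEFF]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000001
"C:\\Users\\alice\\Documents\\report.docx"=dword:00000001
"C:\\Users\\alice\\Pictures\\holiday.jpg"=dword:00000001
"Z:\\Shared\\contracts\\nda.pdf"=dword:00000001
"""

SECTION = re.compile(r"^\[(.+)\]$")
# A value line: "name"=data, where name may contain escaped quotes and backslashes.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def unescape_reg(name: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " inside a quoted value name."""
    return re.sub(r"\\(.)", r"\1", name)


def parse_reg_export(text: str) -> Dict[str, List[str]]:
    """Map each [key] section to the list of its (unescaped) value names."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = VALUE.match(line)
        if m and current is not None:
            sections[current].append(unescape_reg(m.group(1)))
    return sections


def find_encrypted_files(text: str) -> Dict[str, List[str]]:
    """Keep only keys whose value names are all absolute paths: the CryptoWall file list shape."""
    return {
        key: names
        for key, names in parse_reg_export(text).items()
        if names and all(DRIVE_PATH.match(n) for n in names)
    }


def summarize_by_folder(paths: List[str]) -> Counter:
    return Counter(ntpath.dirname(p) for p in paths)


def summarize_by_drive(paths: List[str]) -> Counter:
    return Counter(ntpath.splitdrive(p)[0].upper() for p in paths)


def format_report(found: Dict[str, List[str]]) -> str:
    """Render a ListCwall.txt-style report: one line per encrypted file, grouped by key."""
    lines = []
    for key, paths in found.items():
        lines.append(f"[{key}] {len(paths)} encrypted files")
        lines.extend(sorted(paths))
        lines.append("Per drive: " + ", ".join(f"{d} {n}" for d, n in sorted(summarize_by_drive(paths).items())))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_encrypted_files(SAMPLE_REG_EXPORT)))
```

ntpath is used instead of os.path so the Windows paths are split correctly even when the export is analysed on a Linux forensics box. The per-drive summary is the part worth reading first after an incident: a Z: entry means a mapped share was encrypted and the share's other users need to be told.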
BleepingComputer.com has created a tool called ListCwall that automates the finding and exporting the list of encrypted files from an infected computer. This tool will also allow you to backup the encrypted files to another location in the event that you want to archive the encrypted files and reformat the machine.
ListCwall can be downloaded from this URL: https://www.bleepingcomputer.com/download/listcwall/
To use the tool, simply double-click on it and let the program run. ListCwall will search for the registry key that contains the encrypted files and then export them to the ListCwall.txt file on your desktop.
ListCwall also contains advanced features that are useful for consultants and enterprise environments. These flags are described below and should be used from an Elevated Command Prompt:
The -h flag will list the help file for ListCwall.
The -q flag will suppress the output of the ListCwall program.
The -m flag will backup the files by moving them to a default folder of %Desktop%\ListCWall_Backup or to a user specified folder. This flag can be used with the -b flag to specify a different backup folder.
The -c flag will backup the files by copying them to a default folder of %Desktop%\ListCWall_Backup or to a user specified folder. This flag can be used with the -b flag to specify a different backup folder.
The -b flag will allow you to specify the specific backup folder you would like to use.
The -l flag will allow you to specify a custom log file rather than the default one of %Desktop%\ListCwall.txt.
Last, but not least, the ComputerName and UserName of the person running the tool will be added to the ListCwall log. This is useful in situations where you do not know the computer that has the CryptoWall infection. If you add ListCwall to a domain login script, you will be able to see the logs that are made and what computers they came from.
For a full list of command-line arguments, you can use the -h flag.
CryptoWall and Network Shares
CryptoWall will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CryptoWall will not encrypt any files on a network share.
It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CryptoWall.
How to restore files encrypted by CryptoWall
If your files have become encrypted and you are not going to pay the ransom then there are a few methods you can try to restore your files.
Method 1: Backups
The first and best method is to restore your data from a recent backup. If you have been performing backups, then you should use your backups to restore your data.
Method 2: File Recovery Software
When CryptoWall encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you can use file recovery software such as R-Studio or Photorec to possibly recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.
Method 3: Shadow Volume Copies
As a last resort, you can try to restore your files via Shadow Volume Copies. Unfortunately, this infection will attempt to delete any Shadow Volume Copies on your computer, but sometimes it fails to do so and you can use them to restore your files. For more information on how to restore your files via Shadow Volume Copies, please see the link below:
How to restore files encrypted by CryptoWall using Shadow Volume Copies
Method 4: Restore DropBox Folders
If you had your dropbox account mapped as a drive letter then it is possible that its contents were encrypted by CryptoWall. If this is the case you can use the link below to learn how to restore your files.
How to restore files that have been encrypted on DropBox folders
How to restore files encrypted by CryptoWall using Shadow Volume Copies
If you had System Restore enabled on the computer, Windows creates shadow copy snapshots that contain copies of your files from the point in time when the system restore snapshot was created. These snapshots may allow us to restore a previous version of our files from before they had been encrypted. This method is not foolproof, though, as even though these files may not be encrypted they also may not be the latest version of the file. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.
In this section we provide two methods that you can use to restore files and folders from the Shadow Volume Copy. The first method is to use native Windows features and the second method is to use a program called ShadowExplorer. It does not hurt to try both and see which methods work better for you.
Using native Windows Previous Versions:
To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.
To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.
This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tabs. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.
Using Shadow Explorer:
You can also use a program called ShadowExplorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.
To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.
How to restore files that have been encrypted on DropBox folders
If you have DropBox mapped to a drive letter on an infected computer, CryptoWall will attempt to encrypt the files on the drive. DropBox offers free versioning on all of its accounts that will allow you to restore encrypted files through their website. Unfortunately, the restore process offered by DropBox only allows you to restore one file at a time rather than a whole folder. If you need instructions on restoring an entire folder in DropBox, please click here.
To restore a file, simply login to the DropBox web site and navigate to the folder that contains the encrypted files you wish to restore. Once you are in the folder, right-click on the encrypted file and select Previous Versions as shown in the image below.
When you click on Previous versions you will be presented with a screen that shows all versions of the encrypted file.
Select the version of the file you wish to restore and click on the Restore button to restore that file.
Unfortunately, the process outlined above can be very time consuming if there are many folders to restore. In order to restore an entire folder of encrypted files, you can use the dropbox-restore python script located here. Please note that this script requires Python to be installed on the encrypted computer to execute the script. Instructions on how to use this script can be found in the README.md file for this project.
The CryptoWall Decryption Service
The developers of CryptoWall created a TOR web site where victims can pay the ransom to decrypt their files. This web site is titled the CryptoWall Decryption Service and allows you to get information about your infected files, offers a free decryption of one file, and, believe it or not, actually contains a support form. Links to this site can be found in the DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.URL, and DECRYPT_INSTRUCTION.HTML files that are created in each folder where a file was encrypted. Once you visit the site you can pay the ransom, which is currently $500 USD, by sending Bitcoins to a specified address.
Once a payment is made it must have a certain amount of bitcoin confirmations before your private key and a decrypter will be made available for download. Once these confirmations have occurred a download link will be displayed that will allow you to download a standalone decrypter. This decrypter can be used to scan for and decrypt encrypted files.
Will paying the ransom actually decrypt your files?
Yes, paying the ransom will allow you to download a decrypter that will decrypt your files. Once you pay the ransom and it is verified, a link will be made available where you can download the decrypter and your personal decryption key. You can then use the program to start decrypting your files. Please note that the decryption process can take quite a bit of time.
How to prevent your computer from becoming infected by CryptoWall
You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:
http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx
The file paths that have been used by this infection and its droppers are:
C:\<random>\<random>.exe
C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
%Temp%
To block CryptoWall, create Path Rules for these locations so that executables in them are not allowed to run. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually using the Local Security Policy Editor or the Group Policy Editor. Both methods are described below.
How to use the CryptoPrevent Tool:
FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed above to your computer. This makes it very easy for anyone using Windows XP SP 2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptoWall and Zbot from being executed in the first place. This tool is also able to set these policies in all versions of Windows, including the Home versions.
A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.
You can download CryptoPrevent from the following page:
For more information on how to use the tool, please see this page:
Once you run the program, simply click on the Apply Protection button to add the default Software Restriction Policies to your computer. If you wish to customize the settings, then please review the checkboxes and change them as necessary. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button.
How to manually create Software Restriction Policies to block CryptoWall:
In order to manually create the Software Restriction Policies you need to be using Windows Professional or Windows Server. If you want to set these policies for a particular computer you can use the Local Security Policy Editor. If you wish to set these policies for the entire domain, then you need to use the Group Policy Editor. Unfortunately, if you are a Windows Home user, the Local Policy Editor is not available and you should use the CryptoPrevent tool instead to set these policies. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide we will use the Local Security Policy Editor in our examples.
Once you open the Local Security Policy Editor, you will see a screen similar to the one below.
Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. To do this click on the Action button and select New Software Restriction Policies. This will then enable the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category and then right-click in the right pane and select New Path Rule.... You should then add a Path Rule for each of the items listed below.
If the Software Restriction Policies cause issues when trying to run legitimate applications, you should see this section on how to enable specific applications.
Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.
Block CryptoWall executable in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block CryptoWall executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %LocalAppData%.

Block Zbot executable in %AppData%
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block Zbot executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %LocalAppData%.

Block executables run from archive attachments opened with WinRAR
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
You can see an event log entry and alert showing an executable being blocked:
If you need help configuring this, feel free to ask in the CryptoWall help topic.
How to allow specific applications to run when using Software Restriction Policies
If you use Software Restriction Policies, or CryptoPrevent, to block CryptoWall you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.
Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.
Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.
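Before rolling these rules out, it helps to predict which executables they will stop and confirm that an Unrestricted rule for a legitimate program really wins over the blanket Disallowed rules. The Python model below is an added example, not part of the original guide and not how Windows implements SRP internally: it takes the Vista/7/8 Path Rules from the section above plus one Unrestricted rule for a hypothetical "ExampleSync" client installed under the user profile, expands the environment variables with a constructed profile for a user named alice, matches wildcards within a single path segment (which is why the guide needs a separate "*\*.exe" rule for immediate subfolders), and, when several rules match, applies a simplified version of SRP precedence in which the rule with the most literal characters is the most specific and wins. The user name, the ExampleSync application and the tested file names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    path: str         # as typed into the Path field: may contain %Var% and the wildcards * and ?
    level: str        # Security Level
    description: str


# The Vista/7/8 Path Rules from this guide, plus one hypothetical Unrestricted rule.
RULES: List[PathRule] = [
    PathRule(r"%AppData%\*.exe", DISALLOWED, "Don't allow executables to run from %AppData%."),
    PathRule(r"%LocalAppData%\*.exe", DISALLOWED, "Don't allow executables to run from %LocalAppData%."),
    PathRule(r"%AppData%\*\*.exe", DISALLOWED, "Immediate subfolders of %AppData%."),
    PathRule(r"%LocalAppData%\*\*.exe", DISALLOWED, "Immediate subfolders of %LocalAppData%."),
    PathRule(r"%LocalAppData%\Temp\Rar*\*.exe", DISALLOWED, "Archive attachments opened with WinRAR."),
    PathRule(r"%LocalAppData%\Temp\7z*\*.exe", DISALLOWED, "Archive attachments opened with 7zip."),
    PathRule(r"%LocalAppData%\Temp\wz*\*.exe", DISALLOWED, "Archive attachments opened with WinZip."),
    PathRule(r"%LocalAppData%\Temp\*.zip\*.exe", DISALLOWED, "Archive attachments opened with built-in Zip support."),
    # Hypothetical allow rule for a program that installs itself under the user's profile.
    PathRule(r"%LocalAppData%\ExampleSync\ExampleSync.exe", UNRESTRICTED, "Allow the (hypothetical) ExampleSync client."),
]

# Constructed Vista/7/8 environment for a user named alice.
ENV: Dict[str, str] = {
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
}


def expand_env(pattern: str, env: Dict[str, str]) -> str:
    """Replace %Var% tokens case-insensitively; unknown variables are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), pattern)


def rule_regex(expanded: str) -> "re.Pattern[str]":
    """Translate a path pattern to a regex whose wildcards never cross a backslash."""
    parts = []
    for ch in expanded:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def specificity(expanded: str) -> int:
    """Simplified SRP precedence: more literal characters means a more specific rule."""
    return len(expanded.replace("*", "").replace("?", ""))


def evaluate(exe_path: str, rules: List[PathRule], env: Dict[str, str]) -> Tuple[str, Optional[PathRule]]:
    """Return (security level, winning rule); no match falls back to the assumed Unrestricted default."""
    best: Optional[Tuple[int, PathRule]] = None
    for rule in rules:
        expanded = expand_env(rule.path, env)
        if rule_regex(expanded).match(exe_path):
            score = specificity(expanded)
            if best is None or score > best[0]:
                best = (score, rule)
    if best is None:
        return UNRESTRICTED, None
    return best[1].level, best[1]


if __name__ == "__main__":
    for candidate in [
        r"C:\Users\alice\AppData\Roaming\k3v9x.exe",                          # dropper in %AppData%
        r"C:\Users\alice\AppData\Local\Temp\Rar$EX01.234\invoice.pdf.exe",    # opened from a RAR attachment
        r"C:\Users\alice\AppData\Local\ExampleSync\ExampleSync.exe",          # whitelisted legitimate app
        r"C:\Program Files\Example\app.exe",                                  # outside every rule
    ]:
        level, rule = evaluate(candidate, RULES, ENV)
        print(f"{level:12} {candidate}  <- {rule.path if rule else 'no rule (default level)'}")
```

The ExampleSync case is the one to study: it matches the Disallowed "%LocalAppData%\*\*.exe" rule as well as its own Unrestricted rule, and the more specific rule decides, which is exactly the behaviour this section relies on. Running the model against the install paths of the applications you actually deploy, before applying the policy, tells you which ones will need an Unrestricted rule.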