About CryptoWall ransomware
The CryptoWall virus is a relatively new type of ransomware. It first appeared in early 2014 and uses a number of techniques, such as AES encryption and a unique CHM infection mechanism. This particular ransomware appeared right after another representative of the family, CryptoLocker, was shut down. It goes under different names, such as CryptoDefense, Cryptorbit, CryptoWall 2.0, CryptoWall 3.0 and CryptoWall 4.0.
All versions of this ransomware make wide use of exploit kits, spam and malicious advertising to infect a user's system. CryptoWall developed from its early variants to the latest one and became more complicated and harder to analyze. For example, the first version of this virus used an RSA public key, generated on the command and control server, for file encryption. More advanced versions use an AES key for file encryption and then encrypt that AES key with a unique public key generated on the server. Because of this, it is impossible to recover the actual decryption key.
As mentioned above, CryptoWall used exploit kits to infect a computer. The new version of this ransomware uses spam attachments containing CHM files. The user needs to download and open the file manually to get infected.
Here is an example of the spam attachment:
How it works
The CryptoWall virus starts by creating a new explorer.exe process, injecting its unpacked CryptoWall binary into it and executing the injected code. After that, the virus deletes all volume shadow copies on the system, so you are not able to recover the encrypted files from them.
After that, the encryption process starts. Here is the full list of file extensions that will be encrypted by this virus:
xls, wpd, wb2, txt, tex, swf, sql, rtf, RAW, ppt, png, pem, pdf, pdb, PAS, odt, obj, msg, mpg, mp3, lua, key, jpg, hpp, gif, eps, DTD, doc, der, crt, cpp, cer, bmp, bay, avi, ava, ass, asp, js, py, pl, db, c, h, ps, cs, m, rm.
Once all the files are encrypted, CryptoWall shows the user the following note:
This ransom demand is written into several files with “DECRYPT_INSTRUCTIONS” in their file names, which are opened in three different applications: a text file in the text editor, a PNG image in the image viewer and an HTML page in the default web browser.
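The behaviour described above (shadow copy deletion, encryption of the listed extensions, and the DECRYPT_INSTRUCTIONS note files) is enough to build a small triage check. The following Python script is an added example written for this article; it is not GridinSoft's code and not part of the original post. It reproduces the article's extension list and note-name marker, and it assumes two things the article does not state: that shadow copies are removed through the built-in Windows vssadmin utility, and a simple one-line-per-event process-creation log format. The file paths and log lines are constructed sample data.

```python
"""Triage helpers for CryptoWall-style activity (added example, not vendor code)."""
import ntpath
import re
from dataclasses import dataclass, field

# File extensions listed in the article, compared case-insensitively.
TARGETED_EXTENSIONS = frozenset("""
xls wpd wb2 txt tex swf sql rtf raw ppt png pem pdf pdb pas odt obj msg mpg mp3
lua key jpg hpp gif eps dtd doc der crt cpp cer bmp bay avi ava ass asp js py pl
db c h ps cs m rm
""".split())

# Substring the article reports in the ransom-note file names.
RANSOM_NOTE_MARKER = "decrypt_instructions"

# Assumption (not stated on the page): shadow copies are removed with the
# built-in vssadmin utility, so a process-creation record matching this
# pattern is treated as the "delete all volume shadow copies" step.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


@dataclass
class TriageReport:
    ransom_notes: list = field(default_factory=list)
    at_risk_files: list = field(default_factory=list)
    shadow_delete_events: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A ransom note or a shadow-copy wipe is a strong signal on its own;
        # at-risk files alone are just the normal contents of a user profile.
        return bool(self.ransom_notes or self.shadow_delete_events)


def is_ransom_note(path: str) -> bool:
    """True when the file name carries the DECRYPT_INSTRUCTIONS marker."""
    # ntpath handles Windows-style paths even when this runs on another OS.
    return RANSOM_NOTE_MARKER in ntpath.basename(path).lower()


def is_targeted_file(path: str) -> bool:
    """True when the extension is one the article says CryptoWall encrypts."""
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    return ext in TARGETED_EXTENSIONS


def find_shadow_delete_events(log_lines):
    """Return the process-creation records that look like a shadow-copy wipe."""
    return [line for line in log_lines if SHADOW_DELETE_RE.search(line)]


def triage(paths, log_lines) -> TriageReport:
    """Classify observed files and log lines into a single report."""
    report = TriageReport()
    for path in paths:
        if is_ransom_note(path):
            report.ransom_notes.append(path)
        elif is_targeted_file(path):
            report.at_risk_files.append(path)
    report.shadow_delete_events = find_shadow_delete_events(log_lines)
    return report


# Constructed sample data: a few user files plus two dropped note files.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xls",
    r"C:\Users\alice\Documents\DECRYPT_INSTRUCTIONS.txt",
    r"C:\Users\alice\Documents\DECRYPT_INSTRUCTIONS.html",
    r"C:\Users\alice\Pictures\holiday.JPG",
    r"C:\Users\alice\Videos\clip.mkv",      # not on the article's list
    r"C:\Program Files\app\main.exe",       # not on the article's list
]

# Constructed process-creation log in an assumed format. The explorer.exe
# parent is consistent with the injection the article describes but is not a
# signal by itself; the vssadmin deletion record is.
SAMPLE_LOG = [
    '2015-03-02 10:14:03 ProcessCreate pid=1208 image=explorer.exe cmd="C:\\Windows\\explorer.exe"',
    '2015-03-02 10:14:05 ProcessCreate pid=1312 parent=1208 image=vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '2015-03-02 10:20:41 ProcessCreate pid=1400 parent=900 image=vssadmin.exe cmd="vssadmin.exe List Shadows"',
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS, SAMPLE_LOG)
    print("ransom notes:        ", result.ransom_notes)
    print("at-risk user files:  ", result.at_risk_files)
    print("shadow-copy wipes:   ", result.shadow_delete_events)
    print("suspicious:          ", result.suspicious)
```

The note files are excluded from the at-risk count even though they end in .txt, so the report separates "what the attacker dropped" from "what the attacker would target"; the benign `vssadmin List Shadows` record is deliberately left unmatched so the check does not fire on routine administration.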
How to prevent CryptoWall infection and other ransomware viruses:
The best way to protect your computer is to avoid infection at any cost. We are glad to announce that our anti-ransomware product is now ready for a beta release! GridinSoft Anti-Ransomware beta was developed to protect your computer from cryptoviruses. Try this program; it may save your computer from a possible future infection. Help us make GridinSoft Anti-Ransomware better by leaving your feedback! To install the program, follow these steps:
- Download GridinSoft Anti-Ransomware.
- Follow the installation instructions.
- Open the program and enable the protection.