CryptoWall Ransomware

CryptoWall Ransomware Description

The CryptoWall Ransomware is a ransomware Trojan that uses the same strategy as a number of other encryption ransomware infections, such as Cryptorbit Ransomware or CryptoLocker Ransomware. The CryptoWall Ransomware is designed to infect all versions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows 8. As soon as the CryptoWall Ransomware infects a computer, it uses RSA-2048 encryption to encrypt crucial files, leaving computer users unable to access their data. The CryptoWall Ransomware claims that it is necessary to pay $500 USD to recover the encrypted data. The payment is demanded using TOR and Bitcoins in order to maintain the recipients' anonymity. Malware researchers strongly advise against paying the CryptoWall Ransomware ransom. Paying only encourages ill-minded persons to continue carrying out these types of attacks and does not guarantee that you will recover your data.

Fake Updates and Spam Emails may Bring the CryptoWall Ransomware to Your Computer

The CryptoWall Ransomware is distributed as a fake update for applications such as Adobe Reader, Flash Player or the Java Runtime Environment. These fake updates may be offered in pop-up windows when you visit unsafe websites or when a Potentially Unwanted Program is installed on your computer. The CryptoWall Ransomware may also be distributed through spam email attachments and other typical threat delivery methods. Apart from encrypting your data, the CryptoWall Ransomware also drops the files DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.html and DECRYPT_INSTRUCTION.url into directories where it has encrypted data. The CryptoWall Ransomware uses the following ransom message to demand payment:

Decrypt service
Your files are encrypted.
To get the key to decrypt files you have to pay 500 USD/EUR. If payments is not made before [date] the cost of decrypting files will increase 2 times and will be 1000 USD/EUR Prior to increasing the amount left: [count down timer]
We are present a special software - CryptoWall Decrypter - which is allow to decrypt and return control to all your encrypted files. How to buy CryptoWall decrypter?
1.You should register Bitcoin waller
2. Purchasing Bitcoins - Although it's not yet easy to buy bit coins, it's getting simpler every day.
3. Send 1.22 BTC to Bitcoin address: 1BhLzCZGY6dwQYgX4B6NR5sjDebBPNapvv
4. Enter the Transaction ID and select amount.
5. Please check the payment information and click 'PAY'.

Avoid paying this ransom. Instead, remove the CryptoWall Ransomware using a reliable, fully updated security program and then recover your files from an external backup.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow these tips to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari instead.
  • Use removable media. Download SpyHunter on another clean computer, copy it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable the proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

Still can't install SpyHunter? View other possible causes of installation issues.

Technical Information

File System Details

CryptoWall Ransomware creates the following file(s):
# File Name Size MD5 Detection Count
1 %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\a2f10867.exe 221,184 7f919abf4c32b34d576c81564045f98b 94
2 onewindow1s.jpg 278,016 845f94f481f32c883692f6c8bb4946cb 90
3 11a2c84.exe 220,160 f97d91f8aebbce4628664231184af5a1 84
4 %SystemDrive%\22bb2aa7\22bb2aa7.exe 221,184 fc70fcc84636f1ac405e85ab375e6323 82
5 %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG 62
6 %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML 56
7 %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT 51
8 %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.url 47
9 %APPDATA%sxstaacroic.exe 425,984 56214f61a768c64e003b68bae7d67cd2 46
10 %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\a5b2077d.exe 262,144 687d2936249b2ab7387e9336bddf23ef 40
11 %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\file.exe 374,272 4017f41610ee8c46552c6051ff60ba47 20
12 %APPDATA%deyct-a.exe 348,160 ce57a4f528ebb078f9bba3e72dc953f1 5
13 %SystemDrive%\43894dc\43894dc.exe 165,376 517d709b1b99fa87ddfe61950a93cf5c 4
14 %APPDATA%ivsposkhf2.exe 342,528 3d238f4934dad0b8724acce5800a5e63 2
15 %USERPROFILE%\Documents\qnemvp.exe 393,583 467dd942e4f3386bb7e8dd309c21d558 2
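
A triage sketch for the locations in the table above, added here as an example and not SpyHunter's or this page's own code. Because the executable names in the table differ from row to row, it matches on location and naming pattern (an .exe in a Startup folder, an .exe inside a folder of the same 7-8 digit hex name, and the ransom-note file names listed on this page) rather than on exact names. The function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

# Ransom-note file names listed on this page (compared case-insensitively).
NOTE_NAMES = {
    "decrypt_instruction.txt", "decrypt_instruction.html", "decrypt_instruction.url",
    "help_decrypt.png", "help_decrypt.html", "help_decrypt.txt", "help_decrypt.url",
}
# Folder and file sharing one 7-8 digit hex name, as in 22bb2aa7\22bb2aa7.exe.
HEX_NAME = re.compile(r"^[0-9a-f]{7,8}$")


def triage(root):
    """Walk `root` and return sorted (reason, path) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        parts = [p.lower() for p in folder.split(os.sep)]
        in_startup = parts[-2:] == ["programs", "startup"]
        for name in files:
            path = os.path.join(folder, name)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in NOTE_NAMES:
                findings.append(("ransom_note", path))
            elif ext == ".exe" and in_startup:
                # Any executable in a Startup folder runs at logon: review it.
                findings.append(("exe_in_startup", path))
            elif ext == ".exe" and HEX_NAME.match(stem) and parts[-1] == stem:
                findings.append(("hex_dir_exe", path))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed directory tree that mimics the table's layout."""
    layout = [
        ("Users/u/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
         "a1b2c3d4.exe"),
        ("0a1b2c3d", "0a1b2c3d.exe"),
        ("Users/u/Documents", "DECRYPT_INSTRUCTION.txt"),
        ("Users/u/Documents", "report.docx"),   # benign: must not be flagged
        ("Program Files/App", "app.exe"),       # benign: must not be flagged
    ]
    for rel_dir, name in layout:
        folder = os.path.join(base, *rel_dir.split("/"))
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"constructed sample, not malware")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for reason, path in triage(build_sample_tree(tmp)):
            print(f"{reason:15} {os.path.relpath(path, tmp)}")
```

A hit is a prompt for manual review, not a verdict: legitimate software can also place executables in a Startup folder.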


  • Cesar Rives:

    My machine was infected with one of the ransomware variants, which converted all my information to an 8dde extension.
    I have already recovered my PC, but my files are still encrypted. If anyone has a way to decrypt them, I would be very grateful.

  • Leo:

    My computer was infected with the CryptoWall Ransomware virus
    I tried different free tools to decrypt my files, but nothing helped.

    Does anybody have a solution how to get back my data?


  • Yair:

    I think the big ransomware risk is if the hackers succeed in infecting most of a company’s servers. In that case the company will not be able to work at all, and maybe there will be no recovery option without paying the ransom. What is your recommendation for such a case?


  • Marco Dane:

    I have both my computer hard drives cloned with True Image. I also have all my important data, files, movies, pictures, bills, everything, on two different external hard drives.

    If these guys ever come to me, I would tell them to go F*** themselves!

    I was told in 1998, by a guy that built me my first desktop computer: if you want to keep it, don’t put it on a computer. And never use your real name when filling out anything online!

    I had maybe four viruses. They were my fault, as I was downloading movies. No, not porn. I had that virus gone in less than an hour!

  • Sami:

    I’m still f*cked by this malware… don’t know how I can recover my 3 years of academic work.. even Dropbox has been infected.

  • Mohd arpaci:

    I can’t delete the app, and I cannot deactivate the app. If I do, it comes back on my screen.

  • George Piche:

    My computer was infected with the CryptoWall Ransomware virus. SpyHunter was able to remove the infection in full after a remote session with one of their technicians. Unfortunately I was unable to recover my files as the virus deleted all shadow files or previous restore points. Sadly I didn’t do a recent backup, and lost several files. Thanks to SpyHunter I’m back up and running though. Very satisfied with their software and technical support. Top notch!!

    If anyone has any other information on how I might be able to recover encrypted files, please advise. I referred to all the links provided by SpyHunter support but had no luck. Aside from paying the ransom, I’m open to suggestions.


  • MissionImpossible:

    My computer is infected by Cryptowall. I tried different free tools to decrypt my files, but nothing helped… So I had to pay 500$ to recover my files. It took about 5 hours… Now I will backup my data….

  • raj:

    My PC was infected and I’m trying to recover all my data which was lost. Can I format my PC??

  • Far Kem:

    I was afraid my entire network would be affected but as soon as I discovered something funny on my wife’s computer I cut the sharing options and put her IP in my firewall list.

    If anybody knows where these arseholes live or work, I would like to know. Please, someone let me know and I’ll fix them the old fashioned way.

  • abegail:

    My PC got infected and I just want to ask if this malware propagates only if there’s an internet connection? Coz I’ve been inserting my external HD w/out internet connection. I’m afraid that my external HD might be infected.

  • DESPERATE & ignorant:

    Victim: the decrypt tool you obtained after paying the US$ 1.000 .. worked? did you recover your files…?
    Our data base was attacked and deleted all attachments… do they appear "by magic" attached to where they belong? THANK YOU …5 years of work to the trash..desperate!!!

  • john smith:

    Got infected with this virus. I have deleted all files and programs and it’s still fukd. This is just a scam and anyone who pays the ransom is obviously nuts. Looks like a full wipe it is; my mate does it for a tenner, sweet as. I hope the people who designed this virus die a slow painful death.

  • Jon:

    The virus hit one PC and of course encrypted as much as it had access to, but nobody let us know (we’re an outsourced IT support company), so it had all yesterday afternoon and this morning to worm its way around. I just wanted to get something clear: is the program local to one machine’s available places to access, or once it’s gotten as far as it can on the server through that first user’s machine, can it jump across to other users’ machines, start the executable from there and then get more access, or is it only local to the machine the virus hit?

  • Terri:

    Found that some files can be recovered by right clicking and choosing previous versions. Only do this after running a full antivirus scan otherwise..anything that this computer touches will get infected. DO NOT ATTACH USB DRIVES WHILE INFECTED!!!

  • seb:

    Pleaseee got any solution to the encrypted files???
    says the virus makes copies of original and deletes but nor can seek recovery programs.
    Dolmac, your solution doesn’t work.

  • Tori:

    My laptop, primary computer was infected December 2014. I had an IT person take a look…new security software/hardware was installed and MY FILES AND PHOTOS are all gone. The Consumer Product Safety Commission or somebody needs to prevent this!

  • Custo:

    You must have really needed those files to pay the ransom.

  • Concerned:

    Did paying the ransom work?

  • Triton:

    The latest version of Cryptowall wipes out all your files wholesale. The only way to have your files back is by using data recovery software or, better yet, from an external source..

  • Tim S:

    To Richard Carey: You say you were able to decrypt the files? Exactly how? My mother’s computer was hit – Oct 24, 2014.
    Those who are ‘adamant’ about not paying to have them decrypted obviously haven’t lost years of files that include financial, family history, personal files!!!! We would be more than willing to pay, but a service tech wiped the computer clean (of the virus) before we realized the only way to get them decrypted was to pay them! Now we have over 4000 encrypted, useless files! We had the files backed up on an external hard drive that was connected to the computer. The virus hit that too!

  • Victim too:

    Paying these thieves is like negotiating with terrorists, if you pay you’re only making things worse and you’re voluntarily inviting them into your computer to make things worse down the road. Plus you’re wearing a target since they know you’ve paid before… you’ll keep paying again.
    These people will eventually get caught. Don’t be a part of the problem.

  • thai:

    Should I go ahead paying Cryptowall? If I pay, what are the chances of decrypting my file?

  • Richard Carey:

    I have seen this Trojan first hand once. The original file is not deleted, so you cannot recover deleted files to get yourself out of trouble.

    I can’t believe that some of you have talked to a number of IT specialists and they have told you to pay the ransom!

    I have recovered the files twice that were encrypted by cryptowall. Once locally, the second time, across the globe.

  • Deb s:

    I got the virus last night. I have an image backup from an external drive but it does not include all files as I save some files directly to a 2nd drive. Unfortunately this drive was connected last night when I got the virus and it also got the virus. My virus software IT dept says that it seems to just be Malware that encrypts the files and deletes the original. My dilemma is that I need to try to recover the files on the external drive – is this possible?

  • Shannon:

    omg so good!!!!

  • Joe:

    Have there been any positive results in retrieving the data left on the hard drive? I have been infected on a Windows 7 machine.

  • bokchoy:

    Windows 7 has previous file options which you may be able to go back to… otherwise, if you don’t have backups you’re SOL unless you want to pay $500 extortion to get the decrypt ability.

    In response to the article, the exe file created seems to be random. The one I saw had a different random string of characters for a name. I’ve seen cryptolocker before, and cryptolocker appeared to act faster or more efficiently.

    I’m working on clean up now and there are directories that have some files encrypted whereas others are not. So I’m confused as to whether I just got to it in time or what.

    For any average user, sorry if you’ve gotten infected. $500 is a bit much for most people but if you don’t have back ups that’s the only current way to get your files back. In the future keep backups on a device that’s not left connected to your computer.

  • Dolmac:

    Here is how to recover your files:

    The ransomware functions this way:

    When a user launches it (usually by email) it will encrypt all their files and add in each directory a document explaining that they will have to pay 500$ in Bitcoin to recover their files.

    FYI, if you pay, you will actually recover your files, but is there another solution than paying 500 or 1000$ to some kind of mafia? Yes.


    Power off the machine: the faster the better.
    CryptoWall operates this way:

    First it will make a copy of your original file, and encrypt it with what they claim to be an RSA2048 key. Then it will delete the original files. It goes on until it has encrypted all files on all disks and network shares the user can access.

    Secondly, it will try to delete any Windows shadow copies of your files to prevent you from recovering a previous "unencrypted" version of your files.

    The reason you should power off the machine quickly is that it might prevent the suppression of shadow copies. Then all you have to do is power on the machine, press F8, launch it in Safe Mode, and use antimalware programs to clean the virus. Then use the "precedent version" tab on the properties of your user folders to recover unencrypted files.


    What if you have no shadow copies and no backup of your files? There is still a way.
    As I said, Cryptowall doesn’t encrypt your original files. It will make a copy of it, encrypt it, and delete the original file.

    As you probably know, a deleted file can be recovered if nothing has been written over it on your disk. Good thing you quickly powered off the machine soon after the infection!

    Now all you have to do is take your hard drive out, put it in another machine as an external drive, or second drive if you don’t have a SATA dock, and run a file recovery program.

    I use Ontrack EasyRecovery or R-Studio, or even DataRescue for Mac.
    The pro version of Ontrack EasyRecovery might also be able to recover files from a RAID array if one of your network shares has been encrypted and you don’t have backups.

    All these programs will be able to recover the original files deleted by Cryptowall.

    Just make sure when you run those to NOT do it directly on the original machine as by writing on your infected disk, the program could Overwrite your deleted files.

    You should be able to recover 99% of your files using this method.

    After you recover your files, always do a clean format / install of your machine.

    Of course the best way to protect you from this kind of virus is always the same :

    Have a backup. Always. And a good up to date AV.

  • Bob Smith:

    We were able to copy files from a previous restore point, although the restore option was greyed out.

  • Victim:

    My PC was infected, and I tried all tools. I also spoke with many IT specialists and everybody told me that I must pay the ransom if I want to receive my files :( After 2 weeks I paid 1000 USD and after 4 hours received the decrypt tool…. Cryptowall is the worst that can happen to your PC.
