Updated CryptoWall 3.0 Ransomware Using Advanced Anti-Tracking Features

Cybercrooks are always on the lookout for ways to pad their bank accounts at the expense of victimized computer users. In their latest effort to do so, they have updated the widespread CryptoWall Ransomware threat.

The cyber criminals behind the CryptoWall Ransomware have released a new version of the malware, which encrypts files and then extorts the computer user for money with the promise of a decryption key. CryptoWall 3.0 uses RC4-encrypted I2P channels for its communications with the Command & Control servers and integrates a fallback mechanism in case the connection fails. In practice, this is a way for the ransomware to evade tracking while it connects and receives malicious instructions after infecting a computer.

The new version is distributed via numerous methods, including drive-by download attacks, Exploit Kits, known plug-in vulnerabilities, botnets and spam emails with attachments carrying the CryptoWall malware. CryptoWall can fairly be called one of the nastiest ransomware threats on the internet.

Computer users infected with CryptoWall version 3.0 may have their video, text and image files encrypted with the RSA-2048 algorithm. Additionally, they are presented with a tailored notification of what happened. The CryptoWall 3.0 message informs users that they have to pay a ransom of 2.17 Bitcoins ($500) within seven days. The message is rather firm in its demands but may not deliver on its promises if the outrageous fee is paid.

A code dissection by the French security researcher Kafeine revealed that CryptoWall 3.0 geolocates the victim's computer from its IP address. The update to version 3.0 does this in order to display a custom message, usually in the language matching the computer's location, as shown below:

Image 1. CryptoWall version 3.0 message in French. Source: Malware.DontNeedCoffee.com

Image 2. 'HELP_DECRYPT.HTML' message by CryptoWall version 3.0. Source: Malware.DontNeedCoffee.com

CryptoWall 3.0 Techie Details

The ransom demand is presented in the form of several files placed on the victim's desktop: HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT and HELP_DECRYPT.URL. Notably, the cyber criminals went to extra effort to help victims create a Bitcoin wallet and purchase Bitcoins for the ransom, much as in the case of the CoinVault ransomware.
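As an added example (not code from the article or from Kafeine's analysis), here is a small Python triage script a responder could run over a read-only mount of an affected drive: it finds folders holding the HELP_DECRYPT notes named above and flags sibling files whose byte entropy looks like ciphertext. The entropy threshold and the constructed sample tree are assumptions for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Ransom-note names the article lists; CryptoWall drops them next to encrypted files.
NOTE_NAMES = {"HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "HELP_DECRYPT.TXT", "HELP_DECRYPT.URL"}
HIGH_ENTROPY = 7.5  # bits per byte; an assumed triage threshold, not a CryptoWall constant


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a byte string (8.0 means every byte value is equally likely)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root: str) -> dict:
    """Map each folder that holds a ransom note to its sibling files that look encrypted."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        if not any(f.upper() in NOTE_NAMES for f in files):
            continue  # no note here, nothing for the responder to look at
        suspicious = []
        for name in files:
            if name.upper() in NOTE_NAMES:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(65536)  # the first 64 KiB is enough to judge entropy
            if shannon_entropy(head) >= HIGH_ENTROPY:
                suspicious.append(name)
        hits[os.path.relpath(dirpath, root)] = sorted(suspicious)
    return hits


def build_sample_tree() -> str:
    """Constructed sample data: one folder with notes and ciphertext-like data, one clean."""
    root = tempfile.mkdtemp()
    hit, clean = os.path.join(root, "Documents"), os.path.join(root, "Music")
    os.makedirs(hit)
    os.makedirs(clean)
    for note in ("HELP_DECRYPT.HTML", "HELP_DECRYPT.TXT"):
        with open(os.path.join(hit, note), "w") as fh:
            fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(hit, "thesis.docx"), "wb") as fh:
        fh.write(os.urandom(32768))  # random bytes stand in for ciphertext
    with open(os.path.join(hit, "readme.txt"), "w") as fh:
        fh.write("plain text " * 500)  # low entropy, reported as untouched
    with open(os.path.join(clean, "song.txt"), "w") as fh:
        fh.write("la " * 500)
    return root


if __name__ == "__main__":
    for folder, files in triage_tree(build_sample_tree()).items():
        print(folder, "->", files or "note present, no high-entropy siblings")
```

Compressed or already-encrypted legitimate files (archives, JPEGs, MP3s) also score high, so treat the list as triage input rather than a verdict. Run it against a read-only mount or image, never on the live infected host.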

Boldly, CryptoWall offers to decrypt one file for free, so the victim can verify that the ransomware's decryption mechanism works. After a successful verification, users are directed to purchase the decryption key via a Bitcoin transaction to designated wallet addresses: 15qZLHkcgGnqaBByno2nq6ufa1og3PjnxU and 1JYYzNHDaGC7noiE4eKatuYA4AThqVocDd.

Kafeine's research revealed that the links offered by CryptoWall version 3.0 and its communications are routed through RC4-encrypted I2P channels, allowing it to communicate anonymously with the C&C servers. If the provided websites are not reachable through those links, victims are advised to install the Tor Browser Bundle and follow a URL to a Tor-hosted site with the instruction code: paytoc4gtpn5cz12.onion/vRRRbw

Security experts keep reminding computer users that paying the ransom will not bring back or decrypt their files. CryptoWall 3.0 uses the same strong RSA-2048 encryption seen in its predecessors CryptoWall 2.0, CryptoDefense and CryptoLocker to ensure that files are fully encrypted. Although CryptoWall does not use the social engineering techniques found in ransomware like Kovter, data suggests that the criminals behind the scheme have accumulated more than $1.1 million. Computer users, as usual, are urged to keep their software updated and use the latest antimalware protection to thwart attacks from newly updated ransomware threats and other aggressive malware.

33 Comments

  • Lor:

    Ahmar, your best bet is to do as aldric explained. 1: turn off your computer. 2: Remove your hard drive(s) and install it on a clean system. 3: Use your favorite data recovery software to search your drive’s partitions for lost files. 4: recover whatever it finds to the clean computer’s hard drive. 5: (should be step 1) pray. There is no algorithm to decrypt rsa2048 encrypted files that I know of…. I’ve done this a few times now with mixed success. On system drives/partitions this does not seem to work well. On secondary drives I’ve had reasonable success, recently recovering 6GB of photos and office documents including a PhD thesis paper, from a hot "backup drive"…. fyi. I used a free version of Easeus data recovery wizard…. The reason this can work is because it seems cryptowall3 encrypts a file to the new file name, then deletes the original. If the drive is not too full, you have a chance….
    When you are done recovering, remember to nuke or replace your hard drive. You could bag it and save it in the hopes that a better solution might happen…. good luck.

  • Ahmar:

    what’s that encrypted algorithm George ????

  • Dawood Khan:

    Since everyone raised the question, "how to decrypt the files." I don’t think there’s an actual way to decrypt it, not without the key because that’s how RC4 encryption works. Either you have to get the key or have your files lost forever. Other than that you can hack their servers and get the keys, and save the universe but that’s more like impossible.

  • Mac:

    George, would you please share the solution you found? This is a very frustrating issue and so many people are unfortunately facing it. It’s awesome you were able to recover your files, but in order to really stick it to "those bastards", it would be even more awesome if you could inform everyone of the method used to recover your data.

    It would be EXTREMELY appreciated and a potential giant leap into tons of easy, mainstream fixes in the future.

  • Sami:

    I got infected with this virus last week. All my drives except C are affected by this virus and I have tried some recovery tools but nothing happened. Please tell me is there a possible way to recover my files. Because all these files are very important for me as these files are my portfolio.

  • Alex I:

    I paid the 500 USD and they didn’t decrypt my files, it’s a trick…

  • crystal:

    Got attacked by this new age bandit. I will purchase a new computer before I pay them one thin dime. It attached itself to my pictures but I have found a way around that and will find a way to print them off..

  • Colin:

    Has anyone paid these guys and then successfully decrypted their files?

  • DMAC Amanda:

    Did George say he found how to decrypt his file? If possible can you share. I desperately need my files that were encrypted by CryptoWall 3.0 but don’t want to pay the bastards in fear they won’t give me the key.
    PLEASE HELP

  • Lucy:

    Hi,

    I got infected by this earlier this week. But it looks like only one folder in my drive is infected. I’m lucky enough that the folder infected isn’t really important, and I’m willing to delete it, but I don’t know what this virus is capable of as it might infect another folder after I delete the infected one, or possibly the whole drive.

    I had a flash drive connected to my infected folder, and even copied some files from the folder, before I realized that the folder was infected. I’m not sure if the flash drive itself is infected, but is it possible for the virus to infect other PC that I connect the flash drive to?

    Please, if anyone would kindly respond, will deleting the infected problem solve the problem?
    Also, I don’t really get how this virus works. Can this virus infect another PC by means of flash drive?

    Thank you in advance.

  • Zomer:

    How can I decrypt my files? My whole drive has been encrypted. I made a backup on a separate drive, but this is also infected. Any help possible? I am afraid there are no restore points.

  • Aldric:

    Hey guys, my friend got hit with Cryptowall 3.0 a few days ago. He took his computer to a computer store and they told him that there is nothing they could do to recover his files. They re-installed Windows and a couple programs on his computer. A day later he called me and told me about it. I picked up his computer and did several "deep scans" on it and was able to recover a couple thousand Pics and some .Docs .ppt, .pdf, .avi, and .mp3 files totaling about 400. I’m writing this to let you know that if you got hit with Cryptowall 3.0 there is a good chance of getting most of your files back if you have not been writing to the Hard Drive(s) that has been infected. You need to connect the infected drive to a clean system and use recovery software to find the files that Cryptowall deleted. I did 3 Scans on a 1 terabyte Drive on a Quad Core system using 3 different programs. The average time was 10 hours per scan.

  • Mario Mauricio:

    @George, Any solution? Please help us

  • ooki:

    Anyone can help?
    I got attacked by cryptolocker, noticed by the file name help_decrypt.png .txt .html in every folder. I did remove it from the registry. But the doc files like .xls .pdf etc still can’t be opened. If anyone succeeded, could you share how to remove it. Thx

  • RushD:

    Chip,
    Can you please provide me with a hand on getting my files back? I paid the bastards $500 and I received something that appears to be the key, however, I am not able to figure it out. I went to BestBuy but the guy said that I couldn’t do anything about it (he didn’t even look at my laptop, just went to his supervisor and that is what he advised him to say to me). Any help that you could provide would be greatly appreciated.

  • DRudi:

    While I have Windows XP, in the early a.m. of 03/03/15 I awoke to a response from my soon-to-be ex’s employer regarding their noncompliance aspects with child support etc; only soon thereafter, this crappy cryptowall 3.0 invaded, appearing to be the next early a.m. Anyone able to decrypt this? George, if you truly were able to do this please advise. Serious recovery is needed as I too was not able to back up files, am going through a divorce, etc.

    Thank you.

  • Mo:

    Hey George,
    6 days ago you posted that you found the encrypted algorithm and now all of your files are ok. Can you please share with us how you did this? Thank you.

  • resc:

    George, how about sharing your solution. vijay, I tried uploading the file to decryptcryptolocker and I got the same message. I read in an article that Cryptowall will delete the original files and create encrypted files instead. I will clean my server and try to recover the deleted files tonight. If this works I will post the result tomorrow afternoon. In the meantime, does anyone have a better idea for the ones that don’t have backups or shadow copies.
    Thanks,

  • Vijay:

    My Windows XP computer got affected by RSA-2048 cryptowall 3.0. When I upload my file to decryptcryptolocker.com I get a message saying it was not affected by cryptolocker. I think it is different from 3.0. Can anyone help me to find a way to decrypt? I don’t have a backup unfortunately.

  • Edouard:

    Hi george,
    I have the same problem!
    Would you be so kind to give me the way how to decrypt my files?
    Thanks in advance
    BR

  • Sam:

    Hi George, you said you have found the decryptor of virus cryptowall 3.0, may I ask for information on how to get my data back. What do I have to do. Thank you.

  • Jim:

    @George, please explain how you ‘found the encrypted algorithm’ and recovered all your infected files.

  • Frank:

    George in detail can you tell us how you decrypted the files?

  • George:

    Hi guys, I just decrypted all my files without paying those bastards… I found the encrypted algorithm and now all my files are ok, jpg, PDF, Word, mp3 and all……

  • Pete Cliotis:

    I am fighting the Help_Decrypt virus on a friend’s computer. I had a Spotmau 2012 boot disk and was able to use it to recover the data in the encrypted folders. I made new folders on my Flash drive with the name of the folders I was recovering and copied and pasted the contents. This might help some people recover their data without paying. Be careful to delete the Help_decrypt files inside each folder and sub folder. But do this before the files get encrypted! Good Luck!

  • Altascene:

    Hit with this last Friday. Suspect it was an email attachment from a known sender. Infected one PC and part of a Server shared drive. Will probably wipe the PC, and restore files from backup. This is a bear.

  • nino:

    I got infected with Cryptowall 3.0 on 05-feb-2015. I am a home user from Croatia. When I noticed intensive hard drive work I shut down the PC and started to examine what was going on. The virus encrypted some of my audio and jpg files. I used Microsoft Defend to remove it (working in Safe mode, full scan took over 6 hours). After reboot the virus was still there and again started to encrypt. New shutdown and this time I used Malwarebytes. Full scan (4 hours) but same as the Microsoft tool, it found everything on disk but nothing in the registry. After reboot everything seemed o.k. but after a while the virus started working again. New shutdown. This time I used paper, wrote down every piece of information I could collect on the internet about the crypto virus and manually cleaned the registry. I got lucky to clean it but someone must put instructions on this subject because it is not only the run key in hklm and hkcu but also the key winlogon and lnkteqd (this dll the virus replaced with its own) but also Control Panel Task Scheduler. So people, be aware that there is no easy removal for this virus.

  • Derari:

    I was also infected by this in my SD memory card in which I had important pictures for me. I was reading you only have a certain amount of time to get your pictures back. I am willing to take the risk and pay as soon as I get the money. Does anybody know how long they remain available to recover.

  • David:

    Anyone successfully decrypted files again? I have a customer who has got hit and we have tried several tools to resolve it but nothing is working

  • CHIP:

    I got hit twice! Once in November by 2.0 then last week by 3.0. When I first got hit by 2.0 it was time for a new computer and the files that were encrypted were not that important. I thought we had the system locked down but criminals got in thru our firewall and installed 3.0 on our server…encrypting 39,000 files. I had no choice but to pay the ransom. So, yes I paid the bastards $500 or 2.17 Bitcoins. True to their word they provided the private key that unlocked and decrypted ALL my files. We immediately threw up new protective measures to keep EVERYONE out. However, and this is why I am writing this….while we got back our files in the decrypt program the bastards installed a Trojan that effectively turned 90% of my server computer resources into a "bit coin miner". That was one hard little program to track down and disable. So, while you may have your files back watch out for the other infection. All in all the hardest part of recovering my files was setting up and buying BitCoins….what a pain in the ass!

  • Steven:

    I was fixing a buddy’s computer and what I typically do is get all the important files on a disc, scan and fix them separately while wiping the computer clean on the side. Well, this virus has encrypted everything important and obviously I don’t have the original files anymore and I just wiped the computer clean. What are the chances I can decrypt these files?

  • bluesmoke59:

    I was hit with this too. But instead of infecting my laptop, it went through to all my flash/pin drives where I thought my pictures and documents were supposed to be safer. It even infected the SD memory card I use for my camera. Unfortunately, my laptop doesn’t have shadow copies for these other E, F, G, and H drives, only for the C drive.

    I’ve been dealing with this for the past week and have tried different scan and/or removal tools, they find nothing on my laptop and most don’t scan my pin drives.

    Please, any suggestions on how I can retrieve the work on these flash drives and memory card?
    Unfortunately, I’ve read that even paying the ransom gives no guarantee that I will have my work back, and everything seems to apply to the C drive.

    Thanks.

  • Felix Miguel Rey Amaro:

    Thank you for the warnings. I will try to keep my computer away from the cybercriminals. Regards, Miguel
