Remove Cryptowall

What is Cryptowall

Cryptowall is file-encrypting malware, commonly known as ransomware. The ransomware was first spotted in 2013, but has since been updated several times. It’s no longer as active as it used to be but can still be encountered to this day. Some of its versions are decryptable for free, while others will require you to use backup to recover files.

Cryptowall will encrypt your files and demand that you pay a ransom to recover them. This ransomware requests $500 initially but doubles the price after a certain period of time. We obviously do not recommend paying the ransom as that may be a waste of money. First of all, depending on which version encrypted your files, there may be a free decryptor available. Secondly, even if you pay, you will not necessarily be sent a decryption tool. Crooks can just take your money and not bother sending you anything.

Unfortunately, if your files are encrypted with the version that is not currently decryptable, your only shot at recovering files is backup. If you have it, first remove Cryptowall from your computer and only then connect to your backup.

How did Cryptowall infect your computer?

Like most ransomware, Cryptowall spreads via spam emails, malicious downloads and rootkits. You can avoid a lot of ransomware and other malware by simply following a few safety tips. Tip number one, do not open spam email attachments, or spam emails in general. They land in your spam section for a reason. A lot of them will try to convince you to open the email attachments, claiming it’s an important document. In most cases, it will be malware. In general, when you get an unsolicited email with an attachment, it’s always a good idea to scan the file with anti-virus software or a service like VirusTotal.

Tip number two, avoid downloading files using services like torrents. If you pirate content, you should be aware that a lot of files for films, TV-series, software, etc., are malware. So if you’re going to use torrents, at least make sure that what you’re downloading isn’t going to harm your device.

Finally, update your Windows and programs. Rootkits can get in via unpatched vulnerabilities on your computer, and later install all kinds of malware onto your device. If you can’t be bothered to install updates manually, enable automatic updates.

What does Cryptowall do?

Cryptowall will start scanning for certain files to encrypt as soon as it’s activated. It targets files like photos, videos, documents and encrypts them using sophisticated encryption techniques. Once files are encrypted, users will find a ransom message in files DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.html, and DECRYPT_INSTRUCTION.url. The note explains that files have been encrypted and that to recover them, users need to pay $500 in Bitcoin. The note also warns that the $500 is an initial sum, and the amount will double if payment is not made by a certain date.

Paying the ransom is a bad idea for three reasons. First, since you are dealing cyber criminals, you’re not guaranteed a file decryptor even if you pay. There’s nothing really stopping them from just taking your money. Second, by giving crooks money you’d be supporting their future criminal activity and making ransomware a profitable business. Finally, there could be a free decryptor available. If there isn’t one, your best option is to wait for one to be released.

If you have made copies of your files, you can connect to your backup and recover everything. However, before you do, you need to make sure the ransomware has been fully removed.

Cryptowall removal

To delete Cryptowall, you need to use anti-malware software. Manually trying to uninstall Cryptowall could lead to even more trouble for your computer. Instead, use anti-malware software. However, you should keep in mind that just because you remove Cryptowall, that does not mean your files will be recovered. You will need a decryptor for that.

Learn how to remove Cryptowall from your computer

• Step 1. Delete ransomware via anti-malware
• Step 2. Delete Cryptowall using System Restore
• Step 3. Recover your data

Step 1. Delete ransomware via anti-malware

• a) Windows 7/Windows Vista/Windows XP
• b) Windows 8/Windows 10

a) Windows 7/Windows Vista/Windows XP

1. Start menu -> Shut down -> Restart.
2. Press and keep pressing F8 until Advanced Boot Options loads.
3. Select Safe Mode with Networking and press Enter.
4. When your computer boots, download anti-malware software via your browser.
5. Launch the program, scan your computer and delete the infection.

b) Windows 8/Windows 10

1. Press the Windows key on your keyboard and click on the power icon.
2. Select Restart while holding the Shift key.
3. Choose Troubleshoot and then Advanced options.
4. In Advanced options, choose Startup Settings and select Enable Safe mode with Networking (or just Safe Mode).
5. Press Restart.

Step 2. Delete Cryptowall using System Restore

• a) Windows 7/Windows Vista/Windows XP
• b) Windows 8/Windows 10

a) Windows 7/Windows Vista/Windows XP

1. Start menu -> Shut down -> Restart.
2. Press and keep pressing F8 until Advanced Boot Options load.
3. Select Safe Mode with Command Prompt, and press Enter.
4. In Command Prompt, type in cd restore and press Enter.
5. Then type in rstrui.exe and press Enter again.
6. A new window will appear where you will have to choose a restore point. Choose one dating back prior to infection and press Next, and then Finish.

b) Windows 8/Windows 10

1. Press the Windows key on your keyboard and click on the power icon.
2. Select Restart while holding the Shift key.
3. Select Troubleshoot and then Advanced options.
4. In Advanced options, choose Startup Settings and select Enable Safe mode with Command Prompt.
5. In the Command Prompt window that appears, type in cd restore and press Enter.
6. Then type in rstrui.exe and press Enter again.
7. In the window that appears, you will have to select a restore point dating back prior to infection. Select one and press Next, then Finish.

Step 3. Recover your data

• a) Method 1. Data Recovery Pro
• b) Method 2. Windows Previous Versions
• c) Method 3. Shadow Explorer

When your files are encrypted by ransomware, you may be able to recover them. Below, you will find methods that could help you with file decryption. However, bear in mind that file decryption is not guaranteed. These methods are not always reliable, thus the best way to recover files would be via backup. And if you don't already have it, we suggest you invest in it.

a) Method 1. Data Recovery Pro

1. Download the Data Recovery Pro program.
2. Install and run the program.
3. Press Start Scan to see if data can be recovered.
4. If it finds recoverable files, you can restore them.

b) Method 2. Windows Previous Versions

If you had System Restore enabled prior to infection, your files should be recoverable through Windows Previous Versions.

1. Find a file you want to recover and right-click on it.
2. Properties -> Previous Versions.
3. Choose a version from the list and press Restore.

c) Method 3. Shadow Explorer

Some ransomware does not delete automatically created copies of your files, which are known as Shadow Copies. If they were not deleted, you should be able to recover them via Shadow Explorer.

1. Download Shadow Explorer from a reliable source.
2. Install and run the program.
3. Choose a disk that contains encrypted files and if it contains folders with recoverable files, press Export.