TCI Technologies Blog

CryptoWall 3.0
17 Jun

Combating CryptoWall 3.0

Categories: TCI Tips, News

Although CryptoWall 3.0 ransomware has been around for a while now, we’ve recently seen a surge in the number of PCs infected. Lately, many CryptoWall 3.0 infections have come from malicious spam (malspam) emails and from the Angler Exploit Kit (Angler EK), a software package that contains easy-to-use attacks against vulnerabilities in browsers such as Chrome, Internet Explorer and Firefox, and in browser plug-ins such as Adobe Flash Player, Adobe Reader and Java. Though it’s tough, CryptoWall 3.0 is not impossible to defeat.

What is CryptoWall 3.0?

CryptoWall 3.0 is a form of malware known as ransomware, because it essentially kidnaps the personal files on your PC and demands payment for their return. Once it has infected a computer, CryptoWall 3.0 encrypts your files, so that they cannot be opened without a decryption key that only the attackers hold. After encrypting your files, the malware displays what is essentially a ransom note explaining that your files have been encrypted and detailing the steps you must take to get them back. CryptoWall 3.0 demands a payment (usually somewhere around $500) for the decryption key within a week or so; after that deadline the price doubles. So, how does this pesky malware weasel its way into your computer? Unfortunately, there are a couple of ways.

Infection by Malspam

One of the main ways CryptoWall 3.0 has recently been infecting computers is through malspam sent from Yahoo email addresses with an attached file named “my_resume.zip.” Extracting and opening the HTML file inside the archive redirects your browser to docs.google.com, where you are prompted to download and open another file; that file is CryptoWall 3.0 itself. Once you open it, your computer is infected. A résumé that arrives as a ZIP containing an HTML file, rather than a document, is itself a warning sign: a legitimate résumé has no reason to send you to a download page.

Infection by Angler EK

When your computer becomes infected with CryptoWall 3.0 via Angler EK, it happens because you visited a compromised website. The compromised website silently redirects your browser to Angler EK, which probes for the unpatched browsers and plug-ins listed above and, if it finds one, exploits it to download and run CryptoWall 3.0. If your computer is vulnerable to one of those exploits, it becomes infected; if your browser and plug-ins are fully patched, the exploit attempts fail. Unlike the malspam route, this requires no attachment to be opened, which is why keeping Flash, Reader, Java and the browser up to date matters so much.


How to Remove CryptoWall 3.0

Sadly, the cyber criminals responsible for the infection of your computer aren’t bluffing. If your computer is infected with CryptoWall 3.0, your files really are encrypted, and the encryption cannot simply be broken. Paying the sum the crooks request reportedly does get you a working decryption key, but there is no guarantee, every payment funds the next campaign, and seriously, who has $500 (or $1,000 once the deadline passes) lying around to buy back something that is rightfully their own? Instead of buying your own data back from the underground malware-writing community, you can take these steps to try removing the infection and restoring your files.

1. Download an Anti-Malware Program

Removing CryptoWall 3.0 from your computer is the easy part of this process. Most anti-malware programs, even free ones, will detect and remove CryptoWall 3.0 itself. Keep in mind that removal does not decrypt anything; it only stops the malware from encrypting more files, including files on any USB drive, network share or backup you connect later. Disconnect the PC from the network and unplug external drives before you start, and do not reconnect backup media until the scan comes back clean. Having an anti-malware program is also a good preventative measure to protect your computer from infection in the future.

2. Attempt to Restore your Files with System Backup

The tough part of conquering CryptoWall 3.0 is restoring the data it encrypted. We encourage you to back up the data on your computer regularly, to a drive or service that is not permanently connected to the PC, since CryptoWall encrypts files on any drive it can reach, mapped network drives included. If your computer is already infected with CryptoWall 3.0, it’s too late to start. If you do back up your files often, restore them from the most recent backup taken before the infection. If this works for you, great! However, not everyone backs up their data consistently. If a backup is not available, try the next step.

3. Attempt to Restore Files with Shadow Copy Service

There are two methods you can use to try and restore your files from shadow copies. The Volume Shadow Copy Service (VSS), which Windows has included since Windows XP, takes point-in-time snapshots of a volume; when System Protection is turned on, Windows takes them automatically, and on Windows Vista and later the Previous Versions feature reads individual files out of them. However, it is important to note that this will not guarantee the restoration of your files, since CryptoWall 3.0 attempts to delete your shadow copies when it infects your PC (the usual method is running vssadmin delete shadows /all /quiet, which needs administrator rights). Recovery from shadow copies therefore only works if that deletion was blocked or failed, for example because the user was not an administrator or declined the elevation prompt.

Method A: Using Windows Previous Versions

Right-click an encrypted file, select “Properties” from the menu, and go to the “Previous Versions” tab. If this tab is not present, it means Windows System Protection was not enabled prior to the infection, and there is nothing to restore from. If the tab lists versions, choose the latest one dated before the infection, click “Copy” and select the directory to which you wish to restore the file. Prefer “Copy” over “Restore”: “Restore” overwrites the file in place, while “Copy” leaves the encrypted original untouched in case you need it later.

Method B: Using Shadow Explorer

If you download Shadow Explorer, a free third-party tool, you can restore entire folders at once. After you run Shadow Explorer, you’ll see a list of your drives and, for each, the dates of the shadow copies that still exist. Select a drive and a date from before the infection, then right-click a folder and choose “Export” to copy it out to a location of your choice. If the date list is empty, CryptoWall succeeded in deleting the shadow copies and this method will not help.
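The same recovery as Methods A and B, scripted in PowerShell, as an added example that is not part of the original post and not code from Shadow Explorer or any other tool mentioned here. It assumes an elevated Windows PowerShell session on Windows 7 or later, that CryptoWall has already been removed (otherwise the recovered copies are encrypted again), and that at least one shadow copy survived; the paths and date in the usage call at the bottom are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated Windows PowerShell
# session on Windows 7 or later and that CryptoWall has already been removed, so the
# recovered copies are not encrypted again. Paths in the usage call are placeholders.
#Requires -RunAsAdministrator

function Get-ShadowCopies {
    # Returns the snapshots of one drive, newest first. Win32_ShadowCopy.VolumeName
    # holds a \\?\Volume{GUID}\ path, so the drive letter is translated through
    # Win32_Volume before matching.
    param([string]$Drive = 'C:')
    $volumeId = (Get-CimInstance Win32_Volume |
        Where-Object { $_.DriveLetter -eq $Drive }).DeviceID
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeId } |
        Sort-Object InstallDate -Descending
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)] [string]$RelativePath,  # e.g. 'Users\alice\Documents'
        [Parameter(Mandatory)] [string]$Destination,   # write to a different, clean drive
        [string]$Drive = 'C:',
        [datetime]$Before = (Get-Date)                 # newest snapshot taken before this
    )
    $snap = Get-ShadowCopies -Drive $Drive |
        Where-Object { $_.InstallDate -lt $Before } |
        Select-Object -First 1
    if (-not $snap) {
        throw "No shadow copies of $Drive from before $Before. CryptoWall may have deleted them; fall back to an offline backup."
    }
    Write-Host "Using snapshot $($snap.ID) taken $($snap.InstallDate)"

    # A snapshot is exposed only as a device path such as
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3. A directory symlink makes it
    # browsable like a normal folder; the trailing backslash on the target is required.
    # Neither path contains spaces, so the arguments are passed to cmd unquoted.
    $mount = "$env:SystemDrive\vss_" + ($snap.ID -replace '[{}]', '')
    cmd /c mklink /d $mount ($snap.DeviceObject + '\') | Out-Null
    try {
        $source = Join-Path $mount $RelativePath
        if (-not (Test-Path $source)) { throw "$RelativePath does not exist in that snapshot" }
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        # Copy the folder's contents (not the folder itself) into the destination.
        Copy-Item -Path (Join-Path $source '*') -Destination $Destination -Recurse -Force
        # The ransom notes CryptoWall 3.0 drops next to the files are not worth keeping.
        Get-ChildItem -Path $Destination -Recurse -Filter 'HELP_DECRYPT.*' | Remove-Item -Force
    } finally {
        # rmdir on a directory symlink removes only the link, never the snapshot behind it.
        cmd /c rmdir $mount | Out-Null
    }
}

# Usage (placeholder paths and date): recover one user's Documents folder onto a clean
# drive, using the newest snapshot taken before the day the ransom note appeared.
Restore-FromShadowCopy -RelativePath 'Users\alice\Documents' `
                       -Destination 'D:\recovered\Documents' `
                       -Before (Get-Date '2015-06-15')
```

Two design choices matter here. The snapshot is chosen by date rather than "newest", because a snapshot taken after the infection started contains encrypted files, and the copy goes to a different drive so that nothing on the infected volume is overwritten while you are still unsure what is clean.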

If your computer has been infected with CryptoWall 3.0, hopefully one of the above methods recovered your files. It won’t hurt to take preventative measures to protect your PC from malware and avoid situations like this in the future: keep your browser, Flash Player, Adobe Reader and Java patched so Angler EK has nothing to exploit, don’t open ZIP attachments that claim to be résumés or invoices, turn on System Protection so shadow copies exist to fall back on, and keep a backup on a drive or service that is not left connected to the PC.
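Two of those preventive measures, scripted in PowerShell, as an added example that is not part of the original post: turn System Protection on so the shadow copies Step 3 relies on actually exist, and search process-creation logs for the vssadmin command that CryptoWall-style ransomware uses to delete them. It assumes an elevated Windows PowerShell 5.1 session (Enable-ComputerRestore and Checkpoint-Computer are not available in PowerShell 7); the log search only returns results if Sysmon (Event ID 1) or Windows process-creation auditing with command-line logging (Security Event ID 4688) was already enabled, which it is not by default.

```powershell
# Added example, not from the original post. Assumes an elevated Windows PowerShell 5.1
# session. Find-ShadowDeletionAttempts only sees anything if Sysmon (Event ID 1) or
# process-creation auditing with command-line logging (Security Event ID 4688) was
# already on; neither is enabled by default.
#Requires -RunAsAdministrator

function Enable-ShadowCopyProtection {
    # Turns on System Protection for the drive (this is what makes the "Previous
    # Versions" tab appear), caps the space snapshots may use so they are not silently
    # discarded as the disk fills, and takes a baseline snapshot right away.
    param([string]$Drive = 'C:', [string]$MaxSize = '10%')
    Enable-ComputerRestore -Drive "$Drive\"
    vssadmin resize shadowstorage /for=$Drive /on=$Drive /maxsize=$MaxSize | Out-Null
    # Windows 8 and later skip a second restore point within 24 hours unless the
    # SystemRestorePointCreationFrequency registry value is lowered.
    Checkpoint-Computer -Description 'Baseline snapshot' -RestorePointType MODIFY_SETTINGS
    $count = (Get-CimInstance Win32_ShadowCopy | Measure-Object).Count
    Write-Host "System Protection is on for $Drive; $count shadow copies present"
    return $count
}

function Find-ShadowDeletionAttempts {
    # Searches the last $Days of process-creation events for the commands ransomware
    # uses to wipe shadow copies (vssadmin, or the equivalent wmic call). A hit that no
    # administrator can account for is an early sign that an infection has begun.
    param([int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = '(?i)vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete'
    $queries = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since },
        @{ LogName = 'Security';                             Id = 4688; StartTime = $since }
    )
    foreach ($q in $queries) {
        # SilentlyContinue: the Sysmon log does not exist where Sysmon is not installed,
        # and an empty result is not an error here.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $pattern } |
            Select-Object TimeCreated, @{ n = 'Log'; e = { $q.LogName } }, Id, Message
    }
}

Enable-ShadowCopyProtection -Drive 'C:'
Find-ShadowDeletionAttempts -Days 30 | Format-Table -AutoSize -Wrap
```

Shadow copies are a convenience, not a substitute for the offline backup recommended above: the same script that finds a deletion attempt after the fact cannot undo it, and an attacker running as administrator can delete the snapshots no matter how they were configured.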


Author: Nick