Cryptowall is a form of ransomware that encrypts files on your computer and network drives using strong encryption algorithms. Once encrypted, the files become inaccessible and useless unless you pay the ransom to get a decryption key. Unfortunately, there is no guaranteed way to decrypt files encrypted by Cryptowall without the decryption key. However, there are some methods you can try to recover files and minimize the damage caused by the infection.
Prevention
The best protection against ransomware like Cryptowall is prevention. Here are some tips to help prevent infection:
- Keep your operating system, software, and security solutions up-to-date with the latest patches.
- Be cautious of unsolicited email attachments, even from people you know. Cryptowall is often spread through spam or phishing emails with malicious attachments.
- Backup your data regularly. Store backups offline or in the cloud so they can’t be accessed and encrypted by ransomware.
- Use antivirus and anti-malware software to detect and block known ransomware.
- Don’t open files from unknown sources or visit suspicious websites that may distribute malware.
- Turn off RDP if not needed and use strong passwords and 2FA to secure remote access.
- Restrict execution of .exe files in AppData/LocalAppData folders.
Implementing security best practices makes it much harder for ransomware like Cryptowall to infect your system.
Disconnect from Network Immediately
If you suspect a Cryptowall infection, disconnect your computer from any network or shared drives immediately. Cryptowall will attempt to encrypt files on local drives as well as mapped network drives and shared folders. Disconnecting stops the ransomware from spreading further and infecting more files on other PCs.
Identify Patient Zero
Try to identify the first infected computer, known as patient zero. Check firewall and email logs to see where the malware entered the network. This PC likely has the encrypted private key required to decrypt files. It may be possible to recover this key if you can isolate the infected system.
Check for Shadow Copies
Modern Windows versions create shadow copies automatically as a recovery option. Ransomware often tries to delete or disable these shadows. Use the built-in Previous Versions tool to browse for and restore file versions that existed before the infection.
Scan with Decryption Tools
Security firms often release free decryption tools for common ransomware strains. Run these tools to check if they can decrypt your files:
- Emsisoft Decrypter for Cryptowall
- Avast Decryptor for Cryptowall 5.1
- Kaspersky RakhniDecryptor
- Cryptowall Decrypter by CheckPoint
Make sure to run the latest versions of these tools. They are frequently updated as new ransomware versions emerge.
Leverage Cloud Storage
If you have cloud-synchronized versions of your encrypted files, you may be able to restore them from services like OneDrive, Google Drive, Dropbox etc. This does depend on having the sync option enabled before infection.
Try Alternative Recovery Methods
Some people have had limited success recovering a few encrypted files using data recovery tools like Photorec Recuva, or R-Studio. This works best if encryption was interrupted before completion, leaving file remnants that can be reconstructed.
Wipe and Restore from Backup
If other options have been exhausted, the nuclear option is to wipe the infected system and restore files and settings from a clean backup. This results in data loss between your last backup and the infection date. But it ensures Cryptowall is completely removed so it can’t spread or re-encrypt restored files.
Pay the Ransom as Last Resort
We never recommend paying ransom demands as it encourages and funds more criminal activity. However, some businesses and individuals in desperate situations choose to pay if the encrypted data is absolutely critical and worth more than the ransom amount. Be aware that the criminals may still not provide working keys after being paid.
How Cryptowall Encrypts Your Files
To understand why file recovery is difficult, it helps to know how Cryptowall encrypts data on infected systems:
- Uses strong AES and RSA encryption algorithms.
- Generates new AES keys for each file. This means every encrypted file has a unique key.
- The AES keys are encrypted with a 2048-bit RSA public key stored in the malware code.
- The private key to decrypt files is only known by the attackers. They will provide it only if the ransom is paid.
- Encrypted files get a new extension like .xyz, .aaa, .vvv after encryption.
- Shadow copies and connected drives/shares get encrypted too.
This multi-layered process with unique keys makes each infection is impossible to decrypt without the private RSA key held by the criminals. Brute forcing is not feasible.
How Much Does Cryptowall Charge for Decryption?
The ransom amount demanded by Cryptowall varies but is often $500-$1000 worth of Bitcoin. The ransom note provides instructions on how to acquire and pay the ransom in Bitcoin, indicating a Bitcoin wallet address to send payment. The attackers will usually double or triple the ransom if you do not pay within a short time.
Of course nothing stops them from demanding more money or simply disappearing after being paid. You ultimately have to take it on faith that criminals will uphold their promise.
Is Paying the Ransom Legal?
There are no laws strictly prohibiting ransom payment. The FBI recommends not paying as it props up the ransomware business model. But they acknowledge victims have the right to make their own decision for what is best for their situation.
However, legal complications can arise if organizations do not properly disclose ransom payments. For example, publicly traded companies may be required to disclose the payment if it is financially material. Hospitals and insurers dealing with healthcare data may violate HIPAA regulations if the breach is not reported.
How Widespread are Infections?
Cryptowall has been one of the largest and most aggressive ransomware campaigns. At its peak, the FBI estimated over $18 million in ransoms had been paid to Cryptowall attackers. Recent versions such as Cryptowall v6 continue to pose a significant threat.
Between 2015 and 2017, researchers observed over 635,000 unique IP addresses compromised by Cryptowall. That suggests the number of actual infections is much higher since many IP addresses represent large networks with hundreds or thousands of infected endpoints.
Cryptowall has compromised victims across numerous industries including healthcare, finance, education and government agencies. But any organization or individual is at risk if they fail to maintain adequate security precautions.
Cryptowall Delivery Techniques
Cryptowall employs a number of different strategies to infect new victims:
- Email Spam – Mass emails with boobytrapped attachments are sent out in an attempt to trick users.
- Exploit Kits – Drive-by downloads via compromised sites that check for browser vulnerabilities.
- Remote Desktop – Brute force attacks on RDP connections with weak passwords.
- Software Bundles – Bundling with legitimate downloads like media players and cleaners.
- Social Engineering – Malicious email links pretending to come from trusted sources.
In addition, compromised PCs are used to help spread the infection further across networks via shared directories and drive mappings.
Cryptowall Code and Operation
Cryptowall is sophisticated malware with many capabilities that make it dangerous:
- Polymorphic code that mutates to avoid detection.
- Uses TOR and anonymity services to hide C2 traffic.
- VirustTotal checks to avoid sandboxes and analysis.
- RSA public key hardcoded in executable.
- Targets over 400 different file extensions for encryption.
- Appends unique IDs to encrypted files.
- Deletes shadows copies and disables recovery tools.
- Anti-debugging and code injection techniques.
Together this allows Cryptowall to be a stealthy and destructive threat. Even if the initial infection is cleaned, encrypted files remain inaccessible.
Cryptowall Version History
Since first appearing in early 2014, Cryptowall has gone through numerous revisions and new versions:
| Version | Date Observed | Notable Features |
|---|---|---|
| 1.0 | Jan 2014 | Initial version |
| 2.0 | Mar 2014 | Code changes to evade detection |
| 3.0 | May 2014 | Improved encryption speed |
| 4.0 | July 2014 | Added payment site and TOR communications |
| 5.1 | Sep 2014 | Fixed AV detection issues |
| 6.0 | July 2022 | Resurgence after 2 years dormancy |
Each version included under-the-hood changes to avoid security defenses and enable new capabilities. Cryptowall v6 in July 2022 marked a resurgence of the malware after a 2 year dormancy period.
Steps to Remove an Active Cryptowall Infection
If you have an active Cryptowall infection, take the following steps to eliminate it from your system:
- Disconnect from any network or shared drive connections immediately.
- Use Task Manager to kill any suspicious processes related to the infection.
- Boot into Safe Mode to disable ransomware auto-starts.
- Install and run updated anti-virus software to remove the ransomware.
- Delete any modified registry keys or values added by the malware.
- Recover files from backup and clean re-image the system when possible.
- Change online account passwords that may have been compromised.
Removing the ransomware is important to prevent further damage, but does not decrypt already encrypted files. You will still need to pursue other decryption options for restoration.
Should I Report Cryptowall to Law Enforcement?
If you are victimized by a Cryptowall attack, you can report it to the FBI or other law enforcement. However, for individual users there often is little they can do to track down the perpetrators. Cryptowall operations are dispersed across the globe and resources are limited.
That said, reporting compromises helps build intelligence on the tools, tactics, and payments which may aid future enforcement efforts. The FBI lists the following contact options for reporting ransomware:
- Local FBI Field Office
- FBI Internet Crime Complaint Center
- Nearest International FBI Office
Businesses working with law enforcement and cybersecurity firms also have better chances of tracing infections back to the original source.
Can I Decrypt Files without the Private Key?
Without access to the RSA private key held by the attackers, there is mathematically no way to brute force decrypt AES encrypted files. Each file is encrypted with a unique AES encryption key.
That said, if the malware is interrupted mid-process, or you can find encrypted AES keys stored on the infected system, it may be possible to reconstruct some files. But in most cases the AES keys themselves are encrypted with the inaccessible RSA private key.
Should I Pay the Cryptowall Ransom?
Paying ransom demands is controversial. The FBI recommends against it as it encourages more criminal activity and there is no guarantee files will be recovered. But they acknowledge each victim needs to evaluate their own unique situation.
Before paying, consider the following:
- The ethical implications of funding cybercrime.
- If you can afford the ransom amount.
- The chances criminals will honor the deal.
- If you have better options to recover data.
Some businesses determine paying a smaller ransom is more cost effective than rebuilding systems and restoring data from scratch. But be aware risks still exist.
Conclusion
Recovering files after a Cryptowall infection is difficult without paying the ransom for the private key. Prevention is critical to avoid attacks before they occur. This includes maintaining up-to-date backups offline so encrypted files can be restored if needed.
For active infections, quickly isolate the system to prevent further spread across your network. Run decryption tools in case they can recover some files based on the version. And report attacks to law enforcement so they can potentially track the perpetrators.
With Cryptowall continuing to evolve and infect new victims, users must remain vigilant and implement best practices to reduce their exposure. Understanding how Cryptowall works and the options to try recovering encrypted files can also help minimize the impact if you are compromised.
