Remove Cryptowall 4.0 Ransomware and Decrypt Cryptowall 4.0 Encrypted Files

This page aims to help users whose files have been encrypted by Cryptowall 4.0 ransomware. Read on to learn how to remove the Cryptowall 4.0 virus and how to get back the original files.

Cryptowall is a ransomware trojan (or cryptoware) that targets Windows operating systems. The latest variant is Cryptowall 4.0, which is similar to its previous versions but has more advanced code, giving it extra evasive features to avoid detection by anti-virus platforms, more advanced vulnerability-exploitation potential and increased shadow volume copy deletion capabilities. It is thought to have been created by the gang who launched version 3.0 and, according to the Cyber Threat Alliance, this variant extorted more than US$325 million in the U.S.A. alone last year. This trojan enters an operating system (currently the most common way is through infected e-mail attachments). Once established, it makes contact with its command and control server, obtains a unique encryption key and proceeds to encrypt files. When this is completed, it will show a Notepad message, ‘HELP_YOUR_FILES’ (or display it as wallpaper), and demand that a ransom be paid in return for the key to decrypt your data. This transaction is to be carried out on TOR (the ‘Dark Web’). The program will then give you a time period to pay or lose your data. If detected, delete Cryptowall 4.0 immediately, or prepare to pay dearly with either your cash or data.

How Cryptowall 4.0 can infect a system

Infection can happen through several different means, all of them avoidable with good security software and diligent operating practice. The most important thing is to prevent Cryptowall 4.0, or anything like it, from entering your system. The main infection method currently reported for this trojan is spam e-mail attachments in the form of a FedEx or DHL communication saying that an undelivered parcel is waiting for you, etc. In Australia, loaded though legitimate-looking e-mails have been received offering Windows 10 updates with a link to click. Another ploy that many users fall foul of is clicking on pop-ups that look legitimate and offer the latest updates for programs like Java, Flash Player or Adobe Reader; clicking on a bogus alert will drop the virus into your system. Again, when downloading freeware, scrutinize the contents carefully because the aforementioned (legitimate) programs have been bundled with the virus. It goes without saying that visiting sites of dubious content is hazardous: hacker sites (or legitimate sites that have been compromised) can use vulnerability-exploiting software to drop a trojan on you during your visit. A less common, though possible, entry point is open RDP (Remote Desktop Protocol). If this facility is not used, then it should be disabled.

What to do if infected with Cryptowall 4.0

Unless you have serious hardware for detection, you may not realize that this is in the system until the encryption is complete, though if it is discovered before it finishes there may be a chance to deal with Cryptowall 4.0 and stop the process, saving some data. Some lesser A/V programs may not detect it, especially if they have not been updated sufficiently. There are some signs to watch for that indicate that you may have this or a similar virus in your system: sluggish performance; an increase in pop-ups; the system freezing for a second or two from time to time; notifications of unsolicited plug-ins being downloaded. If you notice anything like this, disconnecting from the Internet and any shared connections immediately will disrupt the communication (and so the running) of the program. Back up your files to an external drive or USB flash drive. For manual instructions to uninstall Cryptowall 4.0 in Safe Mode, see below. If encryption is not complete, some data may be saved.

After removing the program, it may be possible to manually restore data from any backed-up files (remember to perform regular back-ups for times like these and copy them to external storage). There are recovery programs that can be tried, like R-Studio and Photorec. There is also a chance of recovering data from shadow volume copy files with programs like Shadow Explorer: the ransomware is designed to delete shadow files, though it often fails to do this.

How to Decrypt Cryptowall 4.0 Encrypted Files

Method 1: Restore your files encrypted by Cryptowall 4.0 using ShadowExplorer

Usually, Cryptowall 4.0 deletes all shadow copies stored on your computer. Luckily, the ransomware is not always able to delete them, so your first attempt should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select the C: drive on the left panel
  4. Choose a date at least a month ago from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file
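
A check worth running before opening ShadowExplorer, given here as an added PowerShell example that is not part of the original guide: it takes the creation time of the earliest HELP_YOUR_FILES note as an estimate of when encryption began, then lists the shadow copies that survive and marks the ones taken before that time. The scan root `C:\Users` and the file-name pattern are assumptions, and the script needs an elevated prompt.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell window.
$Root        = 'C:\Users'            # assumption: where the user data lives
$NotePattern = '*HELP_YOUR_FILES*'   # ransom-note name given in the article

# 1. Find the ransom notes. The folders holding them are the ones that were encrypted,
#    and the oldest note approximates the time encryption started.
$scan = @{ Path = $Root; Filter = $NotePattern; File = $true; Recurse = $true
           Force = $true; ErrorAction = 'SilentlyContinue' }
$notes = @(Get-ChildItem @scan)
if ($notes.Count -gt 0) {
    $encryptionStart = ($notes | Sort-Object CreationTime | Select-Object -First 1).CreationTime
    Write-Host "Ransom notes: $($notes.Count), earliest created $encryptionStart"
    $notes | Group-Object DirectoryName | Sort-Object Name |
        Select-Object @{n='Notes';e={$_.Count}}, @{n='Folder';e={$_.Name}} |
        Format-Table -AutoSize
} else {
    $encryptionStart = Get-Date      # no notes found: every snapshot is a candidate
    Write-Host "No file matching $NotePattern under $Root"
}

# 2. Map volume GUID paths to drive letters so each snapshot can be shown per drive.
$driveOf = @{}
Get-CimInstance -ClassName Win32_Volume |
    ForEach-Object { $driveOf[$_.DeviceID] = $_.DriveLetter }

# 3. List surviving shadow copies, oldest first, and mark those taken before encryption.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Host 'No shadow copies survive; ShadowExplorer will have nothing to export.'
} else {
    $shadows | Select-Object @{n='Drive';e={$driveOf[$_.VolumeName]}},
                             @{n='Created';e={$_.InstallDate}},
                             @{n='BeforeEncryption';e={$_.InstallDate -lt $encryptionStart}},
                             ID | Format-Table -AutoSize
}
```

Snapshots marked `BeforeEncryption = True` are the dates to pick in ShadowExplorer's date field; the folder list from step 1 shows where to navigate.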

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point, at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files encrypted by Cryptowall 4.0 ransomware using File Recovery Software

If none of the above methods works, you should try to recover the encrypted files using file recovery software. Since Cryptowall 4.0 first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Prevent Cryptowall 4.0 from installing on your computer

The researchers at BitDefender created a vaccine for Cryptowall 4.0. This means that your computer will be protected from infection with Cryptowall 4.0. Unfortunately, if you are already infected, this tool will not help at all. Download Cryptowall 4.0 protector here.

Along with Cryptowall 4.0 protection, please follow these measures to keep your PC healthy:

  • Install an advanced package for anti-virus/malware protection and detection with regular updates;
  • Browse safely and responsibly and use Advanced/Custom download options;
  • Don’t open dubious files/e-mails/pop-up offers;
  • Secure – or disable – RDP;
  • Secure networks for access only to Authenticated Users;
  • Research Software Restriction Policies. They block executable files from running when located in specific paths (for instructions see the Microsoft website).
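
For the “Secure – or disable – RDP” item, an added PowerShell example (not from the original guide) that reports whether Remote Desktop is enabled, whether Network Level Authentication is required and which inbound firewall rules are open, and applies a change only when one of the two switches at the top is set. It assumes an elevated prompt and an English-language Windows, where the firewall rule group is named “Remote Desktop”.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell window.
$DisableRdp = $false   # assumption: set to $true if nobody needs Remote Desktop on this PC
$RequireNla = $false   # assumption: set to $true to keep RDP but require NLA

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$group  = 'Remote Desktop'   # firewall rule group name on English-language Windows

function Get-RdpState {
    # fDenyTSConnections = 0 means incoming RDP connections are accepted
    $deny  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required
    $nla   = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    $port  = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    [pscustomobject]@{
        RdpEnabled          = ($deny -eq 0)
        NlaRequired         = ($nla -eq 1)
        ListeningPort       = $port
        InboundRulesEnabled = $rules.Count
    }
}

$state = Get-RdpState
$state | Format-List

if ($state.RdpEnabled -and $DisableRdp) {
    # Refuse new RDP connections and close the matching firewall rules
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup $group
    Get-RdpState | Format-List
} elseif ($state.RdpEnabled -and -not $state.NlaRequired) {
    if ($RequireNla) {
        # Keep RDP available but make users authenticate before a session is created
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        Get-RdpState | Format-List
    } else {
        Write-Warning 'RDP is enabled without Network Level Authentication.'
    }
}
```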

Get a heavy duty A/V program that will search and destroy Cryptowall 4.0 before it can build a wall between you and your data!

3 thoughts on “Remove Cryptowall 4.0 Ransomware and Decrypt Cryptowall 4.0 Encrypted Files”

  1. So… I messed up and loaned out my backup drive to my daughter to do some work. Before she could return it, we got Cryptowall 4.0 on our Synology NAS drive. I don’t want to risk not getting the keys if I pay the now $1,400 ransom (that I can’t afford anyway), and I have about 2/3 of the files on another drive. So I’m just going to wait it out for these a–holes to get busted and they give out the keys. PLEASE someone find these bastards and let me know when the keys get published.

  2. I’ve also got a big problem. We couldn’t get back all the data because of two big mistakes. There’s no backup point and we don’t have any shadow copies (registry cleaner use). The only chance is to wait for the decrypt program, if it’s possible. All infected documents are safe on a pen drive and now the PC is working well with a new operating system.

  3. Using an Antivirus program would not be so effective with ransomware. An Anti-Malware with behavioral analysis like MalwareFox would be better for this.
