
Friday, October 17, 2014

How to Remove CryptoWall 2.0 Virus and Restore Encrypted Files

Update: 1/14/15 - CryptoWall 3.0 released.

CryptoWall 2.0 is an encryption virus (ransomware) that encrypts your files and then demands a $500 USD, 500 EUR or 0.5 Bitcoin ransom in exchange for a decrypter. It's very similar to the Cryptorbit virus, but this one is a lot more sophisticated than previous variants. It now uses a unique Bitcoin payment address for each victim instead of hard-coded links that were basically the same for most victims. The scammers now also use their own TOR gateways to stay hidden from the authorities, but probably the worst thing is that the new CryptoWall 2.0 ransomware makes it almost impossible to recover your files unless you regularly create backups. There is, however, one trick that might work for some of you. To remove this virus from your computer and restore at least some of the encrypted files, please follow the removal guide below.


How does the CryptoWall 2.0 virus work? Well, once installed, it starts to encrypt your files in the background and sadly most people do not realize this ransomware virus is on their computer until it displays the ransom note and your files have already been encrypted. The ransom note is a simple HTML file with instructions on how to pay the ransom and get your encryption key. It's not a joke, it's a very serious problem. Here's how the DECRYPT_INSTRUCTION.HTML reads:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

And finally, there are instructions on how to pay the ransom and recover your files. Usually, there are a few links to TOR websites, for example tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com. As I said, they are all unique for each victim ending with personal identification numbers.

CryptoWall 2.0 uses the RSA-2048 encryption algorithm to encrypt your files. Once your files are encrypted, it deletes the original files, and if you don't have backups there's really not much you can do to get them back.

Many of us spend a significantly high proportion of our time on a computer and on the Internet. And that leaves us open to attack by any number of viruses and different types of malware. And one of the most unpleasant of all of these is something called ransomware. This nasty Internet menace can cause untold harm to both your personal, and your PC's, security.

Despite what many people think, and despite its malicious characteristics, CryptoWall 2.0 is not actually a virus. But whatever you decide to call it, one thing is certain and that is that you really don't want it installed on your computer! They say that to be forewarned is to be forearmed, so let's take a closer look at what ransomware is, what effect it can have, and how to avoid it.

Its main 'modus operandi' is to attack and destroy your files and documents from within your operating system and encrypt personal files that are valuable to you. Such viruses are sneaky and stealthy and will install themselves on your computer by pretending to be something that they're really not - i.e. something harmless and useful. They are also distributed via infected websites and fake emails. How ironic is that?

Unlike a regular computer virus, CryptoWall 2.0 doesn't replicate itself and infect other PCs and users. What it will do however is encrypt your files and install more malware on your computer. Which in turn creates further problems and leaves your online security wide open and defenseless.

Therefore, protecting yourself from this infection is paramount but luckily there are a number of steps you can take to boost your line of defense. First of all, make sure that your PC has a firewall installed and turned on. Also, check that your anti-virus software is a reputable make and is running on the latest version and has up-to-date patches installed. You also need to run it regularly, manually, not just sit back and let it tick away in the background. Finally, don't download programs from untrustworthy sources or third party websites. Stay safe – stay ransomware free.

So what should you do if your files have been encrypted? Easy to say, but try not to panic, and most definitely do not pay any money unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer and the specialized tools listed below. Please note that even if you decide to pay the ransom, there's really no guarantee that the scammers will recover your files.

If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur, http://deletemalware.blogspot.com


Step 1: Removing CryptoWall 2.0 and related malware:


Before restoring your files from shadow copies, make sure CryptoWall 2.0 is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove detected malware.





2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by CryptoWall 2.0 virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Before using Shadow Explorer, you can try to decrypt some of your files using RakhniDecryptor.exe and RectorDecryptor.exe from Kaspersky. These tools might help you, but please note that they were not designed to decrypt the data encrypted by this ransomware virus. However, you can still try them.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.
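To decide which Shadow Copy date to pick in Method 3, it helps to know which folders were hit and when. The following is an added example, not part of the original post or of Shadow Explorer: it finds every DECRYPT_INSTRUCTION.HTML under a folder and picks the newest snapshot that is safely older than the earliest note. The function names, the 24-hour safety margin, the hand-entered snapshot dates and the assumption that a copy of the note sits in each affected folder are all this example's own.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Ransom-note file name quoted in the article; matched case-insensitively.
NOTE_NAME = "decrypt_instruction.html"


def find_ransom_notes(root):
    """Return [(path, modified_time)] for every ransom note under root, oldest first."""
    notes = []
    # onerror swallows unreadable folders so one locked directory does not stop the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower() != NOTE_NAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                modified = datetime.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue  # file vanished or cannot be read
            notes.append((path, modified))
    return sorted(notes, key=lambda item: item[1])


def affected_folders(notes):
    """Folders containing a note (assumption: one note per affected folder)."""
    return sorted({os.path.dirname(path) for path, _ in notes})


def pick_snapshot(snapshot_times, notes, margin=timedelta(hours=24)):
    """Newest snapshot older than (earliest note - margin), or None.

    The malware works in the background before the note is seen, so a
    snapshot taken shortly before the first note may already hold
    encrypted files. The 24-hour margin is an assumption, not a measured value.
    """
    if not notes:
        return None
    cutoff = notes[0][1] - margin
    older = [taken for taken in snapshot_times if taken < cutoff]
    return max(older) if older else None


def demo():
    """Run the scan on a constructed folder tree with constructed timestamps."""
    with tempfile.TemporaryDirectory() as root:
        stamps = {
            "Documents": datetime(2014, 10, 15, 9, 30),
            "Pictures": datetime(2014, 10, 15, 11, 5),
        }
        for folder, when in stamps.items():
            os.makedirs(os.path.join(root, folder))
            note = os.path.join(root, folder, "DECRYPT_INSTRUCTION.HTML")
            with open(note, "w") as handle:
                handle.write("constructed placeholder, not a real ransom note")
            os.utime(note, (when.timestamp(), when.timestamp()))
        os.makedirs(os.path.join(root, "Music"))  # untouched folder, no note

        notes = find_ransom_notes(root)
        # Dates as they would be read from the Shadow Explorer drop-down (constructed).
        snapshots = [
            datetime(2014, 10, 1, 3, 0),
            datetime(2014, 10, 12, 3, 0),
            datetime(2014, 10, 15, 3, 0),  # before the first note, but inside the margin
        ]
        folders = [os.path.relpath(f, root) for f in affected_folders(notes)]
        return folders, notes[0][1], pick_snapshot(snapshots, notes)


if __name__ == "__main__":
    folders, first_note, chosen = demo()
    print("Affected folders:", folders)
    print("Earliest ransom note:", first_note)
    print("Restore from snapshot:", chosen)
```

If no snapshot passes the cutoff, the function returns None and a backup (Method 1) is the only clean source.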

69 comments:

Anonymous said...

Your recommendation for the best defensive anti-virus is ?????
Thanks.

Admin said...

My personal favorites are ESET NOD32, F-Secure and Kaspersky. These programs provide great protection against most malware including Cryptowall. Try each one of them and decide which one you like the most.

Anonymous said...

Be aware this also encrypts mapped network drives (H/home directories, server shares, etc).

Anonymous said...

What are the chances of getting my files back if I pay? If after I try everything else, and I cannot open my files, will I still have the option to try and pay these people off?

Admin said...

Some people said that they got their files back after paying the ransom. However, I cannot confirm or deny anything because those posts and comments can be fake. I personally would pay the ransom only if I had really really important files to recover.

Anonymous said...

To Anonymous: I recently got 'Cryptowalled'. By the time I Googled everything about the virus and asked computer savvy friends for advice, a week had come and gone and the ransom had gone up from $500 to $1,000. I ultimately had to open a Bitcoin account to pay them. The whole thing was a big pain and I lost a bit of sleep over it. The violation of your private files and the illegality of it all is just overwhelming. To answer your question ... YES, I did receive a de-cryptor key from them and am restoring my files as we speak. As the Admin of this article has stated, only pay if the files are VERY important. Good luck.

Anonymous said...

Backup your files people

Anonymous said...

I understand that personal files are important but under no circumstance would I ever pay a ransom!!! What's to say that this is not going to happen to you again in a few days, then what? Pay again? I have a customer's laptop right now with the same problem for days and they understand that they will not get it back until a resolution has been found.

Anonymous said...

I, too, was "cryptowalled." It may have happened Friday night but I did not notice until yesterday afternoon. I am being advised NOT to pay the ransom but to backup my files in their current encrypted form in the hopes that someone will crack the code and I can get them back once that happens. I'd be curious to hear your thoughts on that.

Admin said...

You didn't notice it because the virus was working in the background, encrypting your files without any notification. That's just how it works, ensuring that every file is encrypted before asking to pay the ransom.

If you don't need those files right now or if they are not very important then you shouldn't pay the ransom. But other people can't really wait, besides, if you don't pay the ransom within a week or so, scammers will double the price (usually $1000 instead of $500).

Anonymous said...

The information within the documents is extremely sensitive, do these so called hackers store that data and information somewhere?

Anonymous said...

I too was hit with this Friday night...or at least that is when the files were done encrypting. Helluva Monday I walked into today! We're in the age of NEED a backup, not encouraged to have one. Make sure your retention on the backups is decent too, who knows how long it takes for the files to encrypt. Friggin' Russians!!!

Anonymous said...

I paid $2000 and my files are not restored. I am out $2k and my files are junk.

don't pay!

Anonymous said...

New versions of CryptoWall are disabling restore points and deleting shadow copies. We are a tech shop and have seen a huge influx of CryptoWall breached systems within the last week.

Anonymous said...

I tried to follow the guidelines but my computer will not allow the Malware removal download. It says the security system will not allow this download. Any other suggestions?

Anonymous said...

I received my ransom note on Halloween. After spending time reading blogs and tech articles, I made the decision to pay the ransom. Received the decrypt key this morning and it is working. The hardest part was figuring out how to buy bitcoins. I have changed my security and backup procedures so that if it ever happens in the future I will not lose valuable data. Fool me once, shame on you. Fool me twice, shame on me.

Anonymous said...

Our computer was hit this week as well. We don't have anything backed up. My son was able to remove the "virus" but we are devastated that everything is gone - pictures, home videos and important work files. We are trying to decide whether to pay the ransom. I don't want to let these scumbags win but I guess we should have been more smart and backed things up. Definitely will from now on.

ATechie said...

I work for an IT shop that services many of the businesses in the area and I alone have seen 3 machines with cryptowall this week, one of which had the (2.0) version. I was unable to recover files from any of them using the recommended methods above. It's becoming a major issue.

Anonymous said...

I saw this hit someone last night. Shadow copies are gone, so it is version 2.0. Word of wisdom - backup! then keep the drive disconnected because this virus infects connected drives too. what scumbags!

Anonymous said...

We have been hit by the cryptowall 2.0 this week as well and we have decided not to pay the ransom. It is unfortunate that our files, photos, and documents have been hijacked however by paying the ransom you are supporting these thieves and supplying them with further resources to continue doing this to other individuals. I encourage all others affected by this malicious virus to not pay the ransom even if the files encrypted were valuable.

Anonymous said...

I think the program is also somehow changing the security settings on your computer to not allow a security download after you've been infected. I was getting the same message. I did a system restore to several days in the past (the probable day of infection) and it changed the security settings back to allow me to download the anti-malware. Try that.

Anonymous said...

I am having issues getting quickbooks files back with shadow explorer. Any ideas? I also cannot seem to download the items in step one so I will have to do this from a 2nd computer unless there is another way.. Thanks!!

Anonymous said...

If you have to pay a ransom, why aren't these people identified when they collect the pay-off? Shouldn't be that hard to follow the money trail.

Anonymous said...

I got hit with cryptowall 2.0. It changed security settings, deleted restore points and even encrypted docs on my cloud. I think it started when I kept getting a message that my security settings won't allow download then I kept setting back to default in internet tools... whatever. BUT I PAID And Never got any decrypt.

Paid the ransom..... NO KEY WAS PROVIDED>>>>
DO NOT THROW YOUR MONEY AWAY!!!!
These people add insult to injury now that they got your money.
Wish I hadn't paid but I can afford it.

Anonymous said...

Stop rewarding these people. By paying the ransom, you're providing them with a reason to keep developing ever more sophisticated versions of this malware, making life harder for everyone else on the internet.

Anonymous said...

Bloggers- had 2 computers infected with this nasty malware 1 week apart. Here is what I learned after an autopsy:
Shadow Explorer helped me recover 100% of my data on 1 computer and 0% on the other.
I noticed both infections taking place when the computers were grinding to a halt and I opened task manager and saw 20 applications of Google Drive. Avoid Google Chrome at all costs - it seems to be the encryption conduit.
If you recover from Shadow Explorer, make sure the date you choose isn't during the infection or you could export the malware again.
After you re-build, wipe your computer clean. Security Scanner found and quarantined the malware but never really removed it based on a shadow explorer session showing it again.
McAfee did nothing to prevent this.
Don't think for a minute if this happens to you that it won't happen again. I did a thorough analysis on web traffic and tracked it to my kid going on their school website to download homework. Still doing detective work on the exact website/file/email but getting close.

Anonymous said...

Same as all of you guys... got hit by CW2.0 and now none of my files are usable. Couple of silly questions (sorry, I'm not a tech savvy guy)

-Do they copy the encrypted files?

-Do I need to replace my IP address? They identified it already.

-Should I trash my old desktop?

Anonymous said...

I got hit by Cryptowall 2.0 two days ago. They've asked me 1.5 bitcoins (~$450) and although the affected files are not critical, they are my files…!!! I am not going to pay one single dime to these criminals, they can shove my whole office up to their ^%$#... I encourage you don’t pay criminals like these, that only helps them to keep growing.
Now if anyone knows how to recover encrypted files, I will be glad to pay for their help but I will never pay a fu..ing ransom..!!
Also any ideas on how to help authorities to help track these bastards will be helpful. LET'S UNITE AND FIGHT AGAINST CYBERCRIME!!!

jthelw said...

I have it, too and I think it wiped the data off a SD card on my computer - no ransom message, just gone! To make matters worse, the infection reappears each time I turn the computer on again, even though it has been cleaned with Malwarebytes and/or Microsoft Security Scanner. I won't pay ransom but I would be willing to pay a reputable person to recover my files. I would be interested to know how people think they got infected. For me, I opened an email allegedly from UPS Quantum view telling me about a delivery attempt (I was legitimately awaiting a package). Now I'm completely paranoid about opening anything.

Anonymous said...

Was able to recover many files following these directions. Mid file recovery using the shadow explorer my previous backup points all disappeared. Not sure what I can do now and not sure it's actually off my computer. I'm thinking it's time to start unplugging my internet cables when I'm not online.

Anonymous said...

Where did you buy the Bitcoin from? I am having the same issue trying to find a reputable Bitcoin source

Anonymous said...

This really sucks. I got a "Rango" virus first, restored and kept working as this decrypt_instruction infiltrated. So depressed. All my photos from 5 years, work from two jobs from five years. My flash drive was in computer so I am screwed. I am studying for a board test that cost me $600 and I am out $160 on computer. I do not want to pay $500 or $1000 with no guarantee:(( Need to get out of bed, so depressed:((

joe khouri said...

Hard lesson learned, I will always back up my files going forward...I lost everything, photos of my 2 year old since he was born, videos, everything. I'm so upset I could strangle someone, I've spent the last week or so attempting to repair this and have called every computer repair shop in Cleveland and nothing. I refuse to pay the ransom, mostly because I don't trust they will make good on giving me the key...hoping this gets Microsoft's attention and they invest some money into figuring out how to restore the files. A local IT/computer repair store told me that up to 60,000 people in the Cleveland, Ohio area have been affected by CryptoWall...this is criminal, and very serious. Really it ruined my life.

Anonymous said...

RakhniDecryptor.exe perfect!!!! Thank you!! Congratulations for web page!

Anonymous said...

Does anyone know if Crypto 2.0 has attached to any Mac computers? I have a good friend who received the $500 ransom virus. Interestingly, she DID have an external drive backup and she DID backup regularly. She was on a PC, Windows 7. The virus actually got into the EXTERNAL DRIVE as well. So even her backup files were shot. I had no idea anything could get into the external drives. That freaked me out. So the back up thing is still not the best solution.

Anonymous said...

Got CryptoWalled and ended up having to pay the ransom. Looks like my security settings were changed somehow and I can't download the decrypt key. Message comes up saying Malicious Link was blocked. Doesn't matter what browser I use or when I disable firewall/anti-virus.

Anonymous said...

Really annoyed to get Cryptowalled today. I was expecting a mail parcel delivery and had received an email notification this morning of today's pending delivery. I then received another email a very short time later that looked to be associated with the parcel delivery - unfortunately this was bogus, but the timing of this was uncanny. Should have been paying more attention, as I can normally spot these things.
My backup drive was plugged in at the time, so both PC files and backup drive encrypted. Luckily I have an old backup drive with most of my life's photos and business files etc and I was able to rescue some files that I'd attached to emails in the recent past (these somehow weren't affected so it may be worth people's time to try this). Some files I won't get back, but I will not pay the ransom to these criminals ($598AUD). Lesson learned is to have at least 2 or 3 backup options (which I have now put in place) and keep one of these offline/off network. Scumbags.

Anonymous said...

We have paid the ransom on one client and we were able to get all files.

Anonymous said...

I too was hit with the Cryptowall 2.0 on 11/7 downloading an update to Java! There was a check box I didn't see to uncheck and it came with it. I have read on a couple other sites trying to figure out what had happened. The only thing I did different was update Java and looked at Google Chrome for a browser. Although I didn't download Chrome, a couple of hours later I started seeing the Chrome button flashing on my screen. It wasn't in my Programs. This is when I saw flashing of my screen which I knew to shut down everything. I had a packed out PC with 4G maxed out-----ALL GONE! Over 100K in pictures! No previous version option is available..... Will Shadow work?

Admin said...

Just give it a try. Shadow Explorer might not help in every single case but you won't lose anything by running it.

Anonymous said...

Lesson learned, I didn't back up. But they are important to me. I can't figure out how to get bitcoins

Anonymous said...

Hi, I am not a technical person in the slightest so please consider this when you reply.
I ran a virus check on my laptop today and it had 7 trojan viruses. I removed them and now when I try to open any documents saved on my it comes up with a Decrypt instructions... (I have no idea what that means)
The instructions tell me to download and install Tor-browsers and enter a private key... is this also a virus??
It's my husband's laptop with his university documentations on so really want to get it all back but also do not want to try and download and install software if it will cause any harm... Any advice is appreciated! Thanks

Admin said...

First of all, download and run Shadow Explorer (download link above, step #2). It's a safe program, so no worries. It may find copies of encrypted documents on your husband's laptop and restore them. If Shadow Explorer didn't help then ask your husband, maybe he stores copies of those files somewhere else. You see, the problem is that even though the virus is gone, you removed it successfully from the system, the documents remain encrypted and you won't be able to open them unless you pay the ransom or have backups.

Robert Brown said...

Way to stop this is to put TOR and others who make you anonymous on the internet out of business... Or make them have ID for the user so if they commit a crime then they can be found. IMHO... If you are trying to hide something then more than likely you are up to no good...

Kevin Dondrea said...

I too say NEVER pay the EXTORTION. It is not a ransom it is nothing more than EXTORTION. I'm in IT and just spent 5 hours of work time trying to fix this problem. I've had good luck with SuperAntiSpyware. I've turned people from Malwarebytes to SuperAntiSpyware. But I've found that a combination of SuperAntiSpyware and Malwarebytes is a great combo. Only download these from sites like FileHippo and MajorGeeks.com. I don't even recommend people downloading them from Malwarebytes website due to the companies that Spoof their site. Also your best bet for AntiVirus is Avast. I have never been infected using Avast. They have tried but failed. It even detects a website trying to execute a malicious code. This is the #1 method of infection in my opinion. Despite what some IT people say, "You do NOT need to click on a virus for it to infect you. These websites do it more than you know. #2 the writer of this article has earned his or her wings. This is an A1 article. Thank you. I'm going to download these tools to see if it helps on the PC I'm working on. Not sure but also in my opinion, I don't know if I trust the people who said they paid. They may be honest but I just don't know.

Paul Johnson said...

Has anyone confirmed exactly what type of encryption algorithm is used with CryptoWall 2.0? I know the extortion note states RSA-2048; however, is it really this? Is there any website that someone can download the CryptoWall 2.0 decrypter program and/or has a private key they purchased from the site? Is there anywhere to find this ransomware so one can infect their own virtual machine (don't try this without parental assistance).

Admin said...

@Paul Johnson: It uses RSA-2048, that's confirmed. There is no website or service that can send you your private key and decrypt program other than the TOR web page shown in the decryption message. Samples can be found on various malware honeypots and forums like kernelmode.

Nicolette said...

I got "Cryptowalled" on Monday. I'm happy my pics were backed up by Google plus but not in full size. Still a minor issue as I almost never print them anyway. However, ALL my freggin files are gone and I downloaded the Shadow Explorer and those files are visible and can export them but they won't open. I get an error message that the files are corrupt. I also get a C:drive error when I try to do a system restore and the point that I tried to restore from disappeared. I never opened the ransom because I already know what this is but is this a more advanced one? Fire Eye was able to get everyone's data from the CryptoLocker jerks so I guess I just have to hold out for a miracle in this case too. I encourage everyone who was a victim to go onto the FBI website and report this. Although they may never contact us one by one maybe a huge amount of victims will help catch them faster. All of my files are going to be backed up on a hard drive, monthly flash drives, one drive, google drive, google pics....etc. I'm backing up my backups. This was a sick lesson but it won't happen again.

BTW...I saw a Decryption_instructions in my dropbox folder. Does that mean Dropbox can be infected too?

Anonymous said...

My computer is also affected. All pictures and music gone. I cleaned with malwarebytes. I suspect chrome to be the gateway for this crypto wall virus. I can not install shadow explorer. I get an error message. My laptop was not set for file history recovery. My photos on dropbox are also encrypted

Anonymous said...

We were backing up our files and had a restore point. We ran the anti virus and it seemed it removed it. Then, the next morning we wake up to our screen saver being gone and replaced with Your files have been encrypted. We went through the process again, but there was not a restore point available, even though we back up regularly. It's as if it erased our back ups and restore points. We don't know what to do.

Anonymous said...

I have removed the Cryptowall 2.0 version from a system that had everything backed up to Dropbox. Since the dropbox folder sits on C: those files got encrypted/synced as well... BUT since Dropbox allows you to roll back to previous versions of the files I was able to revert all encrypted files to right before they were encrypted. I'm not sure about other cloud storage apps, but if some of your affected files are on a cloud provider, you should definitely check if they can be "rolled back".

Anonymous said...

Our company was attacked on Dec 13, 2015. Someone’s PC had it running in the background and couldn’t get attached to the network computer. Since I am good with computers, he asked for my help. I mapped the network drive and that’s when it went after the network computer. Someone said they had a problem getting into a file. I ran some directory checks. I saw a directory that had files that could not be read. I went back to the person that was having trouble and disconnected him from the network. That’s when the message came up. When I disconnected it, it looked like it got pissed. We restored the files from the cloud an hour from when I connected him to the network… problem solved. I would like to know what I could do to help in going after this group of people that are doing this.

Anonymous said...

Hi ,

I had the same crypto virus and tried shadow explorer, will not help.
And also all the PST files were affected.

Here's what you can do: Right click on the infected folder, you get an option restore previous options and click on it, you will get an option or a date apart from the date when the files were infected, select the previous date and click on restore and store the file on an external HDD as the cryptowall is impossible to be removed.

Reinstall OS

This helped for me , cheers

Anonymous said...

My "ransom" message said RSA-2048 using Cryptowall 3.0! Ransom amount now is #1,000. Do you know if the steps mentioned above will also work with version 3.0? Also I think Google Chrome must be some gateway because I rarely used it until last week when IE started acting up and crashing. I did not have this encryption until after I had to use Google Chrome.
Good Luck Everyone in retrieving your files.
Laura

ericb31 said...

I have just been bit by the 3.0 version. I have not attempted your suggested removal methods yet, but I thought I should mention this: I was playing a java game called "eldevin" on the website Kongregate.com, when a message popped up saying "windows registry" wanted access. I said no, but it popped up several more times, then I made the mistake of clicking yes. This slipped past my Avast antivirus.

bert onderweegs said...

Hi, just (yesterday) found out that I was hit by version 3.0. Tried kaspersky and running spy hunter. Crypto files are not recognised as hazard. Laptop is under corporate McAfee. No way to protect or track the intrusion. As most of you: I had two hdd attached, all blocked. Not happy. So nothing else than kick some butts about recovery, protection and backup. Company policy: you are not allowed to do any restore on your laptop.

Anonymous said...

I was hit with crypto yesterday. It not only wiped my pictures downloaded on the computer, but also an SD card that was in my computer was wiped. Never leave your memory devices in your computer, lesson learned. I will not pay a ransom! Most of the pics I lost were saved on another SD card and are safe.

Anonymous said...

Some picture files can be recovered by opening them with photoshop, then re-saving them again. This will change the attributes back to normal. It is a pain because u have to do one at a time, but is the only thing I found that works so far. The jerks that write these viruses need a good s--- kicking.

Anonymous said...

I got hit with the virus about 5 days ago. I'm from the US but am in Australia on a 3 week vacation. It encrypted everything on the computer and the SD card of photos that was in the laptop at the time. I didn't want to lose a week's worth of photos (as well as all kinds of work I had been doing), I paid the money. It was a big hassle trying to buy bitcoins while I was in Australia (luckily my stepdaughter back in the states helped out). I got the decrypter yesterday. It's been slowly decrypting things (takes a Long time). I've got all of my photos back and work documents. None of my programs are working yet as I still have to decrypt whatever they did there (e.g. computer doesn't recognize that I have registered Word, Excel, etc).
I never download suspicious files and such and have no clue how I got this. It was an expensive lesson to (1) not leave an SD card in a laptop overnight and (2) do some type of cloud backup even when you are on vacation.

MartyMcFlly said...

Hello,

I was successfully using ShadowExplorer to export old versions of my files, and then suddenly the explorer went blank and now it looks like there are no shadow-copies to explore. Any thoughts?

Anonymous said...

I got hit today with Cryptowall 3.0, but since they didn't get anything really worth getting, they can keep whatever data they got. I'll keep my money. Besides, I do not negotiate. Ever.

Anonymous said...

Because they are also reading all these workarounds, they are finding ways to foil them. I'm not techno-savvy, but I suspect that's why shadow explorer went blank during exporting.
I got hit with this CW a little over a week ago. Not paying ransom; most of my files are nice to know; not need to know, but am only worried about some prior year tax returns; i.e. SSN (?)
I need a new computer anyway due to the XP issue on an outdated computer model, thereby can't have Windows 7 or 8. So will probably keep the old computer (if my computer store can re-install my WORD,Excel, etc.) and just use it offline/off internet, AND shop for a NEW AntiVirus provider for the new one!

Anonymous said...

The hackers Anonymous should take all the CryptoWall 2 and 3 ransom servers offline after they publish all the encryption keys. That would be an awesome thing for Anonymous to do.

Anonymous said...

Any new updates to decrypt files?

Anonymous said...

I have been hit as well today. Any new fixes??

Admin said...

No, there's still no way to decrypt the files.

rocky said...

any new way to fix the decrypt the files

Admin said...

Not yet, rocky.

sam gipple said...

Got hit yesterday. Only thing I need off the computer is several years of pictures. When I go to My Pictures, they are all encrypted. When I opened Photoshop, all of the pics were there, but I am unable to copy them, the message says "searching for missing file" and nothing comes up. Any suggestions on how I can save the pics that are on Photoshop but are encrypted elsewhere. Thanks Sam