Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Thursday, August 6, 2015

CryptoWall .aaa Extension Ransomware Removal Guide

Tell your friends:
A new variant of CryptoWall 3.0 ransomware not only encrypts your files but also appends .aaa after the original file name and extension, for example or This new variant also drops slight modified ransom notes restore_files_hprjq.html and restore_files_hprjq.txt files in each folder where at least one file has been encrypted.

What is CryptoWall ransomware?

There are a few different ways that CryptoWall 3.0 is spread. It may be attached as a file or link in an email or instant messenger chat. It can infect you via a drive by installation which is when you visit a website that was compromised by ransomware. Or you might have downloaded a program or app which was pre-infected. All of these methods are things that can affect each and every one of us, which is why you need to know what ransomware can do – and then take more care when you're online, whether you're checking email or downloading files.

What does CryptoWall do once it's infected your computer?

It isn't shy and retiring and it won't hide in the shadows, running on your PC without your knowledge while it does its damage. You will know pretty much straight away once you have been infected by it. Ransomware's trick is to kidnap your files so that you can't access them, and then demand that you pay a ransom to be given access to them again. The CryptoWall 3.0 usually encrypts the files and tells you it will send you a code to decrypt them once you have paid up. This particular variant also appends .aaa extension to the encrypted files and displays modified ransom note. Content of the restore_files_hprjq.txt ransom note:

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here:

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

But one of the scariest things about CryptoWall 3.0 ransomware is the way in which it presents its demands for money. First of all you'll be sent an email or shown a pop up window telling you that you've been caught looking at illicit web content or illegally downloading files, which is why you files have been locked. It will tell you that once you've paid a fine to atone for this misbehavior, your files will be unlocked, or you'll be sent the decryption code.

A word of warning: this is a scammer you are dealing with here and there are countless stories about people paying the ransom only to not hear another word and be left with encrypted and inaccessible files.

Protect yourself from ransomware

Do your best to avoid this stressful – and potentially expensive – scenario and install some reputable security software today. Also, backup your files at least once a week. Doing so will certainly safe you time, money and headaches.

How to get my files back?

If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer program or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .aaa. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing CryptoWall 3.0 ransomware and related malware:

Before restoring your files from shadow copies, make sure the CryptoWall is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by CryptoWall 3.0 virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Righ-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.