So i got the pleasure of meeting this wonderful virus today while at work. I would sat this is one that beat me, i was only able to reformat to remove. i can say i tried everything though, every application from www.Bleepingcomputer.com and most AV scans i could find.
So what is CryptoWall?
CryptoWall is a file-encrypting ransomware program that was released around the end of April 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. The media is commonly confusing CryptoWall with the CryptoLocker infection, when it is much more similar to the CryptoDefense ransomware. The most apparent similarity being that CryptoWall's Decryption Service is almost identical to the one for CryptoDefense. In October 2014, the malware developers released a new version of CryptoWall called CryptoWall 2.0.
When you are first infected with CryptoWall it will scan your computer for data files and "encrypt" them using RSA encryption so they are no longer able to be opened. Once the infection has encrypted the files on your computer drives it will open a Notepad window that contains instructions on how to access the CryptoWall Decryption Service where you can pay a ransom to purchase a decryption program. The ransom cost starts at $500 USD and after 7days goes up to $1,000. This ransom must be paid in Bitcoins and sent to a Bitcoin address that changes per infected user.
CryptoWall Ransom Note
CryptoWall is distributed via emails with ZIP attachments that contain executables that are disguised as PDF files. These PDF files pretend to be invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will instead infect your computer with the CryptoWall infection and install malware files either in the %AppData% or %Temp% folders. Once infected the installer will start to scan your computer's drives for data files that it will encrypt. When the infection is scanning your computer it will scan all drive letters on your computer including removable drives, network shares, or even DropBox mappings. In summary, if there is a drive letter on your computer it will be scanned for data files by CryptoWall.
When CryptoWall detects a supported data file it will encrypt it and then add the full path to the file as a value under the HKEY_CURRENT_USER\Software\
\CRYPTLIST Registry key. It will also create the DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.URL or INSTALL_TOR.URL if infected with CryptoWall 2.0, and DECRYPT_INSTRUCTION.HTML files in each folder that files were encrypted and in the Windows desktop. The DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML file contain information about what happened to your data and the DECRYPT_INSTRUCTION.URL is a browser shortcut to your assigned decryption page on the infection's decryption service, which is discussed later in this guide.
When the infection has finished scanning your computer it will also delete all of the Shadow Volume Copies that are on the affected computer. It does this because you can potentially use shadow volume copies to restore your encrypted files. The command that is run to clear the Shadow Volumes is:
"C:\Windows\SYsWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
Now that your computer's data has been fully encrypted, it will display the DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files that was created on your Desktop. These files contain information about what has happened to your data and instructions on how to pay the ransom. In most cases, once CryptoWall launches this document it will remove the infection files from your computer as they are no longer necessary.
Information about CryptoWall 2.0
In October 2014 the malware developers released CryptoWall 2.0, which resolved some problems in the original version. These changes include developer run Web-to-TOR gateways, unique bitcoin addresses for each victim, and secure deletion of original unencrypted files. These changes are described below:
Unique bitcoin payment addresses - The original CryptoWall utilized the same bitcoin payment address for many of its victims. This allowed people to steal the payment transactions from other victim's payments and use them towards their own ransom payment. By utilizing unique payment addresses for each victim it is no longer possible to steal other people's ransom payments.
Developer run Web-to-TOR gateways - In the past, the CryptoWall developers were utilizing other organization's Web-to-TOR gateways so that victims could access their payment servers that are located on TOR. When these organizations discovered that CryptoWall was utilizing them, they blacklisted the CryptoWall payment servers so that could not be reached. To resolve this, the CryptoWall developers appear to have created their own gateways to TOR. These gateways are currently operating under the following domains: tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com.
Secure deletion of original data files - When the CryptoWall originally encrypted a file it would simply delete the original version. This made it sometimes possible to use data recovery tools to restore the original unencrypted files. CryptoWall 2.0 now utilizes a secure deletion method that makes it no longer possible to recover your files via data recovery tools.
Sample of the txt file:
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1.https://paytordmbdekmizq.torsona.com/1hoxegs
2.https://paytordmbdekmizq.poltornik.com/1hoxegs
3.https://paytordmbdekmizq.dogotor.com/1hoxegs
4.https://paytordmbdekmizq.torforlove.com/1hoxegs
If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: paytordmbdekmizq.onion/1hoxegs
4.Follow the instructions on the site.
IMPORTANT INFORMATION:
Your personal page: https://paytordmbdekmizq.torsona.com/1hoxegs
Your personal page (using TOR): paytordmbdekmizq.onion/1hoxegs
Your personal identification number (if you open the site (or TOR 's) directly): 1hoxegs
