Cryptowall is ransomware that is distributed mostly through spam emails, although malicious ads, infected websites and other malware are also used to spread it. A typical email carries a malicious attachment containing the ransomware, together with a message that tries to socially engineer the user into opening the file. The email subject usually uses pretexts such as invoices, undelivered packages or fax reports. Once the user opens the attachment, the ransomware runs and encrypts the user's files. Cryptowall is also notable for being delivered through the Rig and Nuclear exploit kits.
In this article, we discuss how to remove Cryptowall ransomware from your computer and recover your files from their encrypted form.
The steps in this article apply only to Windows XP, Windows 7 and Windows 8.
Step 1: Start your computer in Safe Mode
Windows 7 and Windows XP users need to start their computers in Safe Mode. The procedure for both operating systems is:
- Your PC should be shut down. If it is not, click Start on the Windows desktop and click Shut down.
- Once your computer has shut down, press the Power button to start it again.
- Repeatedly press the F8 key while your system is starting.
- The Windows Advanced Options menu will open.
- Select Safe Mode with Networking from the list.
Windows 8 users also need to begin in Safe Mode. The steps to start a Windows 8 system in Safe Mode are:
- Go to the Start screen and type Advanced.
- Select Settings and click Advanced Startup Options.
- Click the Restart now button.
- Your PC will now restart with advanced options.
- Click the Troubleshoot button and then click Advanced Options.
- Click Startup Settings on the Advanced options screen.
- Click Restart. Your system will now restart at the Startup Settings screen.
- Press F5 to boot into Safe Mode with Networking.
Step 2: Remove Cryptowall malware files
Now log in to the account that is infected by Cryptowall. Download antivirus software and perform a complete system scan. Remove every entry the antivirus flags.
If you are unable to start your system in Safe Mode with Networking, try a System Restore instead; some variants of this ransomware disable every way of starting the system in Safe Mode.
Steps for performing a System Restore:
- Restart your computer.
- During startup, repeatedly press the F8 key on your keyboard. The Windows Advanced Options menu will appear.
- Select Safe Mode with Command Prompt and press Enter.
- A command prompt will load. In the command prompt window, enter cd restore and press Enter.
- Next, enter rstrui.exe and press Enter.
- A new window will open. Click Next.
- Select one of the restore points and click Next.
- A new window will open. Click Yes.
- Download antivirus software and scan your computer. Remove all the flagged files.
Step 3: Decrypting Files
Once all the malware files have been removed from the computer, you can proceed to recover your files. Try the Windows Previous Versions feature. This feature works only if System Restore was enabled on the infected system, and some Cryptowall variants disable it, so it may not work.
To restore a file using Windows Previous Versions:
- Right-click the file and select Properties.
- Select the Previous Versions tab.
- Select a restore point and click Restore. If the file has no previous versions, none will be listed.
You can also use the Shadow Explorer tool to recover files encrypted by CryptoWall.
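Both Previous Versions and Shadow Explorer read from Volume Shadow Copy snapshots, and System Restore reads from restore points, so it is worth checking that any survive before spending time on those tools. The following script is an added example, not part of the original article; it assumes an elevated Windows PowerShell prompt (version 2.0 or later) on Windows 7 or 8, since Windows XP does not include PowerShell.

```powershell
# Added example: report whether the snapshots that "Previous Versions" and
# Shadow Explorer depend on still exist. Run from an elevated Windows
# PowerShell prompt. Some ransomware variants remove these snapshots, in
# which case the recovery tools described above have nothing to restore.

function Get-ShadowCopySummary {
    # Win32_ShadowCopy is the WMI class behind "vssadmin list shadows".
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $volumes = Get-WmiObject -Class Win32_Volume -ErrorAction SilentlyContinue |
               Where-Object { $_.DriveLetter }

    foreach ($vol in $volumes) {
        # Shadow copies reference the volume by its \\?\Volume{GUID}\ path,
        # which is what Win32_Volume exposes as DeviceID.
        $forVolume = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
        $oldest = $null
        if ($forVolume.Count -gt 0) {
            $oldest = $forVolume |
                ForEach-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } |
                Sort-Object | Select-Object -First 1
        }
        New-Object PSObject -Property @{
            Drive          = $vol.DriveLetter
            ShadowCopies   = $forVolume.Count
            OldestSnapshot = $oldest
        } | Select-Object Drive, ShadowCopies, OldestSnapshot
    }
}

function Get-RestorePointSummary {
    # System Restore points are what rstrui.exe offers in Step 2.
    try {
        Get-ComputerRestorePoint -ErrorAction Stop |
            Select-Object SequenceNumber, Description,
                @{ Name = 'Created'
                   Expression = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
    } catch {
        Write-Warning "System Restore is disabled or not accessible: $_"
    }
}

Get-ShadowCopySummary  | Format-Table -AutoSize
Get-RestorePointSummary | Format-Table -AutoSize
```

A drive showing zero shadow copies and no restore points means Previous Versions and Shadow Explorer cannot recover files on that volume, and you will need an offline backup instead.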