Share via

How can I remove encryption from Cryptowall 3.0 from my PC and all of my PC's files?

Anonymous
2015-03-21T11:43:45+00:00

So my PC has been infected with ransomware RSA-2048.  It has encrypted every single file on my PC, effectively preventing me from opening any document, photo, or file I've stored on any type of drive including Cloud drives live OneDrive (Microsoft SkyDrive) and iCloud.  I have downloaded Windows Defender and begun that process and I have also tried restoring my computer to a previous restore point in time and that did not work either.  Every single file folder contains four files from the ransomware, an HTML file, a TXT file, a PNG file and an Internet shortcut file that contains a message from the perpetrators.  Below I've copied and pasted what is in the TXT file which includes directions about how to pay the ransom, which I'm not doing.  The filenames are all alike and are HELP_DECRYPT.TXT.  I have already tried Crilock.  Please help me get my computer back!

THIS IS THE MESSAGE I RECEIVED:

What happened to your files ?

All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.

More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA\_(cryptosystem)

What does this mean ?

This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,

it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?

Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

All your files were encrypted with the public key, which has been transferred to your computer via the Internet.

Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?

Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.

If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1.http://paytoc4gtpn5czl2.torconnectpaycom

2.http://paytoc4gtpn5czl2.torwalletpaycom

3.http://paytoc4gtpn5czl2.walterwhitepaycom

4.http://paytoc4gtpn5czl2.rossulbrichtpaycom/

If for some reasons the addresses are not available, follow these steps:

1.Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 

2.After a successful installation, run the browser and wait for initialization.

3.Type in the address bar: paytoc4gtpn5czl2.onion/

4.Follow the instructions on the site.

IMPORTANT INFORMATION:

Your personal page: http://paytoc4gtpn5czl2.torconnectpaycom

Your personal page (using TOR): paytoc4gtpn5czl2.onion

Your personal identification number (if you open the site (or TOR 's) directly):

[Original title: How can I remove encryption from ransomware RSA-2048 from my PC and all of my PC's files?]

<Removed PII>

Windows for home | Previous Windows versions | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

Answer accepted by question author

  1. Anonymous
    2015-06-02T11:36:16+00:00

    See: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

    Copy/Paste of part of above link:

    CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ

    By Lawrence Abrams on July 10, 2014 @ 02:11 PM

    Table of Contents

    1. What is CryptoWall?
    2. Information about CryptoWall 2.0
    3. Information about CryptoWall 3.0
    4. What should you do when you discover your computer is infected with CryptoWall?
    5. Is it possible to decrypt files encrypted by CryptoWall?
    6. How to find files that have been encrypted by CryptoWall
    7. CryptoWall and Network Shares
    8. How to restore files encrypted by CryptoWall
    9. How to restore files encrypted by CryptoWall using Shadow Volume Copies
    10. How to restore files that have been encrypted on DropBox folders
    11. The CryptoWall Decryption Service
    12. Will paying the ransom actually decrypt your files?
    13. How to prevent your computer from becoming infected by CryptoWall
    14. How to allow specific applications to run when using Software Restriction Policies

    30+ people found this answer helpful.
    0 comments

16 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2015-06-02T07:29:36+00:00

    Hello, have you found the solution?

    10+ people found this answer helpful.
    0 comments
  2. quietman7 MVP Alumni 19,735 Reputation points Volunteer Moderator
    2015-06-02T22:49:01+00:00

    What type of crypto ransomware are you dealing with?

    Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

    Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

    These are some examples.

    HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG

    HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt

    HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt

    DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL

    These are common locations malicious executables may be found:

    %Temp%

    %AppData%

    %LocalAppData%

    %ProgramData%

    %WinDir%

    C:&lt;random>&lt;random>.exe

    0 comments
  3. Anonymous
    2015-06-02T21:23:04+00:00

    Hello, have you found the solution?

    Are you seeing the exact same ransom note as the one quoted above by the OP (misslake) of this thread?

    This thread is about a CryptoWall 3.0 infection which is fully described in the BC's CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ as quoted above by Jsssssssss.

    BC active support topics for CryptoWall are located here and here.

    If you have properly identified your crypto-ransomware infection is by same, we regret to advise that there have been no changes, at this time, regarding the possibility (by law enforcement authorities) to retrieve victims private keys from the malware's C&C, that would enable experts to develop and release a free tool to decrypt your original files.

    If you have unsuccessfully tried the methods outlined in the guide to restore your files, or couldn't restore them all, I would suggest you back them up on an external storage media (like an external HDD) and leave it be. Maybe a free solution is found (maybe not) in the near future... who knows!

    A free tool created by BC called 'ListCwall', shall prove to be of assistance for you to automate the finding and exporting the list of encrypted files from an infected computer. This tool will also allow you to backup the encrypted files to another location in the event that you want to archive the encrypted files and reformat the machine.

    Good Luck!

    0 comments
  4. Anonymous
    2015-03-21T14:14:00+00:00
    0 comments