Remove CryptoWall 3.0 ransomware and mitigate the file damage


While the individuals behind CryptoWall 3.0 virus remain pinned to the “most wanted” cybercriminals list, their infamous product has been up and running for months on end. Anyone who is unfortunate enough to fall victim to this nasty hoax isn’t very likely to know what RSA-2048 even means before the actual compromise gets through. The above term, however, denotes a popular crypto framework using 2048 bit-long keys. It’s this precise algorithm that CryptoWall 3.0 infection employs to make one’s personal files inaccessible. Because the decrypt key is stored in a remote place that’s controlled by the fraudsters, the user is restricted to the options that the intruders suggest: to pay the $500 ransom otherwise all critical data will be destroyed.

File encryption alert by CryptoWall 3.0

The previous version of this ransomware would provide its victims with a time span of five days to submit the money, however CryptoWall 3.0 features an extended deadline of seven days (168 hours), with contamination time being considered the starting point for the ominous countdown. Notwithstanding all the efforts invested by the leading antivirus labs, the attack proper is still hard to prevent due to complex obfuscation techniques that are leveraged to keep the payload from being intercepted. Sometimes the infestation commences with the user opening a seemingly innocuous PDF attachment in a suspicious email. Some of the more recent reports indicate that such powerful tools as exploit kits are also being encountered in the scammers’ distribution arsenal.

CryptoWall 3.0 instantly launches a scan in the background of the target system after the contamination takes place, looking for files with the extensions that can be conventionally tagged as personal. All hard drive volumes and inserted peripherals, such as USB memory sticks, will be automatically checked for sought information. As soon as the scan is completed, the ransomware encrypts the detected files with above-mentioned RSA-2048. It also adds several files named HELP_DECRYPT into every folder that contains encrypted data – those are ransom notes that come in a number of formats, including .PNG, .HTML, .URL, and .TXT.

An array of HELP_DECRYPT files added to a folder

Along with the disruptive file-level changes, the infected operating system undergoes a configuration-related interference as well. The malicious processes that underlie the malware get auto-triggered every time the user logs in to Windows. As a result, the HELP_DECRYPT files will be popping up at system launch and whenever a random folder with files gets opened. The details provided therein explain the essentials of the attack and instruct the victim on file restoration. According to said ransom notes, the user should visit the decryption page by clicking one of the indicated TOR (The Onion Router) gateway links.

Contents of HELP_DECRYPT file

Ultimately, it all comes down to paying the ransom in Bitcoins. Unless the money is submitted within the specified 168-hour deadline, the amount will become twice as big. It’s great if the user had been keeping up-to-date backups of their information, in which case the extortion can be ignored and bypassed, with virus removal alone being on the agenda. If no backups are in store and the victim is reluctant to actually pay, a couple of techniques can be applied to try and restore the information encrypted by CryptoWall 3.0. Again, be advised a complete fix is beyond eradication of the ransomware itself, because the files have yet to be reinstated.

CryptoWall 3.0 virus removal

As counterintuitive as it is, removal of this particular threat is not too complicated unlike the cleanup scenarios for screen lockers which represent another group of ransomware infections at large. The main challenge in regards to CryptoWall is getting personal files back without having to do what the fraudsters want. Basically, this means you can get rid of the malady using efficient security software without much of a hindrance, but options for recovering the encrypted data are a matter of a separate discussion, which we will touch upon in this guide as well.

Let’s now outline a rather easy and perfectly effective way of ransomware removal from a contaminated computer. Please follow the instructions below step by step:

  1. Download and install HitmanPro.Alert
  2. Supports: Windows XP, Vista, 7, 8, 8.1, 10
  3. Open the program, click on the Scan computer button and wait for the scan to be completed
  4. When HitmanPro.Alert comes up with the scan report, make sure the Delete option is selected next to the ransomware entry and other threats on the list, and get the infections eliminated by clicking on the Next button

Now you’ve got both some good and bad news. On the one hand, CryptoWall 3.0 is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.

Restore encrypted files using Shadow Copies

As it has been mentioned above, despite successful removal of CryptoWall 3.0 the compromised files remain encrypted with the RSA-2048 algorithm. While it does not appear possible to obtain the key for decryption in this case even with brute-forcing, you can try to restore previous versions of these files either using the native Windows functionality or the application called Shadow Explorer. Please note that this method is only applicable in case you have System Restore enabled on your PC, and the versions of the files that you can recover this way may not be the most recent. It’s definitely worth a try, though.

Getting your files back using Previous Versions functionality


Windows provides a feature where you can right-click on an arbitrary file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will view all versions of it that were previously backed up and stored by the so-called Volume Shadow Copy Service (VSS). The tab also provides the history of these backups by date.
In order to restore the needed version of the file, click on the Copy button and then select the location to which this file is to be restored. In case you would like to replace the existing file with its restored version, click the Restore button instead. Conveniently enough, you can have whole folders restored the same way.

Restoring encrypted data with Shadow Explorer utility


Besides the built-in Windows functionality highlighted above, you can use an application that will restore previous version of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all of your drives as well as a list of dates when Shadow Copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:
Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you would like to restore the information to.

Use automatic recovery software

It might sound surprising, but CryptoWall does not encrypt one’s actual files. It deletes them. What does get encrypted is the copies. This brings us to the point where a specific type of software can be used for dragging the original data out of memory, where it ended up after the erasure. Efficient recovery tools can work wonders in these ransomware scenarios.

Download and install Recuva by Piriform to give this restoration vector a shot. By running a computer scan with Recuva, you will get a list of all recoverable files and be able to reinstate them to their original location or another place of choice.

Bottom line

CryptoWall has outlived all competing ransomware frauds, with version 3.0 being particularly enduring and sophisticated. It poses a critical risk to one’s personal information therefore the main focus security-wise should be made on prevention. In this context, some basic precautions can do the trick: refrain from opening email attachments from unknown senders and schedule regular antivirus software updates. Furthermore, performing data backups is a remarkable habit that will help evade the adverse aftermath of this attack.


  1. This is a well written article all the way up to the point where you use shadow explorer. Part of the Cryptowall Virus variant 3.0 is a script that shuts down the VSS service and deletes all shadowcopies using the silent switch command. I have seen this happen personally on systems I am charged with protecting. The only way to recover is from an offsite backup.

    • Yes, backup, if any, makes the victim’s day for sure. The workaround involving data recovery software is worthwhile too, although it’s not nearly as effective.

      Thank you for the feedback!


Please enter your comment!
Please enter your name here