In one of our previous articles, we introduced you to CryptoWall, a malicious virus of the type known as ransomware, which extorts money from innocent victims by forcing them to pay for the private key needed to decrypt the files it has encrypted on their computers. Users of Windows 8, 7, Vista and XP can easily get infected with the CryptoWall virus.
Once a ransomware infection has been confirmed, the next step for end users is to decide whether they are willing to pay the ransom to get their data back. The ransom must be paid in Bitcoin, a digital currency that is used to purchase goods and services, similar to US currency. However, due to its lack of regulation and general lack of acceptance, Bitcoin is a niche market and not as common as US currency. To add to an already complex procedure, many exchanges that accept US currency for Bitcoin limit purchases of large Bitcoin amounts, and they are known to cancel transactions and restrict accounts suspected of using their services to pay a ransom.
Deciding not to pay is a reasonable choice, especially if the amount being requested is worth more than the actual value of the data. Regardless of the reasons, there are a few things users can do to see whether their files are recoverable without paying. The most effective way to recover your files is from a backup. If your files have been backed up regularly, you just need to connect your backup drive to a non-infected computer to check them. If they are there and not infected, you simply need to clean the ransomware from the infected computer, and you will then be able to reconnect the drive and restore your data.
If a cloud-based backup exists, depending on the service provider, you may be able to sanitize the computer before restoring your files from the cloud. However, some cloud services, Dropbox for example, store a local copy of the data on the host, so the encrypted versions of the files can be synchronized to the cloud copy as well. For these cases, most cloud services offer file versioning as a form of added protection against file modifications made in error. By using this feature after sanitizing the computer, you should be able to roll back a file change to a date and time prior to the infection.
If no backup is available, then the only chance to recover the files lies in VSS (the Volume Shadow Copy Service), the "Restore previous versions" feature, or System Restore. Since much of what ransomware does is automated, there are times when one of its commands cannot execute because of a system resource issue or a hanging application. Though rare, in these cases recovery may be possible by initiating a system restore to a date and time prior to the infection. However, this is an exception, and each situation should be handled on a case-by-case basis.
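A read-only way to check whether any shadow copies or restore points older than the infection still exist, given here as an added example that is not part of the original article. It assumes an elevated Windows PowerShell session; `$InfectionTime` is your own estimate, and the function names are hypothetical.

```powershell
# Added example: lists recovery points created before the suspected infection.
# Nothing is restored, modified or deleted.
param(
    # Assumption: replace this constructed sample value with your own estimate,
    # for example the timestamp of the earliest ransom note on disk.
    [datetime]$InfectionTime = (Get-Date '2014-06-01 09:00')
)

function Get-PreInfectionShadowCopy {
    param([datetime]$Before)
    # Map volume GUID paths to drive letters so the output is readable.
    $letters = @{}
    Get-WmiObject -Class Win32_Volume |
        ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }

    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        $created = $_.ConvertToDateTime($_.InstallDate)
        if ($created -lt $Before) {
            New-Object PSObject -Property @{
                Drive      = $letters[$_.VolumeName]
                Created    = $created
                ShadowPath = $_.DeviceObject
            }
        }
    }
}

function Get-PreInfectionRestorePoint {
    param([datetime]$Before)
    # Returns nothing if System Restore is disabled or has no restore points.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        $created = $_.ConvertToDateTime($_.CreationTime)
        if ($created -lt $Before) {
            New-Object PSObject -Property @{
                Sequence    = $_.SequenceNumber
                Created     = $created
                Description = $_.Description
            }
        }
    }
}

$shadows = @(Get-PreInfectionShadowCopy -Before $InfectionTime)
$points  = @(Get-PreInfectionRestorePoint -Before $InfectionTime)
"Shadow copies older than ${InfectionTime}: $($shadows.Count)"
$shadows | Sort-Object Created | Format-Table Drive, Created, ShadowPath -AutoSize
"Restore points older than ${InfectionTime}: $($points.Count)"
$points | Sort-Object Created | Format-Table Sequence, Created, Description -AutoSize
```

If both counts are zero, neither "Restore previous versions" nor System Restore has anything from before the infection to work with on that machine.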
In case technical assistance is necessary, you can request our Disaster Recovery Guide:
I could not have written this article without the help of the following sources:
- http://www.theguardian.com/technology/2014/jun/02/how-to-avoid-cryptolocker-ransomware-virus
- http://www.tomshardware.com/news/cryptolocker-cryptowall-ransomware-malware-viruses,27576.html
- http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/
- http://www.scmagazine.com/cryptowall-surpasses-cryptolocker-in-infection-rates/article/368920/