CryptoWall 4.0 has the same installation characteristics and communication methods as previous versions. When communicating with the Command & Control Servers, CryptoWall 4.0 continues to use RC4 encryption It also continues to create a victim’s unique identifier from the MD5 hash of the computer’s computer name, volume serial number, processor information, and OS version. Like its predecessors, when installed CryptoWall 4.0 will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Startup Repair. It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives. Once it has completed encrypting your files it will launch the ransom notes that explain what happened and how to purchase the decrypter.
Unfortunately, at this time there is no way to recover your files without restoring from a backup or paying the ransom which is not recommended.
If you need any help or would like to discuss this new version of CryptoWall,
Call Flat Gecko Design 0430 502 270
If you don’t have a backup of your machine, now is a good time to do so.