{
  "family": "cryptowall",
  "sample_count": 1,
  "category": "ransomware",
  "description": "CryptoWall is a family of file-encrypting ransomware analyzed by the Dell SecureWorks Counter Threat Unit (CTU). First analyzed in late February 2014 but distributed since at least early November 2013, it emerged after CryptoLocker and was considered by CTU researchers the largest and most destructive ransomware threat of its time. Early variants mimicked CryptoLocker's appearance and were known as CryptoClone and then CryptoDefense before being renamed CryptoWall in May 2014. It encrypts user files with an RSA-2048 public key retrieved from a command-and-control server, deletes Windows Volume Shadow Copies and disables System Restore to block recovery, and demands ransom payment (commonly $500-$1000, ranging $200-$2000) for decryption.",
  "cta": "Published by the SystemHelpdesk team.",
  "aliases": [
    "cryptodefense",
    "cryptowall3",
    "cryptowall4",
    "win32.cryptowall",
    "crowti"
  ],
  "enrichment_level": "curated_sourced",
  "faq": [
    {
      "@type": "Question",
      "name": "What is CryptoWall?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "CryptoWall is file-encrypting ransomware first analyzed by the Dell SecureWorks CTU in February 2014. It encrypts a victim's files and demands a ransom payment in exchange for the decryption key, and was regarded as the largest file-encrypting ransomware threat of its era."
      }
    },
    {
      "@type": "Question",
      "name": "How does CryptoWall spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "According to the SecureWorks CTU analysis, CryptoWall spread through browser exploit kits, drive-by downloads, and malicious email attachments. From late March 2014 it was primarily distributed via the Cutwail spam botnet, often using the Upatre downloader, and later through links to legitimate cloud hosting providers pointing to ZIP archives containing the malware."
      }
    },
    {
      "@type": "Question",
      "name": "How does CryptoWall encrypt files?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "After contacting its command-and-control server, CryptoWall retrieves an RSA-2048 public key and uses it to directly encrypt targeted file types such as documents, images, and source code. Because RSA is computationally intensive, infected systems experience significant CPU load during encryption. Executables and DLLs are left untouched so the system remains usable."
      }
    },
    {
      "@type": "Question",
      "name": "Why can't victims simply restore their files?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "CryptoWall runs 'vssadmin.exe Delete Shadows /All /Quiet' to remove Windows Volume Shadow Copies and modifies the registry to disable System Restore. Both actions are designed to prevent recovery of encrypted files without paying. It also encrypts files on removable, network, and mapped cloud drives, so locally connected backups can be encrypted too."
      }
    },
    {
      "@type": "Question",
      "name": "How much ransom did CryptoWall demand?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "The SecureWorks CTU reported ransom demands ranging from $200 to $2,000, with $500 and $1,000 being the most common amounts. Larger ransoms were typically reserved for victims who did not pay within the allotted window (usually 4 to 7 days). The CTU discourages paying ransoms because it funds further cybercrime."
      }
    },
    {
      "@type": "Question",
      "name": "What measures help reduce exposure to CryptoWall?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "The SecureWorks CTU recommended blocking executable files and compressed archives containing executables at the email gateway, keeping operating systems, browsers, and plugins fully updated to limit exploit-kit compromises, restricting permissions on shared network drives, and regularly backing up data to offline 'cold' media, since CryptoWall encrypts attached and cloud-mapped backups."
      }
    }
  ],
  "faq_count": 6,
  "mitre_attack": [
    "T1486",
    "T1071.003",
    "T1490",
    "T1027",
    "T1083"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-06-10",
  "sources": [
    {
      "name": "Sophos / Dell SecureWorks CTU: CryptoWall Ransomware Threat Analysis",
      "url": "https://www.sophos.com/en-us/research/cryptowall-ransomware"
    }
  ]
}