CryptoWall is a family of file-encrypting ransomware analyzed by the Dell SecureWorks Counter Threat Unit (CTU). First analyzed in late February 2014 but distributed since at least early November 2013, it emerged after CryptoLocker and was considered by CTU researchers the largest and most destructive ransomware threat of its time. Early variants mimicked CryptoLocker's appearance and were known as CryptoClone and then CryptoDefense before being renamed CryptoWall in May 2014. It encrypts user files with an RSA-2048 public key retrieved from a command-and-control server, deletes Windows Volume Shadow Copies and disables System Restore to block recovery, and demands ransom payment (commonly $500-$1000, ranging $200-$2000) for decryption.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1486 T1071.003 T1490 T1027 T1083
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_CRYPTOWALL {
meta:
description = "Detects Cryptowall (ransomware)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "cryptowall" ascii wide nocase
$s2 = "cryptodefense" ascii wide nocase
$s3 = "cryptowall3" ascii wide nocase
$s4 = "cryptowall4" ascii wide nocase
$s5 = "win32.cryptowall" ascii wide nocase
$s6 = "crowti" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Cryptowall Activity
id: 86f0ae1f22be2af3f5867e1ca1838da5
status: experimental
description: Detects generic indicators of the cryptowall malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*cryptowall*"
- "*cryptodefense*"
- "*cryptowall3*"
- "*cryptowall4*"
- "*win32.cryptowall*"
- "*crowti*"
condition: selection
level: mediumCryptoWall is file-encrypting ransomware first analyzed by the Dell SecureWorks CTU in February 2014. It encrypts a victim's files and demands a ransom payment in exchange for the decryption key, and was regarded as the largest file-encrypting ransomware threat of its era.
According to the SecureWorks CTU analysis, CryptoWall spread through browser exploit kits, drive-by downloads, and malicious email attachments. From late March 2014 it was primarily distributed via the Cutwail spam botnet, often using the Upatre downloader, and later through links to legitimate cloud hosting providers pointing to ZIP archives containing the malware.
After contacting its command-and-control server, CryptoWall retrieves an RSA-2048 public key and uses it to directly encrypt targeted file types such as documents, images, and source code. Because RSA is computationally intensive, infected systems experience significant CPU load during encryption. Executables and DLLs are left untouched so the system remains usable.
CryptoWall runs 'vssadmin.exe Delete Shadows /All /Quiet' to remove Windows Volume Shadow Copies and modifies the registry to disable System Restore. Both actions are designed to prevent recovery of encrypted files without paying. It also encrypts files on removable, network, and mapped cloud drives, so locally connected backups can be encrypted too.
The SecureWorks CTU reported ransom demands ranging from $200 to $2,000, with $500 and $1,000 being the most common amounts. Larger ransoms were typically reserved for victims who did not pay within the allotted window (usually 4 to 7 days). The CTU discourages paying ransoms because it funds further cybercrime.
The SecureWorks CTU recommended blocking executable files and compressed archives containing executables at the email gateway, keeping operating systems, browsers, and plugins fully updated to limit exploit-kit compromises, restricting permissions on shared network drives, and regularly backing up data to offline 'cold' media, since CryptoWall encrypts attached and cloud-mapped backups.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/cryptowall.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.