Cryptowall

Category: ransomware · Aliases: cryptodefense, cryptowall3, cryptowall4, win32.cryptowall, crowti · Sample count (EMBER 2018): 1 · Enrichment: curated_sourced · Updated: 2026-06-10

Overview

CryptoWall is a family of file-encrypting ransomware analyzed by the Dell SecureWorks Counter Threat Unit (CTU). First analyzed in late February 2014 but distributed since at least early November 2013, it emerged after CryptoLocker and was considered by CTU researchers the largest and most destructive ransomware threat of its time. Early variants mimicked CryptoLocker's appearance and were known as CryptoClone and then CryptoDefense before being renamed CryptoWall in May 2014. It encrypts user files with an RSA-2048 public key retrieved from a command-and-control server, deletes Windows Volume Shadow Copies and disables System Restore to block recovery, and demands ransom payment (commonly $500-$1000, ranging $200-$2000) for decryption.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1486 T1071.003 T1490 T1027 T1083

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_CRYPTOWALL {
    meta:
        description = "Detects Cryptowall (ransomware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "cryptowall" ascii wide nocase
        $s2 = "cryptodefense" ascii wide nocase
        $s3 = "cryptowall3" ascii wide nocase
        $s4 = "cryptowall4" ascii wide nocase
        $s5 = "win32.cryptowall" ascii wide nocase
        $s6 = "crowti" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Cryptowall Activity
id: 86f0ae1f22be2af3f5867e1ca1838da5
status: experimental
description: Detects generic indicators of the cryptowall malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*cryptowall*"
            - "*cryptodefense*"
            - "*cryptowall3*"
            - "*cryptowall4*"
            - "*win32.cryptowall*"
            - "*crowti*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is CryptoWall?

CryptoWall is file-encrypting ransomware first analyzed by the Dell SecureWorks CTU in February 2014. It encrypts a victim's files and demands a ransom payment in exchange for the decryption key, and was regarded as the largest file-encrypting ransomware threat of its era.

How does CryptoWall spread?

According to the SecureWorks CTU analysis, CryptoWall spread through browser exploit kits, drive-by downloads, and malicious email attachments. From late March 2014 it was primarily distributed via the Cutwail spam botnet, often using the Upatre downloader, and later through links to legitimate cloud hosting providers pointing to ZIP archives containing the malware.

How does CryptoWall encrypt files?

After contacting its command-and-control server, CryptoWall retrieves an RSA-2048 public key and uses it to directly encrypt targeted file types such as documents, images, and source code. Because RSA is computationally intensive, infected systems experience significant CPU load during encryption. Executables and DLLs are left untouched so the system remains usable.

Why can't victims simply restore their files?

CryptoWall runs 'vssadmin.exe Delete Shadows /All /Quiet' to remove Windows Volume Shadow Copies and modifies the registry to disable System Restore. Both actions are designed to prevent recovery of encrypted files without paying. It also encrypts files on removable, network, and mapped cloud drives, so locally connected backups can be encrypted too.

How much ransom did CryptoWall demand?

The SecureWorks CTU reported ransom demands ranging from $200 to $2,000, with $500 and $1,000 being the most common amounts. Larger ransoms were typically reserved for victims who did not pay within the allotted window (usually 4 to 7 days). The CTU discourages paying ransoms because it funds further cybercrime.

What measures help reduce exposure to CryptoWall?

The SecureWorks CTU recommended blocking executable files and compressed archives containing executables at the email gateway, keeping operating systems, browsers, and plugins fully updated to limit exploit-kit compromises, restricting permissions on shared network drives, and regularly backing up data to offline 'cold' media, since CryptoWall encrypts attached and cloud-mapped backups.

Related Families (Category: ransomware)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/cryptowall.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.