CryptoWall 4.0 (Removal Guide) - 2021 update

CryptoWall 4.0 Removal Guide

What is CryptoWall 4.0?

Similarities of CryptoWall and CryptoWall 4.0

CryptoWall 4.0 virus is the newest version of CryptoWall ransomware, which is deemed as one of the most destructive computer viruses of all times. Computer users must avoid downloading malicious CryptoWall related files at all costs because hardly anything can be done after such virus steps inside the computer system. Below is a list of similarities between the first and the fourth versions of CryptoWall:

  • Both versions spread via malicious spam emails.
  • Interesting fact: CryptoWall variants are created by Russian hackers; therefore, these viruses are designed not to target computers located in Ukraine, Belarus, Kazakhstan, and obviously, Russia. If the virus detects that computer user lives in one of these countries, it automatically destroys itself. If the victim does not live in one of these countries, the virus starts its malicious processes immediately.
  • If either the first or the fourth version of CryptoWall enters the computer system, it scans the entire computer system to find all personal user's files. CryptoWall viruses aim to find all data, no matter how valuable it is for the victim, and lock these files using particular encryption algorithms that are nearly impossible to crack.
  • After CryptoWall or CryptoWall 4.0 virus finishes the encryption process, it leaves ransom notes on several folders to inform the victim what needs to be done in order to recover the encrypted data.

Unfortunately, trusting cyber-criminals is something that we do not recommend you to do. If you don't want to lose your money, you should NOT pay it because there are thousands of people who decided to pay the ransom but didn't get the decryption key after sending money to hackers.

CryptoWall 4.0 virus

CryptoWall 4.0 is definitely one of the worst ransomware-type viruses. How does it work?

To begin with, let us explain what ransomware is. Ransomware is an extremely dangerous computer virus, which finds and encrypts victim's files stored on the computer and gives no “UNDO” option. In other words, there is hardly any chance to retrieve the files once such virus encrypts them. That is why it is vital to take precautions before such virus attacks the computer. CryptoWall, CryptoWall 2.0, CryptoWall 3.0 and CryptoWall 4.0 viruses are probably most infamous ransomware-type computer threats that have already affected thousands of computer users.

Ransomware viruses usually encrypt files with such extensions: .docx, .pdf, .txt, .img, .gif, .mp3, .mp4, .flv. Unfortunately, but the latest version of CryptoWall does not only encrypt the data; it can also rename the files. CryptoWall 4.0 replaces file names with random codes, which makes it hard to recognize which files were encrypted. It disables system restore and Windows Startup Repair functions and eliminates volume shadow copies. Unfortunately, many computer security programs cannot detect this malicious computer threat; it is professionally designed not to be detected by antivirus programs, and it can even avoid detection by the second generation enterprise firewall solutions. Moreover, CryptoWall 4.0 can contaminate the computer with additional malware; in other words, this virus can critically mess up the computer system.

CryptoWall 4.0 uses a complicated encryption technique – it encrypts files using AES cipher first, then it encrypts them using a more powerful RSA cipher. After this ransomware encrypts user's files, it drops ransom notes on each folder that contains encrypted data. Such messages can appear as .txt, .html, or .png files. For example:


These messages include such statements:

Cannot you find the files you need?
Is the content of the files that you have watched not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
You have become a part of large community CryptoWall.
For your attention, the software to decrypt the files (as well as the private key that come fitted with it) is a paid product.

As you can see, CryptoWall 4.0 ransomware explains that victim's files were encrypted. It even makes fun of the victim by saying “Congratulations.” Then it states that a software that decrypts files is a paid product, and user needs to buy it for 700 US dollars within 96 hours. Otherwise, the price will raise to 1400 US dollars. You should not believe such promises because there is no guarantee that the cyber criminals will do anything to decrypt your files.

How could CryptoWall 4.0 infect my computer?

  • CryptoWall 4.0, which is also known as HELP_YOUR_FILES virus, just like other versions of CryptoWall is spread via fraudulent e-mail letters. These letters commonly deliver a fake resume and encourage the victim to open it: “Hello, my name is […] attached is my resume! I would appreciate your cooperation on this matter.” This technique can easily deceive people who work in companies that are looking for new employees. Although your email service provider should automatically identify such email as infectious and filter it as Junk/Spam, there is a chance that your e-mail service may not filter it like that. However, you should never open emails from senders that you have never heard of. Such CryptoWall 4.0 e-mails include a text attachment (a fake resume), which is actually a JavaScript file. Once you open it, it downloads and executes the CryptoWall 4.0 virus onto your system.
  • CryptoWall 4.0 also spreads via malicious exploit kits (such as Nuclear exploit kit, and Angler exploit kit) which means that cyber-criminals tend to take advantage of outdated software on user's computers and exploit the vulnerabilities of it. Exploit kits are spread via iFrames, malvertising, and can be found on insecure web pages as well. For this reason, you should never browse through high-risk websites, click on suspicious web content, or download files or programs from questionable download sites.

If you do not want to experience data leakage and if you do not wish to lose your files, you should think of possible ways to secure your computer. We suggest you to install an anti-malware program, for example, FortectIntego. It can delete the CryptoWall 4.0 ransomware from your computer. However, once a ransomware encrypts files, it can be very hard or even not possible to recover them. Therefore, you should always keep a backup of your files on an external disk. To find detailed instructions how to remove CryptoWall 4.0, navigate to page 2.

How to remove this virus and fix my computer?

Speaking of ransomware, it is right to say that prevention is better than the cure. Unfortunately, it is nearly impossible to decrypt files after CryptoWall 4.0, or any other ransomware encrypts them; that is why we recommend you to take precautions and create extra copies of your files and move them to a safe place, ideally, to an external backup drive.
If you can see that all your files were renamed and that you cannot open them anymore, also if you have spotted files named as HELP_YOUR_FILES.TXT, HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.PNG and similar names, it means that you have become a victim of CryptoWall 4.0 virus. This virus is categorized as ransomware which means that it seeks to make you pay a ransom in exchange for the decryption key that is needed to unlock the data. However, there is no guarantee that you will receive it after doing what hackers command you to do.

All removal instructions that should help you to fix your computer are provided below this article. Remember to be very cautious while browsing on the web – do not open suspicious e-mail attachments and do not surf through untrustworthy websites. There are a lot of cyber-criminals working hard these days, so be careful and do not become another cybercrime victim.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of CryptoWall 4.0. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove CryptoWall 4.0 using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of CryptoWall 4.0. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that CryptoWall 4.0 removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from CryptoWall 4.0 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

Removal guides in other languages