Due to the way the CryptoWall 3.0 Virus operates, it becomes difficult to detect it, even for some antivirus programs. When CryptoWall 3.0 is installed on your computer, it creates a random executable file the %AppData% (or %LocalAppData%) folder of your system registry.
The executable files will start scanning the system memory for data files to encrypt.
The CryptoWall 3.0 Virus is programmed to target files extension that are known for having high values, such as .xls, .pdf, .doc, and .docx,. However, the virus is exceptionally dangerous and it can target over 200 types of file extensions, some of which are mentioned below:
What makes CryptoWall 3.0 so hard to detect is that it does nothing to corrupt the files in your system. In the entire process, the virus only uses encryption, which is a normal technique to ensure data protection. As a result, many antivirus programs don’t associate the application with malware.
After finding the targeted files, the virus will then proceed to make copies of those files. However, these copies will not be mere duplicates of the original files. Instead, these files would be encrypted versions that are inaccessible to the user. Once encryption of these targeted files is completed, the virus will delete all the original files.
As the virus deletes these files one by one, it will create a text file containing a ransom note for the victim. Conventionally, the malware names this file as HELP_DECRYPT.txt and places it in each folder where a file has been encrypted.
To get the victim’s attention, the virus also changes the Windows desktop wallpaper to HELP_DECRYPT.html. Both ransom note and the wallpaper will contain information on how the victim can access the payment site.
Even here, the hackers maintain complete anonymity and the note enlists the URL of a TOR website. TOR websites are different from usual websites and are much more difficult to trace than traditional websites. Here, the victim will find out how much ransom they have to pay and how they can make the payment.