Delete CloudSword Ransomware and Recover Your Encrypted Files

CloudSword Ransomware – Basic Information

Another piece of crypto-malware, going by the name CloudSword Ransomware, has been found in the wild targeting English- and Chinese-speaking Windows users. It encrypts the victim's files and holds the decryption key for ransom. The ransomware drops a ransom note, 'Warning警告.html', which claims that you have violated the Digital Millennium Copyright Act and that your saved files have been encrypted as a punishment. This is an extortion pretext, not a legal action. The attackers (the developers of CloudSword Ransomware) then offer to sell you the decryption key at a high price within 5 days, and warn that if the ransom is not paid, the unlock key (the private key, or decryption password) will be permanently deleted from their server after those five days.

Analysis of CloudSword Ransomware was performed on January 22nd 2017. Because the ransomware is so new, no free decryption tool has been released by security researchers, and decrypting the files without the per-victim decryption key is, for now, not feasible. You may be able to recover files from a backup, from Volume Shadow Copies if the ransomware did not delete them, or with file-recovery software if the originals were deleted rather than overwritten. Note that a System Restore point rolls back system files and the registry, not your documents, so it helps remove the infection rather than recover data. Before attempting any of this, read the article to the end so that you understand how the infection arrived and can avoid repeating the same mistake.

Highlights of CloudSword Ransomware Infection

  • First of all, CloudSword Ransomware is delivered through redirected links that prompt you to install a file named 'Windows Update.exe'. Microsoft does not deliver updates this way, so any such prompt is a red flag. The same malicious file also arrives as a spam email attachment or as a drive-by download while visiting torrent or adult dating sites. When you double-click 'Windows Update.exe', it drops cloudsword.exe, the installer for CloudSword Ransomware and the components it uses to carry out the attack.
  • Second, CloudSword Ransomware targets only English- and Chinese-speaking users of the Windows operating system. Mac and Linux users are safe for now, though a future variant could target those platforms as well.
  • Lastly, CloudSword Ransomware is built on the open-source HiddenTear project, but it encrypts files with a combined and customised AES and RSA scheme, so that decrypting the files without the private key is not feasible. Paying the ransom and waiting for a decryption key is not a good idea either, as there is no guarantee the attackers will deliver it. Your options are to recover files by alternative means or to keep the encrypted files and wait for security researchers to release a free decryptor; HiddenTear-derived families have often turned out to be decryptable because of flawed key handling, so it is worth checking for one periodically.

Security experts’ suggestion

To prevent such infections, keep antivirus software installed and up to date, and keep offline backups of critical data. Most importantly, do not rely on demo or trial versions of security software when the safety of your critical data and privacy is at stake. Now follow the CloudSword Ransomware removal procedure below before restoring your files:


Remove CloudSword Ransomware From Your PC

Step 1: Boot Into Safe Mode with Command Prompt and Run System Restore

  • First of all, disconnect your PC from the network.
  • Restart the computer and repeatedly press the F8 key while the system boots. (This works on Windows 7 and earlier; on Windows 8 and 10, hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings.)
  • You will see the "Windows Advanced Options Menu" on your screen.
  • Select "Safe Mode with Command Prompt" and press Enter.
  • Log in with an Administrator account so that you have full privileges.
  • Once the Command Prompt appears, type rstrui.exe and press Enter.
  • Follow the on-screen prompts to complete the System Restore, choosing a restore point from before the infection. System Restore undoes changes to system files, installed programs and the registry; it does not bring back encrypted documents.

Step 2: Remove CloudSword Ransomware Startup Entries Using MSConfig in Safe Mode:

  • Power off your computer and restart it.
  • While booting, press the F8 key repeatedly to open the "Windows Advanced Options Menu".
  • Use the arrow keys to select "Safe Mode" and press Enter.
  • Once the system has started, open the Start menu, type "msconfig" in the search box and launch the application.
  • Go to the Startup tab (on Windows 8 and later this tab redirects to Task Manager's Startup tab) and look for entries that launch from the %AppData% or %Temp% folders, or that load a DLL through rundll32.exe. An example of the pattern (an illustrative entry, not a CloudSword indicator):

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

  • Uncheck the malicious entries and save the changes. Note the file paths; you will need them when ending processes and deleting registry values in the later steps.
  • Now restart your computer normally.

Step 3: Kill Malicious Processes Related To CloudSword Ransomware

  • Press Ctrl+Alt+Del together and choose Task Manager (or press Ctrl+Shift+Esc to open it directly).
  • Go to the Processes tab and find the process related to CloudSword Ransomware, such as the cloudsword.exe described above or any process running from %AppData% or %Temp%. Right-click the process and choose Open File Location to confirm where it runs from.
  • Click the End Process button to stop the running process.

Step 4: Remove CloudSword Ransomware Entries From the Registry

  • Press "Windows + R" together to open the Run box.
  • Type "regedit" and click OK.
  • Before changing anything, export each key you intend to edit (File > Export) so that a mistaken deletion can be undone.
  • Check the following keys for values that point to the files identified in Steps 2 and 3 (typically under %AppData% or %Temp%) and delete only those values. The RunServices and RunServicesOnce keys date from Windows 9x and are usually absent on modern Windows; their absence is normal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
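The following script is an added example, not code from the original page and not part of CloudSword itself. It triages the autorun keys listed above the way Steps 2 to 4 describe by hand: it lists every value in those keys, flags the ones that launch from %AppData%/%Temp% or load a DLL through rundll32.exe, and lists running processes whose image lives in those folders. It assumes an elevated PowerShell prompt on the infected machine and deletes nothing by itself; the value name and PID in the trailing comments are placeholders.

```powershell
# Added example (not from the original page): triage the Run/RunOnce keys listed
# above and running processes. Review the SUSPECT lines before removing anything.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Folders a legitimate autostart entry rarely runs from. Resolved for the current
# user; entries under other profiles are still caught by the path regex below.
$suspectDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-SuspiciousCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    $c = $Command.ToLowerInvariant()
    $inUserDir = @($suspectDirs | Where-Object { $c.Contains($_) }).Count -gt 0
    # Unexpanded variables, or a literal path under any user's AppData/Temp.
    $userPath  = $c -match '%(appdata|localappdata|temp|tmp)%|\\appdata\\|\\temp\\'
    # rundll32.exe loading a DLL by path, e.g. "rundll32.exe C:\...\x.dll,Entry".
    $viaRundll = $c -match 'rundll32(\.exe)?\s+.*\.dll'
    return ($inUserDir -or $userPath -or $viaRundll)
}

Write-Host '== Autorun values (SUSPECT = review, then remove if malicious) =='
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }   # RunServices* keys are normally absent; skip silently
    foreach ($name in $item.GetValueNames()) {
        # Keep REG_EXPAND_SZ values unexpanded so a literal %AppData% stays visible.
        $value = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $tag   = if (Test-SuspiciousCommand $value) { 'SUSPECT' } else { '   ok  ' }
        '{0}  {1}\{2} = {3}' -f $tag, $key, $name, $value
    }
}

Write-Host "`n== Running processes started from user-writable folders =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and (Test-SuspiciousCommand $_.Path) } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# Once an entry is confirmed malicious, end the process and remove the value
# explicitly (placeholders below; -WhatIf previews the change, drop it to apply):
#   Stop-Process -Id <pid> -Force
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<value name>' -WhatIf
```

The Run keys are only one of many autostart locations on Windows; scheduled tasks, services, Winlogon values, WMI event subscriptions and the Wow6432Node copies of these keys are others, and Sysinternals Autoruns enumerates all of them in one view. A SUSPECT tag is a prompt to inspect the file, not proof of infection: some legitimate installers do update themselves from %LocalAppData%.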

Now, hopefully, you have completely removed CloudSword Ransomware from your computer. If you still receive the ransom message or still cannot access your files, the malware remains on the system. In that case, run a full scan with a reputable, up-to-date anti-malware tool and remove whatever it finds.

If you have a backup of the encrypted files, you can also reinstall Windows. This erases everything on the system drive, including the CloudSword Ransomware infection, and leaves you with a clean system; restore your files from the backup afterwards. Before wiping, verify that the backup is intact and was taken before the infection, since encrypted copies in a synced backup are no better than the originals. Without a backup, cleaning the system with an anti-malware tool and keeping the encrypted files in case a decryptor is later released is the better option.
