Tech Software:
The Shadow Lurks, But Relax - It is a Friend Not a Foe
Posted 29 months ago on 2/11/2018 and updated 9/16/2018
Take Away:

This article discusses a software utility called “ShadowExplorer” that could potentially, depending on the situation, recover many of your files that had been encrypted by the vicious ransomware, “Cryptowall”.


A few years ago, a customer called me about a problem he and his wife were having with their Windows desktop computer. After I arrived at their home to inspect what had happened, I discovered none of the documents in the user account folder could be successfully opened. Microsoft Word and Excel would not open documents with “.doc” and “.xls” file extensions as they normally would. I also saw there were a few Microsoft Notepad text documents on the desktop stating that files in the PC had been encrypted over and there were some instructions for recovering them. I wasn’t quite sure what to make of this, so I began to research it on the internet.

After a short while, I realized this PC had been struck by the vicious ransomware known as “Cryptowall”. This diabolical curse was summoned from the bowels of hell, being released around April 2014 from what I have read courtesy of The demon malware scans your computer for data files and encrypts them with “RSA encryption” so they can no longer be opened by their counterpart application software. The previously mentioned Microsoft Notepad documents were instructions for accessing the “Cryptowall Decryption Service” so the defenseless victim can purchase a decryption program for 500 USD initially, then rising to 1,000 USD after 7 days. This ransom must be paid in Bitcoins and sent to a Bitcoin address that changes per infected user. It goes without saying that this is especially devastating to those who did not make backups of their files to external media or a cloud-based backup service. Unfortunately, that was the case here.

At this point, I had a sinking feeling that their documents would be lost forever unless the customer paid off the crooks. And if the customer did cough up the ransom money and then their “Cryptowall Decryption Service” turns out to be an illusion, then what? There had to be a better way. For the record, I’m no rookie at recovering lost data. I use data transfer cables to grab files and folders off crashed disks that won’t boot up all the time. I also use a data recovery program for retrieving files and folders from disk drives that can’t even appear as distinct drive letters when plugged into viable, functioning computers. But, this was a whole new challenge for me so I had to go back to the internet to hopefully find a way to get their files back.

So there I was scouring cyberspace for viable remedies for “Cryptowall”. I eventually came across a web page that said the “Volume Shadow Copy Service” of the computer may contain backups of folders for certain dates. The article also went on to say that sometimes “Cryptowall” can wipe this out when it is infecting a PC. So maybe the “Volume Shadow Copy” was there and maybe it wasn’t… I had to give it a shot for the sake of the customer.

Next, I came across a free utility called “ShadowExplorer” that can recover selected folders from a “Volume Shadow Copy” for a specific date. You can download it from This program is really easy to use. After you have it installed, you just double-click the program icon and a small dialog screen appears. In the upper left corner, you will see two drop-downs: one for the drive letter on your disk and another for the date and time of the “Volume Shadow Copy” you will select. After making both these selections (typically C: for the drive letter), the folders for the selected “Volume Shadow Copy” appear in the right-hand pane of the dialog screen. Now, highlight the folders you want recovered, right-click the mouse and then click the “Export” option. Next, select the destination folder to which you want to restore the folders selected in the right-hand pane. Wait for the progress bar to finish and have your files and folders back!
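The same kind of recovery can be scripted with built-in Windows tools. The PowerShell below is an added example, not part of the original article and not ShadowExplorer's own code: it picks the newest shadow copy taken before a cutoff date, exposes it through a temporary directory link, and copies one folder out. The drive letters, folder paths, link path and cutoff date are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: recover a folder from a Volume Shadow Copy without a GUI.
# Every path, drive letter and date below is a placeholder (assumption).
$Volume      = 'C:\'                          # volume that held the encrypted files
$SourceSub   = 'Users\ExampleUser\Documents'  # hypothetical folder to recover
$Destination = 'E:\Recovered\Documents'       # separate drive, so the affected volume is not written to
$Cutoff      = Get-Date '2014-06-01'          # constructed date: before the files were encrypted
$LinkPath    = 'C:\ShadowView'                # temporary view of the snapshot

# Win32_ShadowCopy.VolumeName holds a volume GUID path, so map the drive letter to it first.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }).DeviceID

# Newest snapshot of that volume taken before the cutoff.
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $Cutoff } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1

if (-not $shadow) {
    Write-Warning "No shadow copy of $Volume older than $Cutoff (none taken, or they were deleted)."
    return
}
Write-Host "Using snapshot $($shadow.ID) from $($shadow.InstallDate)"

# mklink is a cmd.exe built-in; the trailing backslash on the target is required.
$target = $shadow.DeviceObject + '\'
cmd /c mklink /d $LinkPath $target | Out-Null
if (-not (Test-Path $LinkPath)) {
    Write-Warning "Could not create $LinkPath."
    return
}

try {
    # /E copies subfolders; /R:1 /W:1 stops unreadable files from stalling the run.
    robocopy (Join-Path $LinkPath $SourceSub) $Destination /E /R:1 /W:1
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported failures (exit code $LASTEXITCODE)."
    }
}
finally {
    # Removes only the link; the snapshot itself is left untouched.
    cmd /c rmdir $LinkPath
}
```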

As mentioned before, this won’t work if “Cryptowall” has nuked all of your “Volume Shadow Copy”. The best remedy by far is to make regular data backups to external hard drives, flash drives, DVDs or the cloud. Then the ransomware’s demand for payment will fall on deaf ears as it should.


Comment 1 of 1

Saving data from these things is important, otherwise it will damage your whole data easily. You can pick a guide from which will help you to clean your computer easily.

Posted 9 days ago
Article Contributed By Douglas.M:

Please visit my software developer website for more information about my services. I offer application development as well as Android app coding services. My developer skills are best suited to dealing with custom software projects. I can perform programming for Corel Paradox as well as C# Sharp and PHP.

In my local area of northeast Ohio, I can cater to computer repair and "fix my computer" issues.

Use my contact web page today to reach me about any software design ideas you have.


KB Article #102833
