5.2 CryptoWall 2.0

CryptoWall 2.0 was seen in October 2014. It was delivered through malicious emails and exploits.

The ransomware drops decryption instructions and a warning in the following ransom-note files:

  • DECRYPT_INSTRUCTION.HTML
  • DECRYPT_INSTRUCTION.TXT
  • DECRYPT_INSTRUCTION.URL
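The note names above can serve as a host-triage indicator. The following Python sketch is an added example, not code from the book: it sweeps a directory tree for the three file names (matched case-insensitively) and reports which folders contain them, plus the oldest note timestamp as a starting point for an incident timeline. The function names and the sample tree are constructed for illustration.

```python
import os
import sys
from datetime import datetime, timezone

# Ransom-note names from the list above; matched case-insensitively.
NOTE_NAMES = {"decrypt_instruction." + ext for ext in ("html", "txt", "url")}

def find_ransom_notes(root):
    """Return {directory: [note names found there]} for every directory under root."""
    hits = {}
    # onerror swallows unreadable directories so one ACL failure does not stop the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        found = sorted(f for f in files if f.lower() in NOTE_NAMES)
        if found:
            hits[dirpath] = found
    return hits

def earliest_note_time(hits):
    """Oldest note mtime (UTC), a starting point for the incident timeline."""
    stamps = []
    for dirpath, names in hits.items():
        for name in names:
            try:
                stamps.append(os.stat(os.path.join(dirpath, name)).st_mtime)
            except OSError:
                continue  # file vanished or is unreadable; skip it
    return datetime.fromtimestamp(min(stamps), tz=timezone.utc) if stamps else None

def make_sample_tree(root):
    """Constructed sample data: two folders holding notes and one clean folder."""
    layout = {
        "Documents": ["DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT",
                      "DECRYPT_INSTRUCTION.URL", "report.docx"],
        "Pictures": ["Decrypt_Instruction.txt", "photo.jpg"],
        "Music": ["song.mp3"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample\n")

if __name__ == "__main__":
    hits = find_ransom_notes(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, names in sorted(hits.items()):
        print(directory, ", ".join(names))
    print("earliest note:", earliest_note_time(hits))
```

Run it with a path argument against a mounted image or a user profile; a match on file name alone is a lead to investigate, not confirmation of infection.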

CryptoWall 2.0 could securely delete files, which overcame the flaw present in CryptoWall 1.0.

CryptoWall created a unique bitcoin address for each of its victims, a feature that was not present in CryptoLocker 1.0. The reason could be to track which victims made payments and which did not.

CryptoLocker 2.0 could encrypt files with 146 types of file extensions.

The servers hosting the payment website for the ransomware were hidden behind the Tor network.
