eBayWall Ransomware virus - How to remove

It looks like someone really hates eBay because ransomware called eBayWall was detected last week. Cyber security expert Jakub Kroustek posted it on Twitter.

eBayWall detected

eBayWall is not your average ransomware virus – it is quite strange and unusual. One of the strangest traits is that it does not ask for the ransom. Instead of that, cyber criminals are blackmailing eBay to get a ransom of 200 000 Monero coins. Monero is a relatively new cryptocurrency (similar to Bitcoins) and at the current exchange rate it is worth about $44 for every Monero coin, so the total amount of 200 000 Monero coins would stack up to $9M.

The philosophy behind this ransomware is to bring attention to the security of eBay platform. Company is making a decent money, yet fails to invest to the security and according to the creator of eBayWall ransomware, the system is vulnerable and not save to use. He dedicated a lot of time and effort to create a message where he explained why you should avoid using eBay. If your computer is infected, a file called ‘ebay-msg.html’ will be stored on your desktop. It contains this message:

Welcome to ebaywall!
Many of your files were locked because of gross negligence.

This is about very weak security… So, to set the stage, quite a bit of back story is necessary:

The internet is extremely large and full of very expensive and very dangerous tools. I am at the internet at least six days a week; I know who is coming and going and what they are working on. When the internet police is not in the way, I unlock certain power tools to give the other users supervised access to what could potentially be very dangerous machinery. I do have a certain level of authority – I can kick people out of the internet, report them for tool-misuse, and effectively prevent them from passing their internet classes.

This story refers to a coder in one of the ebay sites and his monkey:

One night, fairly late, I hear some holes making a noise in the general kijiji.ca area of the internet. I head that way to check it out – the noise sounded like someone was in a big hurry, which is a red flag that they might hurt someone with the tools.

I get there and see a poor, tiny coder sitting on a stool while his monkey fiddles with his project. The coder is supposed to be using PHP code to make a bot blocker. Easy, easy project. I check them out from a distance, see no safety violations as they are just setting up, and return to my own studio to do some work.

Now, bot blockers are fairly safe; the worst thing is that they slightly annoy you. But, bot blockers can also cause undefined behavior and oil can be flung at your face; I have a tiny scar on my forehead from the same project four years ago. At a minimum, I require coders to wear idiot-proof safety gloves while coding bot blockers.

After about 5 minutes, I go to check up on them again. The monkey has effectively taken over the coder’s project and is doing it for him. While that is a violation of the professional honesty code, this story concerns the safety violations and the massive butthurt when I told him to fix them. The monkey is coding some thin digits, his code INCHES from the extremely hot spaghetti zone.

Everyone who takes a coding class is given lengthy hacking demonstrations and are required to sign forms to confirm that they understand what is required in order to use the tools. No form – no tools. The poor coder’s monkey technically wasn’t even supposed to use the tools and the coder knew. The poor coder also knew that they were both required to wearing safety gloves.

Despite knowing the rules, some people get miffed when I ask them to do something; after all, I am just another coder and can be younger than the people I’m giving directions to. But I am paid to tell people to be safe. So, request 1 is always very low-key and polite.

“Hey ya’ll, could you please put on your safety gloves? Thanks!” And then I walk out of the room, giving them opportunity to fix the mistake. When I return a few minutes later, the coder – who isn’t even coding – is wearing his safety gloves. The status of the monkey hasn’t changed at all. So, request 2 is little more firm as I walk towards them to indicate that I’m not leaving until he put them on.

“Hi, please put on your safety gloves.”

The monkey looks up at me and says, “Oh, I’m almost done.”

That doesn’t fly. So, I crank up the firm politeness, “Sir, you have to wear safety gloves while coding.”

Then he says, “Well, I don’t have any, I’ll only be a minute.”

Now, I’ve heard this a lot. This is why I have The Bucket. I say cheerfully, “No worries, I have plenty.” Before I turn to retrieve The Bucket of forgotten, stinking, and dirty safety gloves, I reach over and pull the computer’s cord out of the power outlet. While smiling. I can feel the monkey radiating off of his as he give me the side eye.

When I return with The Bucket, I see that he has plugged the computer back in and is back to work. Now, I’m mad. Yes, he is twice my age, but I’m not about to have an idiot endanger others on my watch. The coder’s face is beat-red and I can see his shoulders inching up as he hunches over in embarrassment.

I set The Bucket on the table, and start pulling out safety gloves. I personally have three pairs in pristine condition that I loan out to coders, but not to this monkey. I’m looking for a particularly nasty pair, covered in dirt and grime from the bottom of The Bucket. He can see me sorting through the gloves, some pairs that are better than others in my hands. I find the perfectly stinky pair and hand them to him, “Here you go!”

Upon seeing my choice selection, the monkey decides to argue with me: “I don’t understand why I have to wear these. This will only take a second.” After hearing my safety spiel, he goes for the big no-no: “Who are you to tell me that I have to do anything?”

Stone. Cold. Silence. From the monkey and the poor peanut gallery coder. After a few moments of a staring contest, I continue:

“You have the same three options as THE CODERS in this internet. You can follow the safety rules, you can leave, or you can stay and continue to code without following my directions. If you stay and code without safety gloves, I will report you and your coder. Your coder will lose tool-access, which is a privilege, and he will fail out of the internet because he will not be able to complete the bot blocker. Neither of you will be allowed in this internet again.”


Information security is somewhere at or below the bottom of their list of concerns, it is viewed as a byproduct of the business process and given relatively little thought or protection. The purpose of ebay isn’t the technology. The purpose is the money. The technology is the tool. They are merely focused on the quarterly “number”. Vision and long term strategy are definitely secondary to “the number”.

ebay made USD 9 billion last year, and yet it only spent USD 2 billion. Too much greed, not enough investment. You don’t have to be an economist to get it.

Sillicon Valley is often criticized for breeding cult like mentality, so it’s not that surprising. It’s one of those weird areas that prefers to be messed up on any point of day. Extreme wealth and suburban banality are huge around there which generally means shitty coders. They are beholden to the cult they chose to become a part of, and in the process they became convinced they could run shitty apps. I would really like all these types to move away and take their fellow reprobate fools with them.

I thought shit like this only happened in badly written soap operas. F*** this company who deems safety as optional. ebaywall is giving ebay the finger. ebaywall has risen up to demand an end to current negligence.

First, let me say thank you to all of the users who downloaded ebaywall. People are watching, so I want to make sure I get this right. The main cause for the hacks are due to the lack of proper security measures. I’m locking these files to bring the attention to internet users to show how important is to have a proper app at the internet. Hacking ebay outright is not a matter I take lightly. It is not a good “first step”. Right now there are only a handful of ebay sites which are neglected, but there is a concern that a blanket overlooking on such sites could potentially endanger a large number of people. Users may not even be aware of the issue. By going the route of hacking, I not only make money, but I also hope that making the issue visible will do more to spread awareness than would sweeping it under the rug. The hacking here is very valuable to me, and I really appreciate not only the money that this generates, but also the visibility it provides to the issue.

It will require user assistance to maintain a list of phone numbers which will receive angry calls. Please message ebay with angry content, or call its numbers. It is ultimately the job of my users to make an informed decision about what constitutes low-quality negligence, and to act according to their own individual set of values.

After looking into the details, I think there may be a cause of action against ebay for most users in this position. When customers signed up for an account, the Terms of Service created a binding legal contract. In any case, there may be a claim against ebay in negligence, because ebay breached a duty of care to you by failing to securely protect users.

In case you have no time or interest to read a text that is such long, the main point is that eBay is making billions of profits every year and is too greedy to invest enough money to the security of the platform, thus this ransomware virus was created to bing the attention. It might be that the virus was developed and released by someone who is either woking on eBay or really upset by the services provided by this company.

If you were unlucky enough and eBayWall virus found a way to your computer, all your files will be labeled with additional appendix ‘.ebay’. We have no information what kind of cryptography is used by this infection, but regardless of that, you will be not able to open your files.

eBayWall Ransomware virus remove

Since eBayWall Ransomware virus is not requiring ransom from users, there are no ways to get back your files, unless you have a backup copy of your hard drive. If you do, just perform a system restore and set back your computer to the date that is previous to the infection.

The fact that this infection found a way to infect your computer, is a clear indicator that there are flaws in your system and other infections can take advantage of it. Don’t risk your cyber security – download reliable anti-malware application, such as Spyhunter and make sure that your computer is protected.

How to recover eBayWall Ransomware virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before eBayWall Ransomware virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of eBayWall Ransomware virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to eBayWall Ransomware virus. You can check other tools here.  

Step 3. Restore eBayWall Ransomware virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually eBayWall Ransomware virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover eBayWall Ransomware virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal

Leave a Reply

Your email address will not be published. Required fields are marked *