Cryptowall Ransomware Threat

What Is CryptoWall and How To Protect Your Systems

Viruses and malware infecting computers are a common occurrence these days, and malware in particular.

Such a target-rich environment is precisely what a majority of malware thrives in. The more targets, the greater the chance of a pay off (or destruction) — whatever the motivation behind the malware, more is viewed as better than less.

This is why viruses like CryptoWall (and its predecessor, the now-defunct CryptoLocker) are poised to hit consumers and enterprises equally hard. With the internet as its distribution point, any Windows desktop that is not thoroughly protected will likely feel the pain of CryptoWall’s payload through either direct or indirect infection.

What is CryptoWall?

CryptoWall is classified as a Trojan horse: malware that masks its payload in the guise of a seemingly harmless application or file. Its payload encrypts the files on infected computers in an effort to extract money for the decryption key.

CryptoWall and viruses similar to it are also known as “ransomware” in that the infection offers the end user a means to remove the threat and recover all their files in exchange for paying a ransom. After they pay, the user is allowed to download and run a file and/or application to clean up the infection or, in this case, decrypt the encrypted files and return them to a working state.

Where does it come from?

CryptoWall is most typically spread through email as an attachment and from infected websites that pass on the virus — also known as a drive-by download.

Additionally, CryptoWall has been linked to some ad sites that serve up advertising for many common websites users visit on a daily basis, further spreading its distribution.

How does it infect a computer?

The infection process, as stated previously, is pretty standard for a virus. However, once it gets hold of the host computer, it begins by establishing a network connection to random servers, where it uploads connection information such as the public IP address, location, and system information including the OS.

Next, the remote server will generate a random 2048-bit RSA key pair that’s associated with your computer. It copies the public key to the computer and begins the process of copying each file on its pre-determined list of supported file extensions. As a copy is created, it’s encrypted using the public key, and the original file is deleted from the hard drive.

This process will continue until all the files matching the supported file types have been copied and encrypted. This includes files that are located on other drives, such as external drives and network shares — basically, any drive that’s assigned a drive letter will be added to the list. Also, cloud-based storage that stores a local copy of the files on the drive will be affected, and changes will propagate to the cloud as the files are changed.

Finally, once the encryption process has completed, CryptoWall executes commands locally to stop the Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is the service that controls the backup and restoration of data on a host computer. It also underpins file versioning, a feature introduced in Windows 7 that keeps a history of changes made to files, so that a file can be rolled back or restored to a previous version after an unintended change or a catastrophic event that damages its integrity. The command run by the virus stops the service altogether and also adds the command argument that clears/deletes the existing shadow-copy cache, making it even more difficult to recover files through versioning or System Restore.

Will I know if my computer is infected?

There are two telltale signs that indicate CryptoWall has compromised a host computer.

  • When attempting to open certain files, such as .doc, .xls or .pdf, the file opens in the correct program, but its data may be garbled or not displayed properly. An error message may also appear when trying to open infected files.
  • The most common indication will be the appearance of three files at the root of every directory that contains files that were encrypted by CryptoWall.
    • DECRYPT_INSTRUCTION.txt
    • DECRYPT_INSTRUCTION.html
    • DECRYPT_INSTRUCTION.url

Clicking on any of these files left behind in the wake of CryptoWall’s infection will lead the end user to step-by-step instructions necessary to carry out the ransom payment.

The HTML file will actually have a caption indicating the amount of time left on the ransom and how much money is being requested as payment. Typically, the ransom amount begins at $500 (USD), and the countdown timer provides for a period of three days in which to get payment to the requestor.

After the timer has reached zero, the caption will change. The new amount requested will double to $1,000 (USD) and the timer will provide a cutoff date and time. Usually, the timeframe is about one week, and it will indicate that if payment is not received before the cutoff time, the remote server housing the private key and decryption application to decrypt your files will be automatically deleted, making your files unrecoverable.
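As an added example (not part of the original article), here is a small Python scanner a defender can run from a clean machine against a suspect drive or share: it walks a directory tree, reports every folder holding any of the three DECRYPT_INSTRUCTION files listed above, and separates full three-file hits from partial ones. The sample tree it builds is constructed purely for the demo; the file contents are placeholders.

```python
import os
import shutil
import tempfile
from pathlib import Path

# The three ransom notes the article says CryptoWall drops in every directory it
# encrypted. Matched case-insensitively, since NTFS file names are case-insensitive.
RANSOM_NOTES = {"DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.html", "DECRYPT_INSTRUCTION.url"}
_NOTE_KEYS = {n.upper() for n in RANSOM_NOTES}

def find_ransom_notes(root):
    """Walk `root` and return {directory: sorted list of note files found there}."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        found = sorted(f for f in filenames if f.upper() in _NOTE_KEYS)
        if found:
            hits[dirpath] = found
    return hits

def summarize(hits, root):
    """Split hits into high-confidence dirs (all three notes) and partial ones, as POSIX paths relative to `root`."""
    rel = lambda d: Path(d).relative_to(root).as_posix()
    full = sorted(rel(d) for d, notes in hits.items() if len(notes) == 3)
    partial = sorted(rel(d) for d, notes in hits.items() if len(notes) < 3)
    return {"full": full, "partial": partial}

def build_sample_tree():
    """Constructed sample tree (not real data): two full hits, one partial, one clean dir."""
    root = Path(tempfile.mkdtemp(prefix="cw_demo_"))
    for sub in ("Documents", "Share/Projects"):
        d = root / sub
        d.mkdir(parents=True)
        for name in RANSOM_NOTES:
            (d / name).write_text("constructed placeholder note\n")
        (d / "budget.xls").write_bytes(b"\x00\x01garbled")  # stands in for an encrypted file
    (root / "Partial").mkdir()
    (root / "Partial" / "decrypt_instruction.txt").write_text("constructed placeholder note\n")
    (root / "Clean").mkdir()
    (root / "Clean" / "readme.txt").write_text("nothing to see\n")
    return root

def demo():
    """Scan the constructed tree, remove it again, and return the summary."""
    root = build_sample_tree()
    try:
        return summarize(find_ransom_notes(root), root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    print(demo())  # {'full': ['Documents', 'Share/Projects'], 'partial': ['Partial']}
```

Point find_ransom_notes at a mounted drive letter or UNC share to get the list of directories whose contents were touched, which is also the list to restore from backup.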

What are my options if my computer is infected with CryptoWall?

After having confirmed infection with CryptoWall, the next step for the end user is to decide if they are willing to pay the ransom to get their data back, or if they’re not going to pay and lose access to their data altogether.

If deciding to pay the ransom, continue reading. If deciding not to pay the ransom, jump down to the next section for some helpful steps to take that may or may not allow you to recover your files.

Paying the ransom is an exercise in and of itself. Unfortunately, the ransom amount must be paid in Bitcoin, a digital currency that’s used to purchase goods and services, similar to US currency. However, due to its lack of regulation and general lack of acceptance, Bitcoin is a niche market and not as common as US currency.

I’ve decided not to pay the ransom. Can my files be recovered another way?

Perhaps out of principle, you feel you shouldn’t have to pay. Whatever the reason, there are a few things end users can do to see if their files are recoverable without paying. Just realize that this is a big IF: most cases will result in loss of data for non-payment, while those who do pay within the time frame will be able to recover their data using the provided private key and decrypter application.

With that disclaimer in place, the most effective method to recover your files is by using a backup. If your files have been backed up regularly, connect your backup drive to a non-infected computer to check your files. If they are indeed on there and not infected, then you simply clean the infected computer of CryptoWall, and you’ll be able to reconnect the drive to restore your data.

If no backup, local or cloud-based, is available, then the only chance at file recovery lies in System Restore. Since much of the CryptoWall virus is automated, there are times when a command cannot execute due to a system resource issue or a hung application. Though rare, in these cases recovery may be possible by initiating a System Restore to a point in time prior to the infection. Note that this is the exception, not the rule, and each situation should be handled on a case-by-case basis.

Are there steps I can take to protect my computers?

Yes, there are. There are several steps that should be taken at all times, regardless of what the infection risk may be. You should have an active antivirus application installed with the latest virus definition files. You should also have a malware scanner, preferably with active scanning capabilities and updated with the latest definition files.

With your computers protected, we move on to one of the biggest issues: backup, or in some instances the lack thereof. A proper backup system, preferably with both a local and a cloud-based backup schedule, will go above and beyond to protect your data. Even when the system itself is compromised, you can count on being able to restore your data as needed.

Other considerations for protection include safe internet practices. Don’t visit questionable websites, never click links found within emails, and certainly never provide anyone any form of personally identifiable information in chat rooms, forums, discussion boards, or social media sites!
