CryptoWall is the latest strain of ransomware to rise to prominence, extorting more than $1 million from victims and wreaking havoc on thousands of police departments, businesses, and individuals across the globe.
On the surface, CryptoWall is similar to its better-known predecessor Cryptolocker, another strain of crypto-ransomware. But there are many differences.
Victims are typically infected with CryptoWall by opening a malicious email attachment, though drive-by-downloads on websites are also possible. The email attachments are often zip files that contain executables disguised as PDFs.
Once infected, CryptoWall scans all mapped drives and encrypts important files. That’s an important distinction: CryptoWall will scan your local drives, but also any server mapped drives, such as an S: or N: drive.
A text file then opens to explain the situation: The victim’s files are encrypted and a ransom must be paid to unlock them. The ransom is typically $500 in Bitcoins, which will double if not paid within seven days.
Threat of a different color
A few features of CryptoWall 2.0 highlight the growing sophistication of ransomware.
CryptoWall infection begins with a “dropper” that enters the user’s system. The dropper first checks whether it is operating in a virtual environment before downloading and installing the core malware files. If a virtual environment is detected, the download and installation do not occur.
Critical parts of CryptoWall arrive with multiple layers of encryption. This is to avoid detection by security products.
CryptoWall uses an anonymous network for its command-and-control communication. This makes it harder to find and shut down the ransomware’s servers.
How to remove CryptoWall
CryptoWall removal is typically not a challenge. A simple scan with an up -to-date antivirus program can handle it in minutes.
The real challenge is how to decrypt files once they are locked. Even after the malware is removed, the files will remain encrypted. Unlocking them without a key is practically impossible.
Once files are locked, the only hope of unlocking them is to pay the ransom.
This is likely to work but it is far from guaranteed and we do not recommend it (feeding criminals just makes them worse).
A better idea is to remove the malware, delete the encrypted files, and restore them from backup if possible.
Preventing an infection
Explain to users the dangers and warning signs of phishing emails and suspicious attachments.
While it may be unpopular, ban through policy (and firewall changes) any personal use of the Internet on your business network.
Maintain backups of all important files both onsite and offsite. Test your backups regularly. Ensure they are configured to prevent backup of infected files.
(Image Source: iCLIPART)