In June 2014, the US Justice Department began a multinational campaign to eradicate CryptoLocker. Department officials then announced that they had managed to neutralize it. Unfortunately, their efforts may have been a case of too little, too late as two new versions appeared: CryptoDefense and the malware’s newest iteration, CryptoWall.
CryptoWall appears to have been derived from CryptoDefense, a short-lived and unsuccessful version. Unlike CryptoDefense, CryptoWall infected around 625,000 systems in six months, according to an August 2014 report from Dell researchers. The report revealed that CryptoWall encrypted 5.25 billion files and netted criminals over $1.1 million from March to August. CryptoWall’s reach is expected to grow. The analysts described it as the largest, most devastating ransomware threat on the Internet.
CryptoWall’s Modus Operandi
The ransomware typically enters a system by masquerading as a legitimate program update. Usually these programs are well-known, such as Java, Flash Player, or Adobe Reader. CryptoWall can also infiltrate a system through an infected email attachment.
Cyber security professionals have also warned about the criminals using exploit kits. This term refers to web pages with pre-packaged methods for sending malware. This means that in some cases, an ill-advised download is not necessary in order to spread CryptoWall. Victims can instead become infected just by visiting a website with a hidden exploit kit.
Once the system is infected, CryptoWall begins encrypting its files. It uses a pair of encryption keys: a public key locks the files, and only the matching private key unlocks them. While this method may sound simple, without the private key it has been touted as nearly uncrackable.
Digital criminals have also developed offshoots of the basic CryptoWall virus. These new versions can infect mobile devices as well as personal computers.
After CryptoWall encrypts the system’s data, the ransomware will display a warning. This tells victims that their files have been “irrevocably changed,” and that they will not be able to work with them or even see them.
The ransom note demands that people pay several hundred dollars in order to free their files. Victims are directed to the Tor network, where payment can be received anonymously. They also face a ticking clock, since the criminals generally threaten to double the ransom if they do not pay within a few days.
Authorities’ Ongoing War Against Ransomware
As part of law enforcement’s crackdown on ransomware, the FBI in June 2014 put Evgeniy Mikhailovich Bogachev on its list of most wanted criminals. The authorities have accused him of committing bank fraud, wire fraud, computer fraud, money laundering, and aggravated identity theft. Bogachev is believed to be the man behind CryptoWall’s predecessor, CryptoLocker.
While the US government was shutting down his criminal network, a group of private cyber security professionals was hard at work on recovering the stolen data. In August, they announced that they had uncovered the encryption keys used to hijack people’s data. They also created a website where victims can receive the key needed to unlock their files.
While these efforts crippled CryptoLocker, they left CryptoWall unaffected. As of this publication, the ransomware is still at large and IT experts have yet to find a remedy for it. Thankfully, there are a number of ways that users can protect themselves.
Defense and Prevention
First and foremost, users should have current anti-virus software on their computers. In general, all software programs should be kept up-to-date with the latest security enhancements.
Suspicious websites should be avoided at all costs. Users should never open emails that appear suspect or were sent by entities that they don’t trust. Similarly, users should never download attachments that they’re not expecting. These statements may seem intuitive, but the spread of ransomware is driven almost entirely by the behavior of careless and unsuspecting victims.
Additionally, files should be backed up regularly. Ideally, one backup copy should be kept with a cloud-based service designed specifically for backup that runs daily. A file-sharing service such as Dropbox is not adequate protection on its own, because files in a Dropbox or similar synced folder may be encrypted by CryptoWall if that folder is mapped to a drive letter on your computer.
The second backup should be on a network-attached storage device. However, be sure not to map a drive letter to the location where the backup is stored on the device, as CryptoWall will attempt to encrypt any data reachable through a drive-letter mapping. The backup should therefore be accessible only via the share name under which it resides on the device, never by a drive letter. Users should update the backup copy on the device at least weekly, though daily would be ideal. We also advise against using an external USB drive attached directly to your computer for your backup, as the data on that device will be susceptible to encryption by CryptoWall.
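As an added example (not from the original article), the PowerShell script below audits which drive letters point at network shares, refuses to run if the backup share is among them, and then copies files to the NAS by its share name only; the share path, source folder and backup account are placeholders.

```powershell
# Added example, not part of the original article. Placeholder values:
$Source      = 'C:\Users\alice\Documents'   # folder to back up
$BackupShare = '\\NAS01\backup$\alice'      # UNC path of the NAS share; never mapped to a letter
$BackupUser  = 'NAS01\backupsvc'            # dedicated account with write access to the share only

# 1. List every drive letter that is mapped to a network share. Anything here is
#    reachable by ransomware running as the logged-on user, so the backup share
#    must not appear in this list.
$mapped = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' }
foreach ($d in $mapped) {
    Write-Warning ("Drive {0}: is mapped to {1} and is exposed to encryption" -f $d.Name, $d.DisplayRoot)
    if ($d.DisplayRoot.StartsWith($BackupShare, 'OrdinalIgnoreCase') -or
        $BackupShare.StartsWith($d.DisplayRoot, 'OrdinalIgnoreCase')) {
        throw "Backup share is mapped to drive $($d.Name): - remove it (net use $($d.Name): /delete) first"
    }
}

# 2. Connect to the share by name only (no drive letter) under the backup account.
#    The trailing * makes net use prompt for the password instead of storing it.
net use $BackupShare /user:$BackupUser *
if ($LASTEXITCODE -ne 0) { throw "Could not connect to $BackupShare" }

# 3. Copy into a dated folder rather than mirroring, so a run made after an
#    infection cannot overwrite yesterday's good copy with encrypted files.
$dest = Join-Path $BackupShare (Get-Date -Format 'yyyy-MM-dd')
robocopy $Source $dest /E /R:2 /W:5 /XJ /LOG+:"$env:TEMP\backup.log"
if ($LASTEXITCODE -ge 8) { Write-Error "robocopy reported failures; see $env:TEMP\backup.log" }

# 4. Drop the connection so the share is not left reachable from this session.
net use $BackupShare /delete
```

Scheduling this under the dedicated backup account, rather than the user's own login, keeps the share unreachable even while the user is logged on.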
Once a computer has been infected, users should also be concerned about their networked devices, since, as mentioned above, network shares mapped to drive letters are vulnerable. CryptoWall victims have found that the malware can encrypt connected drives throughout the network, so users should carefully examine these devices to see whether they have been compromised as well.
Threats like CryptoWall pose serious challenges to businesses across the globe. Being aware of these issues is the first step in combating them. For assistance with the prevention of CryptoWall, or possible recovery, please do not hesitate to contact the Total Cover IT Team.