CryptoWall ransomware has evolved since it first appeared in 2014. The newest strain of CryptoWall has new features that make it an even greater threat than previous versions.
What’s Different in this CryptoWall version?
CryptoWall is a form of malware that encrypts your files and demands a ransom in bitcoins for the key to decrypt them. The most significant new feature of CryptoWall 4.0 is that it encrypts not only the contents of your files but also their file names. With the original names gone, victims can no longer tell which encrypted file was which document until it is decrypted, and anyone trying to recover data has no names or extensions to work from.
This new version of CryptoWall also has a new ransom note that is even more arrogant and mocking than the notes delivered with previous versions. The note congratulates victims for becoming “part of [the] large community CryptoWall”. It warns that “using software to restore files can ruin your files forever, only through your fault.” It also claims not to be “malicious or to intend to harm a person and his/her information data,” but rather to exist for “instruction in the field of information security,” and for “certification of antivirus products for the suitability for data protection.” It even includes a self-assigned hashtag, #CryptowallProject, for social media.
A History of CryptoWall
While much less sophisticated ransomware first showed up in 2005, the first version of CryptoWall (initially dismissed as a CryptoLocker copycat) came out in early 2014. In October 2014, CryptoWall 2.0 added its own Web-to-TOR gateways (so victims could reach the payment servers without installing Tor), a unique Bitcoin address for each victim (so one victim’s payment could not be passed off as another’s), and secure deletion of the original unencrypted files (so that undelete and data-recovery tools could not restore them).
In January 2015, CryptoWall 3.0 renamed its ransom notes, dropping them in every folder in which a file was encrypted and in the Startup folder so that they display each time the user logs in. It also raised the ransom if the initial deadline was missed. In addition, new TOR gateways and I2P support were added to conceal the attackers’ infrastructure and identity.
CryptoWall 4.0, first seen on October 30, 2015, leaves “HELP_YOUR_FILES” .PNG ransom notes in affected directories. Because the file names are now encrypted as well, forensic data recovery is far harder for researchers.
How CryptoWall is Distributed
CryptoWall primarily relies on social engineering to infect your computer: it tricks users into running the malware themselves, so it never has to break through your system security. It is mainly distributed via phishing and spam campaigns that lure users into clicking a malicious download link or opening an e-mail attachment, though the delivery method has varied as the ransomware evolved. CryptoWall 2.0 used malicious ads on major sites including Yahoo, AOL and Match.com to trick people into clicking and downloading the ransomware. The emails that distributed CryptoWall 3.0 enticed victims to open a zip file that appeared to be an attached resume. This version also added links to legitimate cloud services like Google Drive and Dropbox, pointing at archives that contained the CryptoWall executable or links to infected websites. So far, CryptoWall 4.0 is spread via email attachments that appear to be a Word document such as an invoice or other business document, or a zipped attachment containing a CV, but that are actually JavaScript (.js) files; when opened they run under Windows Script Host and launch the malware.
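The lure described above (an “invoice” or “CV” that is really a script) is easy to screen for at the mail gateway. The following is an added example, not code from the original post or from any product: it inspects an attachment by name and, if it is a ZIP, by the names of the members inside, and blocks script types that Windows Script Host will execute on double-click. The sample archive is constructed in memory; the file names in it are placeholders.

```python
"""Screen an e-mail attachment for a script-in-a-document-costume lure.

Added example; the sample lure is constructed inline, not a real sample.
"""
import io
import zipfile

# Extensions Windows hands to Windows Script Host / mshta on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def _extension(name: str) -> str:
    """Return the final extension of a path, lower-cased, e.g. '.js'."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def suspicious_members(archive_bytes: bytes) -> list[str]:
    """Return members of a ZIP whose final extension is a script type.

    A double extension such as 'invoice.doc.js' still ends in '.js';
    Windows hides that last extension by default, so the user sees
    'invoice.doc' while the file runs as JavaScript.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for member in zf.namelist():
            if _extension(member) in SCRIPT_EXTENSIONS:
                flagged.append(member)
    return flagged


def classify_attachment(filename: str, payload: bytes) -> tuple[str, list[str]]:
    """Return ('block', reasons) or ('allow', []) for one attachment."""
    reasons = []
    if _extension(filename) in SCRIPT_EXTENSIONS:
        reasons.append(f"script attachment: {filename}")
    # Look inside archives regardless of what the outer name claims.
    if zipfile.is_zipfile(io.BytesIO(payload)):
        for member in suspicious_members(payload):
            reasons.append(f"script inside archive {filename}: {member}")
    return ("block" if reasons else "allow"), reasons


def build_sample_lure() -> bytes:
    """Constructed sample: a 'CV' ZIP carrying a .js file (placeholder body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John_Smith_CV.doc.js", "// placeholder, not a dropper\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [
        ("John_Smith_CV.zip", build_sample_lure()),
        ("Invoice_4471.doc.js", b"// placeholder"),
        ("Invoice_4471.docx", b"not really a document, but not a script either"),
    ]:
        verdict, why = classify_attachment(name, data)
        print(name, "->", verdict, why)
```

The check is deliberately name-based: the point of the lure is that the extension the user acts on is not the one Windows acts on, so a gateway rule that looks at the real final extension of every archive member catches it without needing a signature for the payload.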
How CryptoWall Infects Your Computer
Once running, CryptoWall establishes a network connection to the attackers’ servers and uploads connection details such as the IP address and system information such as the OS version. The server generates a 2048-bit RSA key pair for that victim and sends only the public key back to the infected computer; the private key never leaves the attackers’ servers, which is what makes the ransom possible. The malware then walks the file system for files whose extensions are on its target list, copies each one, encrypts the copy (the file contents are encrypted with a symmetric key that is in turn encrypted with the victim’s RSA public key), and deletes the original from the victim’s hard drive. Any network share mapped to a drive letter on that computer is walked too, so a backup drive that is mapped on the infected machine will be encrypted along with everything else. In addition, CryptoWall runs commands to stop the Volume Shadow Copy Service (VSS), which Windows uses to keep previous versions of files, and deletes the existing shadow copies (for example with vssadmin Delete Shadows /All /Quiet), so that files cannot be recovered through Previous Versions or System Restore.
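Two of the behaviours just described are visible on the endpoint before the ransom note appears: the shadow-copy deletion, and the same note file being written into many directories. The following is an added example, not code from the original post or any vendor tool: it runs simple detection logic over process-creation and file-creation events. The event format (one JSON object per line with `event`, `command_line`, `parent`, `process` and `path` fields) and the log lines themselves are constructed for the example; map them onto whatever your EDR or Sysmon pipeline emits.

```python
"""Flag CryptoWall-style behaviour in endpoint events.

Added example. The JSON event schema and the sample log are constructed
here, not taken from a real product or a real infection.
"""
import json
import re
from collections import defaultdict

# vssadmin invoked to delete shadow copies (any switches, any case).
VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
# The Volume Shadow Copy Service being stopped outright.
VSS_STOP = re.compile(r"(?:net|sc)(?:\.exe)?\s+stop\s+vss\b", re.I)
# CryptoWall 4.0 ransom-note name, whatever the extension.
RANSOM_NOTE = re.compile(r"(?:^|\\)help_your_files\.\w+$", re.I)
# One note per directory is normal for the malware; several in a
# short window from one process is the signal.
NOTE_DIR_THRESHOLD = 3


def detect_cryptowall(log_lines):
    """Return a list of human-readable findings for the given JSON lines."""
    findings = []
    note_dirs = defaultdict(set)  # process name -> directories it wrote a note into
    for line in log_lines:
        ev = json.loads(line)
        if ev["event"] == "process_create":
            cmd = ev.get("command_line", "")
            if VSS_DELETE.search(cmd):
                findings.append(f"shadow copies deleted by {ev['parent']}: {cmd}")
            elif VSS_STOP.search(cmd):
                findings.append(f"VSS service stopped by {ev['parent']}: {cmd}")
        elif ev["event"] == "file_create":
            path = ev["path"]
            if RANSOM_NOTE.search(path):
                directory = path.rsplit("\\", 1)[0]
                note_dirs[ev["process"]].add(directory)
    for process, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            findings.append(f"ransom note dropped in {len(dirs)} directories by {process}")
    return findings


# Constructed sample log; "payload.exe" is a placeholder process name.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"event": "process_create", "parent": "wscript.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"event": "process_create", "parent": "cmd.exe",
     "command_line": "vssadmin.exe list shadows"},          # benign admin use
    {"event": "file_create", "process": "payload.exe",
     "path": r"C:\Users\alice\Documents\HELP_YOUR_FILES.PNG"},
    {"event": "file_create", "process": "payload.exe",
     "path": r"C:\Users\alice\Pictures\HELP_YOUR_FILES.PNG"},
    {"event": "file_create", "process": "payload.exe",
     "path": r"Z:\Finance\HELP_YOUR_FILES.PNG"},            # mapped network share
    {"event": "file_create", "process": "explorer.exe",
     "path": r"C:\Users\alice\Desktop\notes.txt"},
]]


if __name__ == "__main__":
    for finding in detect_cryptowall(SAMPLE_LOG):
        print(finding)
```

The shadow-copy rule fires on the command line alone, so a Sysmon event ID 1 or Windows Security 4688 event with command-line auditing enabled is enough; the ransom-note rule needs file-create events (Sysmon event ID 11 or equivalent). Note that `vssadmin list shadows` is left alone: deleting shadows is the destructive step, and alerting on every vssadmin invocation would drown the signal in backup-agent noise.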
The attackers leave a ransom note telling victims that their files have been encrypted and giving instructions for paying a ransom in Bitcoins to recover them. If the victim does not pay for the private key held on the attackers’ servers within the specified time period, the attackers say they will destroy that key, leaving the files permanently unrecoverable.
What This Means for Your Company
As you can see, each version of CryptoWall is more threatening than the one before. Recently an FBI official said publicly that the Bureau often advises victims to pay the ransom, because the encryption is strong enough that the FBI cannot help them recover their data. The encrypted file names in CryptoWall 4.0, which appeared after that advice was given, make it hard to even tell which file is which. It is essential for your business to back up regularly, and to test the backups, because there is no guarantee that the criminals will provide decryption keys. There is also concern that paying the ransom funds and encourages new ransomware campaigns, which just adds to the risks to your business.
Your company needs to take action to minimize the chance of being a victim and to prepare – just in case it is – to be able to restore its own data quickly, without dealing with the cyber-criminals. Preparing for a cyber-attack should be part of your IT Disaster Planning. In addition to making sure your systems are secure and restorable, it is essential to provide cyber-security training to all users at your company, including how to recognize phishing campaigns.
Big Idea Technology takes these essential steps to protect our clients. Call us to learn how to protect your company.