Cryptowall Ransomware—a New Kind of Threat

A Trojan is a type of virus that misrepresents itself as a document or a legitimate program. Once you open it, your computer is infected. The most common way Trojans are delivered is via email. This is why you should NEVER click on email attachments you weren't expecting or that come from senders you don't recognize. One click and you can have a major issue.

A particularly nasty Trojan we've been seeing lately is called Cryptowall. It's one of a class of Trojans called "ransomware" because they encrypt files on your hard drive and on mapped network drives, then force you to pay a ransom to obtain the decryption key. The ransom varies by variant, but is usually between $200 and $2000.

The newer versions usually uninstall the actual virus before the pop-ups start. They do this because, with the early versions, someone figured out how to extract the decryption key from the virus itself and was then able to manually decrypt the files. The simple fix for the authors was to uninstall the virus, so we no longer have access to the decryption key.

Fortunately, removal of the virus itself is pretty straightforward.  Unfortunately, if you have any of the newer variants there is no way to manually decrypt the files. If you have a good backup solution, you’re in luck—don’t pay the ransom; just have your IT restore the files from backup and you’re back in business.

In the event that you don't have a good backup, or the virus manages to encrypt the drive holding the backup, you do have the option to pay the ransom. This isn't a simple thing, but the malware authors "helpfully" walk you through it. The first step is to install the Tor browser. Once you have that, you'll get instructions for how to pay using Bitcoin. You'll have to find someone who has Bitcoin to sell. Usually you'll need to meet an actual person somewhere and pay them in cash, then watch them transfer the coins to the website. It all seems extremely shady (because it is), but the steps are designed to make the payment very difficult for law enforcement to track.

At this point, you're skeptical: there's no way they would actually do the decryption, right? You've already transferred the money; what incentive do they have to hold up their end, since you still don't know anything about them? Surprisingly, they do. The point is to extort money, so they have been really consistent about following through after the ransom is paid.

Bottom line

You REALLY don't want this virus. Best case, you are going to be down for most of a day while your IT restores from the last backup. You will also lose anything you worked on between the last backup and the time you were infected. Worst case, if your files, either locally or on the server, aren't backed up, you will have to choose between losing all of them or paying the ransom.

How to protect yourself

DON'T click on things you aren't sure about. If you have a question about a suspicious file in your email or an unusual popup on your computer, you should just assume it's a virus and delete it. If you really think it might be important and you have even a little doubt about it, contact a professional to take a look and tell you. BUT . . . if you have to ask, it's almost always a virus. It might not be Cryptowall, but even a less destructive virus will take at least 2 hours to be cleaned off your PC, since it will have to be scanned multiple times with several tools.

More information

http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99
