Mar 23

CryptoWall, the Virus du Jour


Protect your data

Even tech-savvy computer users (especially those in the software industry!) will eventually suffer the effects of a virus. The latest threat is known as CryptoWall, and like many of its predecessors, it is a Trojan horse type virus.

As with most viruses, CryptoWall delivers its nasty payload via an email attachment, a seemingly harmless application or file, or even a website. It then encrypts the files on the infected machine, and you have to pay for the decryption key if you want your files back in a usable state. This is one reason why this type of virus is also known as “ransomware.”

How does it work? 

Once it gets into your computer, the infection establishes a network connection to one of a set of random servers and uploads connection information such as the public IP address, location, and system information, including the OS.

Next, the remote server copies each file that matches its pre-determined list of supported file extensions. As each copy is created, it is encrypted using the public key, and the original file is deleted from the hard drive.

This process continues until all the files matching the supported file types have been copied and encrypted. This includes files that are located on all the drives: external drives, network shares — basically, any drive that’s assigned a drive letter will be added to the list.

As if that wasn’t bad enough, any cloud-based storage that stores a local copy of the files on the drive will be affected, and changes will propagate to the cloud as the files are changed.

Finally, once the encryption process has completed, CryptoWall executes some commands locally to stop the Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is the service that controls the backup and restoration of data on a host computer. It also controls file versioning, a feature introduced in Windows 7 that keeps a history of the changes made to files. A file can be rolled back or restored to a previous version after an unintended change or a catastrophic event that corrupts it.

The command run by the virus stops the VSS backup service altogether, so you can’t recover files that way, and it also carries the argument that clears/deletes the existing cache of shadow copies, making it even more difficult to recover files through versioning or System Restore.
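The clean-up step described above leaves a trace in process-creation logging, and that is where a defender can catch it before the restore points are gone. The following is an added example, not code from the original post: it applies two detection rules to constructed, simplified process-creation log lines (a made-up `timestamp | host | user | command line` layout, not a real Windows event format) and reports the hosts on which both the shadow-copy deletion and the service stop were seen.

```python
"""
Added example (not from the original post): detect the VSS clean-up step
described above in process-creation log lines. The log layout is a
constructed, simplified "timestamp | host | user | command line" format,
not a real Windows event schema; the detection rules are the point.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log lines: one real alert pair on WS01, plus benign
# vssadmin use ("list", "create") that the rules must NOT flag.
SAMPLE_LOG = """\
2015-03-23T10:02:11 | WS01 | alice | "C:\\Windows\\System32\\vssadmin.exe" list shadows
2015-03-23T10:05:40 | WS01 | alice | "C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet
2015-03-23T10:05:41 | WS01 | alice | net stop vss /y
2015-03-23T10:06:02 | WS01 | alice | "C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n
2015-03-23T11:15:00 | WS02 | backupsvc | "C:\\Windows\\System32\\vssadmin.exe" create shadow /for=C:
"""


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


# Each rule is (name, regex over the command line). Case-insensitive so that
# "VSSADMIN.EXE Delete Shadows" is caught as well.
RULES = [
    ("shadow_copies_deleted",
     re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I)),
    ("shadow_copy_service_stopped",
     re.compile(r'\bnet1?(\.exe)?\s+stop\s+vss\b', re.I)),
]


def parse_line(line: str):
    """Split one constructed log line into its four fields, or None if malformed."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    return parts if len(parts) == 4 else None


def detect(log_text: str) -> List[Alert]:
    """Run every rule over every command line and collect the hits in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, user, cmd = rec
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, name, cmd))
    return alerts


def hosts_with_both_rules(alerts: List[Alert]) -> Set[str]:
    """Hosts on which every rule fired: deleting the copies AND stopping the
    service together is a much stronger signal than either event alone."""
    by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h for h, fired in by_host.items() if len(fired) == len(RULES)}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command}")
    print("hosts with full pattern:", hosts_with_both_rules(found))
```

On the sample input only the two WS01 lines fire; the `list shadows` and `create shadow` lines on the other records stay quiet, which is the false-positive check worth keeping when these patterns are moved into a real SIEM rule. The same two rules map directly onto Windows Security event 4688 or Sysmon event 1, where the command line is a field rather than a pipe-separated column.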

How do I know if my computer is infected?

There are two telltale signs that indicate CryptoWall has compromised a host computer:

  • When attempting to open certain files (.doc, .xls or .pdf, for example), the files are launched with the correct program; however, the data may be garbled or not properly displayed. Additionally, an error message may appear when trying to open infected files.
  • The most common indication will be the appearance of three files at the root of every directory that contains files that were encrypted by CryptoWall:
    • a .txt file
    • an .html file
    • a .url file

Clicking on any of these files left behind in the wake of CryptoWall’s infection will lead the end user to step-by-step instructions necessary to carry out the ransom payment.

The HTML file will actually have a caption indicating the amount of time left on the ransom and how much money is being requested as payment. Typically, the ransom amount begins at $500 (USD), and the countdown timer provides for a period of three days in which to get payment to the requestor.

After the timer has reached zero, the caption will change. The requested amount doubles to $1,000 (USD), and the timer will show a cutoff date and time. Usually the timeframe is about one week, and the caption will state that if payment is not received before the cutoff time, the private key and decryption application held on the remote server will be automatically deleted, making your files unrecoverable.
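Both telltale signs above can be checked without opening a single document. The script below is an added example, not code from the original post: it walks a directory tree read-only and reports files whose content no longer matches what their extension promises and looks like random (encrypted) data, as well as directories that contain a trio of dropped note files (one .txt, one .html and one .url sharing a base name). The sample tree is constructed in a temporary directory, and the note base name `RANSOM_NOTE` is a placeholder, not CryptoWall's real file name.

```python
"""
Added example (not from the original post): read-only triage for the two
signs of infection described above. Sample data is constructed in a temp
directory; "RANSOM_NOTE" is a placeholder name, not the real note file name.
"""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Set, Tuple

# Header bytes a healthy file of each type should start with.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".doc": [b"\xd0\xcf\x11\xe0"],   # OLE2 compound document
    ".xls": [b"\xd0\xcf\x11\xe0"],
    ".docx": [b"PK\x03\x04"],        # ZIP container
    ".xlsx": [b"PK\x03\x04"],
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG"],
}
NOTE_EXTS: Set[str] = {".txt", ".html", ".url"}
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0 for empty input, 8 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when the header does not match the extension AND the content is
    high-entropy. A wrong header alone could just be a mislabelled file."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(head.startswith(m) for m in MAGIC[ext]):
        return False
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def note_trios(filenames: List[str]) -> List[str]:
    """Base names present with all three note extensions in one directory."""
    by_base: Dict[str, Set[str]] = {}
    for name in filenames:
        base, ext = os.path.splitext(name)
        if ext.lower() in NOTE_EXTS:
            by_base.setdefault(base, set()).add(ext.lower())
    return sorted(b for b, exts in by_base.items() if exts == NOTE_EXTS)


def scan(root: str) -> Tuple[List[str], List[str]]:
    """Return (suspect files, directories holding a note trio), relative to root."""
    suspect_files, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        if note_trios(files):
            note_dirs.append(os.path.relpath(dirpath, root))
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                suspect_files.append(os.path.relpath(path, root))
    return sorted(suspect_files), sorted(note_dirs)


def build_sample_tree() -> str:
    """Constructed sample: a healthy PDF in 'ok', and in 'hit' a PDF whose
    body is a stand-in for ciphertext (flat byte distribution) plus a note trio."""
    root = tempfile.mkdtemp(prefix="cw_triage_")
    ok = os.path.join(root, "ok")
    hit = os.path.join(root, "hit")
    os.makedirs(ok)
    os.makedirs(hit)
    with open(os.path.join(ok, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"plain text body " * 50)
    with open(os.path.join(hit, "report.pdf"), "wb") as fh:
        fh.write(bytes(range(256)) * 8)
    for ext in NOTE_EXTS:
        with open(os.path.join(hit, "RANSOM_NOTE" + ext), "w") as fh:
            fh.write("placeholder note\n")
    return root


if __name__ == "__main__":
    files, dirs = scan(build_sample_tree())
    print("files that look encrypted:", files)
    print("directories with a note trio:", dirs)
```

Run it against a mapped drive or a network share from a clean machine; the entropy test keeps ordinary mislabelled files (a text file renamed to .pdf, say) out of the suspect list, while the note-trio check is what tells you which folders the infection actually reached.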

So, then what are my options?

After having confirmed infection with CryptoWall, the next step for the end user is to decide if they are willing to pay the ransom to get their data back, or if they’re not going to pay and lose access to their data altogether.

If you decide to pay, you are required to navigate through a torturous procedure to obtain enough Bitcoins to satisfy the ransom. Yes, Bitcoins. That’s all the captors of your files will accept. As indicated, this is neither easy nor quick.

Can my files be recovered any other way than paying the ransom?

The most effective method to recover your files is by using a backup, either to an external drive or cloud-based. If your files have been backed up regularly, connect your backup drive to a non-infected computer to check your files. If they are indeed on there and not infected, then you simply clean the infected computer of CryptoWall, and you’ll be able to reconnect the drive to restore your data.

If no backup — local or cloud-based — is available, then the only chance at file recovery lies in VSS, the Restore Previous Versions feature, or System Restore, in the remote possibility that CryptoWall’s command to stop VSS and clear the cache didn’t get carried out. Try initiating a System Restore to a date/time prior to the infection.

If it looks like you will be able to restore at least some of the files, remember to clean the computer first to get rid of any/all infections before trying to restore all your data.
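“Check your files” on the backup drive, as the recovery advice above puts it, is much easier when the backup was taken with a manifest. The code below is an added example, not code from the original post: it records a SHA-256 hash of every file when the backup is made and later, on a clean machine, verifies the drive against that record, reporting modified, missing and unexpected files instead of silently restoring them. The sample backup set and the tampering that follows are constructed in a temporary directory.

```python
"""
Added example (not from the original post): a hash manifest for a backup
set, written when the backup is taken and checked before the backup is
trusted for a restore. The backup contents below are constructed sample data.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map of relative path (forward slashes) -> SHA-256 for every file under root."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def verify(root: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup tree against the manifest taken when it was made."""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in expected if current.get(p) == expected[p]),
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "unexpected": sorted(p for p in current if p not in expected),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a manifest of a small backup, then alter the
    backup the way a synced, encrypted copy would look (one file overwritten
    with junk, one removed, one note file dropped) and verify it."""
    base = tempfile.mkdtemp(prefix="cw_backup_")
    root = os.path.join(base, "backup")
    os.makedirs(os.path.join(root, "docs"))
    sample = {"docs/thesis.doc": b"chapter one", "photos.zip": b"PK\x03\x04..."}
    for rel, content in sample.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    manifest_path = os.path.join(base, "manifest.json")   # kept OUTSIDE the backup set
    save_manifest(build_manifest(root), manifest_path)

    with open(os.path.join(root, "docs", "thesis.doc"), "wb") as fh:
        fh.write(b"\x00garbled")
    os.remove(os.path.join(root, "photos.zip"))
    with open(os.path.join(root, "docs", "note.txt"), "w") as fh:
        fh.write("placeholder\n")
    return verify(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:>10}: {paths}")
```

Keep the manifest somewhere the backup drive is not (a second disk, a printout of its own hash, a cloud note); a manifest that lives on the same drive and syncs with it is altered right along with the files it was meant to vouch for.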

Are there steps I can take to protect my computer?

Keep your antivirus and anti-malware applications up to date with the latest virus definition files. And for heaven’s sake, back up your files using a proper backup system, preferably with both a local and a cloud-based backup.

Practice safe surfing. Don’t visit questionable websites, never click links found within emails, and certainly never provide anyone any form of personally identifiable information in chat rooms, forums, discussion boards, or social media sites!