What is CryptoWall?
CryptoWall is classified as a Trojan horse, which is known for masking its viral payload through the guise of a seemingly non-threatening application or file. Its payload involves encrypting the files of infected computers in an effort to extract money for the decryption key.
CryptoWall and viruses similar to it are also known as “ransomware” in that the infection offers the end user a means with which to remove the threat and recover all their files in exchange for paying a ransom. After they pay, the user is allowed to download and run a file and/or application to cleanup the infection or, in this case, decrypt the encrypted files to return them back to a working state.
Where does it come from?
Geographically speaking, that is unknown as of this writing. What is known regarding origins of infection is that CryptoWall is most typically spread through email as an attachment and from infected websites that pass on the virus — also known as a drive-by download.
Additionally, CryptoWall has been linked to some ad sites that serve up advertising for many common websites users visit on a daily basis, further spreading its distribution
How does it infect a computer?
The infection process, as stated previously, is pretty standard for a virus. However, once it gets a hold of the host computer, it begins by establishing a network connection to random servers, where it uploads connection information like the public IP address, location, and system information including OS.
Next, the remote server will generate a random 2048-bit RSA key pair that’s associated with your computer. It copies the public key to the computer and begins the process of copying each file on its pre-determined list of supported file extensions. As a copy is created, it’s encrypted using the public key, and the original file is deleted from the hard drive.
This process will continue until all the files matching the supported file types have been copied and encrypted. This includes files that are located on other drives, such as external drives and network shares — basically, any drive that’s assigned a drive letter will be added to the list. Also, cloud-based storage that stores a local copy of the files on the drive will be affected, and changes will propagate to the cloud as the files are changed. The automatic backup programs like Drop Box and One Drive will see that the local files have changed as they have been encrypted so it will automatically send the encrypted files offsite and there go your backup(s)
Finally, once the encryption process has completed, CryptoWall will execute some commands locally to stop the Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is the service that controls the backup and restoration of data on a host computer. It also controls file versioning, a feature introduced in Windows 7 that keeps histories of changes made to files. The file may be rolled back or restored to a previous version in the event of an unintended change or catastrophic event that causes the integrity of the file to have been modified. The command run by the virus stops the service altogether and also adds the command argument to clear/delete the existing cache, making it even more difficult to recover files through versioning or system restore. Then, CryptoWall simply deletes itself making it even more difficult to catch.
Will I know if my computer is infected?
There are two telltale signs that indicate CryptoWall has compromised a host computer.
When attempting to open certain files, such as .doc, .xls or .pdf, for example, the files are launched with the correct program; however, data may be garbled or not properly displayed. Additionally, an error message may be accompanied when trying to open infected files.
The most common indication will be the appearance of three files at the root of every directory that contains files that were encrypted by CryptoWall.
DECRYPT_INSTRUCTION.txt
DECRYPT_INSTRUCTION.html
DECRYPT_INSTRUCTION.url
Clicking on any of these files left behind in the wake of CryptoWall’s infection will lead the end user to step-by-step instructions necessary to carry out the ransom payment.
The HTML file will actually have a caption indicating the amount of time left on the ransom and how much money is being requested as payment. Typically, the ransom amount begins at $500 (USD), and the countdown timer provides for a period of three days in which to get payment to the requestor.
After the timer has reached zero, the caption will change. The new amount requested will double to $1,000 (USD) and the timer will provide a cutoff date and time. Usually, the timeframe is about one week, and it will indicate that if payment is not received before the cutoff time, the remote server housing the private key and decryption application to decrypt your files will be automatically deleted, making your files unrecoverable.
What are my options if my computer is infected with CryptoWall?
After having confirmed infection with CryptoWall, the next step for the end user is to decide if they are willing to pay the ransom to get their data back, or if they’re not going to pay and lose access to their data altogether.
Paying the ransom is an exercise in and of itself. Unfortunately, the ransom amount must be paid in Bitcoin, a digital currency that’s used to purchase goods and services, similar to US currency. However, due to its lack of regulation and general lack of acceptance, Bitcoin is a niche market and not as common as US currency.
Adding to the difficulty of procurement is that many exchanges that accept US currency for Bitcoins have limited purchases of larger Bitcoin amounts. There are also strengthened company policies that further restrict the accumulation of the necessary amount of Bitcoins to pay off the ransom. Many of these changes have come about as a direct result of the CryptoWall virus, with some exchanges known to cancel transactions and restrict accounts suspected of using their services to pay off the ransom. It’s definitely a Catch-22.
Though difficult, it’s still possible to open an account at an online exchange to begin funding the purchase of Bitcoins in order to pay the ransom in the time allotted. If neither time nor technology is on your side, another viable option is seeking out the services of an IT consultant with experience in this matter. They may be able to assist you in the overall recovery process of your data and may even be able to do so without incurring any penalty due to non-payment within the specified time frame.
Other Options?
Don’t just delete the encrypted files – save them somewhere for future decryption. In the recent past, government security experts have actually confiscated some of the Crypto servers and after working with them, they’ve been able to provide end users with the necessary decrypt codes and information to restore their lost data. Not a guarantee but still a possibility in the future.
Viruses, regardless of whether they’re attacking your files or stealing your banking credentials, are nuisances. We all need to contend with them as our connected lives stretch further out.
While there may be little recourse once infected, there are a lot of possibilities available to limit our exposure to infection and subsequent loss of data. We just need to be proactive enough to ensure that these fail-safes are in place and check on them from time to time.
As the old saying goes, “An ounce of prevention is worth a pound of cure” – Ben Franklin