CryptoWall/Locker (Ransomware)

Computers being infected by viruses has become very common. Sooner or later it is going to happen; it’s not a question of if, but when. Over time, as more devices require the internet, a greater variety of malware will be developed.

This is why viruses such as CryptoWall (a variant of its predecessor CryptoLocker) thrive. The virus is pushed out en masse to everyone and everything, most commonly via email or infected websites looking for “drive-by” internet traffic. No computer is thoroughly protected, and any computer could be damaged by this virus directly or indirectly.

Below are some common questions and answers for this type of virus.

What is CryptoWall?

CryptoWall is considered a Trojan horse: it disguises its payload as programs or files that seem non-threatening or may even appear to be common everyday programs or files. The payload encrypts the files of an infected computer and, from that computer, can reach out to any shared files the infected computer has access to. The virus also creates an encryption key that can be used to decrypt the encrypted files. That key is kept on a server somewhere out on the internet and is supposedly released after the ransom fee is paid.

How does it infect a computer?

The infection process is pretty standard for all viruses; it does not do anything unique to get itself onto a computer. It usually starts by making a network connection to random servers out on the internet and uploading information such as the public IP address, location, and system information, including the operating system.

The remote server will generate a random 2048-bit RSA key pair that is associated with the infected computer. It copies the public key to the computer and begins the process of copying each file. As each copy is created, it is encrypted using the public key, and the original file is deleted from the computer. This process completes once the virus has gone through all files matching its list of file extensions to encrypt.

Once the process is complete it will stop the local Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is a service that controls the backup and restoration of data on a computer. This is done by the virus to make it difficult to try and restore any data.

How will I know if I get the Infection?

There are a couple of signs that will jump out right away if you have this type of infection.

  1. When you attempt to open an encrypted file, it will most likely open with the correct corresponding program for the type of file, and all of the data will look garbled and alien.
  2. The most common sign will be the appearance of 3 files inside every folder that is infected, such as those below:
      DECRYPT_INSTRUCTION.txt
      DECRYPT_INSTRUCTION.HTML
      DECRYPT_INSTRUCTION.url

Clicking on the above files usually leads the user to step-by-step instructions for completing the ransom payment to get your data back.
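The second sign above can be checked across a whole drive or network share. This added example, which is not part of the original article, walks a folder tree for the three note names listed above and reports which folders hold all three or only some. Treating the earliest note timestamp as a rough marker for picking a pre-infection backup is an assumption of this example, as are the function names.

```python
import os
import sys
from datetime import datetime, timezone

# Ransom-note names listed on this page, compared case-insensitively.
NOTE_NAMES = {"decrypt_instruction.txt", "decrypt_instruction.html",
              "decrypt_instruction.url"}


def find_ransom_notes(root):
    """Map each folder under root that holds a note to the notes found there
    and the earliest note modification time (UTC)."""
    hits = {}
    # onerror ignores unreadable folders so one denied path does not stop the scan
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        found = sorted(f for f in files if f.lower() in NOTE_NAMES)
        if not found:
            continue
        mtimes = []
        for name in found:
            try:
                mtimes.append(os.stat(os.path.join(folder, name)).st_mtime)
            except OSError:
                pass  # unreadable note: keep the name, skip the timestamp
        earliest = (datetime.fromtimestamp(min(mtimes), tz=timezone.utc)
                    if mtimes else None)
        hits[folder] = {"notes": found, "earliest": earliest}
    return hits


def summarize(hits):
    """Split hits into folders holding all three notes and folders holding
    only some, and report the earliest note timestamp seen anywhere."""
    full = sorted(f for f, h in hits.items()
                  if {n.lower() for n in h["notes"]} == NOTE_NAMES)
    partial = sorted(f for f in hits if f not in full)
    times = [h["earliest"] for h in hits.values() if h["earliest"]]
    return {"full": full, "partial": partial,
            "first_seen": min(times) if times else None}


if __name__ == "__main__":
    # Usage: python scan_notes.py <folder>; defaults to the current directory.
    report = summarize(find_ransom_notes(sys.argv[1] if len(sys.argv) > 1 else "."))
    for kind in ("full", "partial"):
        for folder in report[kind]:
            print(f"{kind:8}{folder}")
    print("earliest note written (UTC):", report["first_seen"])
```

Run it against each local drive and each mapped share the computer can reach, since the article notes that shared files can be encrypted as well.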

What are your options when infected?

The options when infected are to restore your data from backup or to pay the ransom fee (NOT RECOMMENDED). There is NO guarantee that, if you pay, you will be able to obtain the encryption key to decrypt all of your data.

What are some steps to help protect myself?

  1. Make sure your computer has a current anti-virus program installed with all of the latest updates.
  2. Make sure ALL of your data is being backed up. You can only lose what is not backed up.
  3. Follow safe internet practices. Don’t click links in emails or open email attachments that look suspicious, even if they are from a legitimate contact; don’t visit questionable websites; and do not provide personal information in chat rooms, forum discussion boards, or social media sites.

Be aware that there are viruses out there that can cause catastrophic damage to your personal or business data. As of now, this type of virus is the thorn in everyone’s side; it is ever evolving and very difficult to protect against. Once CryptoWall is stopped, there will most likely be a newer and nastier version developed. Below is a link to a story of a hospital that was hit hard with this type of virus, and again, I do not recommend ever paying a ransom but rather restoring the data from a good backup.

Written by

JoRey Stephens
IT Engineer
Alexssa


Click here to read "Hospital pays bitcoin ransom after malware attack"

http://money.cnn.com/