cryptowall Archives

CryptoWall: Advanced Ransom Malware

Securitycryptowall, malware, securityOphtek, LLC

May 2015

CryptoWall 3.0, a new variant of the Cryptolocker ransom-ware virus is out causing problems to many businesses. Learn how it works and how to prevent it.

Discovered in late February 2015, CryptoWall 3.0 works very much like the previous versions of this virus, however its strategy to infect systems is somewhat different..

How CryptoWall 3.0 works

When the infected file containing CryptoWall 3.0 is opened, the malicious program encrypts all files that it finds mapped over the network.
Files become encrypted and unreadable.
Only the perpetrator can unlock the code to make it readable again.
Once it finishes encrypting all files, it asks for a ransom of around $500USD.
This amount is expected to be paid in Bitcoin currency, which is a universal currency used around the world.

Point of entry and identification

CryptoWall 3.0 employs social engineering tactics via phishing emails. These come through with attachments disguised as an “incoming fax report” displaying the same domain as the one the user is on creating a false sense of trust by making them believe it is a legitimate document. Once opened, Cryptowall picks up all mapped drives identified from the host machine it infects and encrypts all of the contents on it as well as the data on the mapped drives.

CryptoWall 3.0 uses .chm attachments, which is a type of compressed file used for user manuals within software applications. Since .chm is an extension of HTML, this allows the files to be very interactive with different types of media such as images, hyperlinked table of contents and so forth. It also uses JavaScript to allow the attack to send users to any website on the Internet, which occurs when a user opens up the malicious .chm file.
Once the file is opened, the attack automatically runs its course.

CryptoWall: More than meets the eye

Ransom Malware bas been evolving since the first wave of Cryptolocker attacks back in September 2013, which had netted the virus writers over $27,000,000 from claiming ransom money within only a few months of the Cryptolocker operation. Attacks are happening all over the world with detections in Europe, the UK, the US and in Australia.
The sophisticated Cryptolocker and CryptoWall attacks also use botnets, which is a wide network of compromised machines, to be the originators of the attack. Aside from speeding up distribution of the virus, it allows anonymity for the virus writers.

How to prevent CryptoWall 3.0

Set up a rule in your email filters to black list .chm file extensions.
Stay on top of your backups with daily backups which are verified and tested- also have an offline copy of your backups.
Update your office applications baseline such as Java, Adobe Flash player etc…
Patch any vulnerabilities on Windows systems, especially on all Servers.
Be sure to have the latest Anti-Malware signatures.

For more ways to stay protected and safeguard your network, contact your local IT professionals.

Protect Your Data from Being Taken Hostage

Network, Securitybitcoin, cryptowall, virusOphtek, LLC

Nov 2014

Cryptowall can bring your business to a screeching halt. Here is how you can protect yourself against what’s becoming the most malicious malware of 2014.

You don’t need to end up in trouble. We’ve outlined some very important guidelines on what to do to avoid an attack like Cryptowall and Cryptodefense:

Scan any email attachments that land on your email account– especially PDF attachments, which can be disguised as either payments, invoices, receipts, complaints and so forth. This is generally how this Trojan enters the system.
Avoid clicking on any advertisements– not only does this attack happen through attachments, they have also been identified through infected banners on different web pages. Avoid clicking on them at all costs!
Avoid mapping drives directly to servers– For any person with administrator rights, if you’re working from your computer, aim to use remote access tools as needed. This will help reduce risk to the servers directly.
Lock down admin users– assign user accounts by name, so that if an attack happened, the user’s account can be frozen to avoid its credentials being for further used for unauthorized installations.
Verify Backups– a backup is only good if it’s one that can be restored. Test your backups regularly.
Off-site or offline backups– having these will reduce the chances of suffering from a single point of failure due to such an attack. Please note that mapping Dropbox on your computer can still make it subject to this attack.
Whitelisting approved software– you can find tools and systems that can help you with these. You can specify what can run on any system on the network.
Utilize Windows Group or Local Policy Editor – Software Restriction Policies can be created to stop executable files from running on any given path.
Have a Bitcoin account set up in case nothing else works. Being prepared can help you save time.

Here’s what you can do if you find yourself compromised:

Update your AV definition files and scan your system with it -It may not remove the Trojan, but it can remove other nasty programs that it may have allowed to run.
Isolate– do this on the affected workstations and disable user accounts involved ( especially if it has admin rights), as mentioned previously.
Restoring files– use your backups, Shadow Volume Copies or any other file recovering tool available to you.
As a last resort -if all else fails, you may need to pay the ransom. A support file is provided within the given website from the infection. It would indeed be a hard lesson learnt!

Like they say, prevention is better than a cure.

For more ways to protect yourself and your business from malicious attacks, contact your local IT professionals.

Cryptowall Becoming The Most Destructive Malware of 2014

Network, Office IT, Securitycryptowall, malware, securityOphtek, LLC

Nov 2014

Cryptowall, Cryptolocker and Cryptodefence; all malware looking to hold your computer ransom. Here’s what you need to know about these viruses.

Cryptowall is one of the worst malwares out there that can maliciously encrypt your network and system files, holding them ransom in exchange for a Bitcoin payment. Typical Bitcoin payments can vary between $500 to $1000. Since there’s many hacker groups in existence in the wilderness, Cryptowall has evolved from Cryptolocker to practically do the same thing. And to confuse matters even more, there’s another variant like Cryptowall known as Cryptodefense.

The ransom message from a Cryptowall infection

Cryptowall in a nutshell

Cryptowall works by using encryption to change all of your network files, making them unreadable.
It affects Windows XP to Windows 8 Operating Systems.
It also cleverly deletes Shadow Volume Copies to stop any admins from restoring encrypted files.
Only the attacker holds the key to decrypt the files that makes them readable again.
The ransom increases after 7 days to nearly double the amount and is only payable with Bitcoin.

With this angle of attack, it’s no wonder why hackers are using this hostile method to forcibly siphon Bitcoin payment from their prey.

Examples of attacks

Durham Police

One prime example that has gained recent media coverage is Durham town police in New Hampshire. As a typical response from any law enforcement agency, the police refused to pay the ransom to cooperate with the cyber criminals.
It had impacted 1500 of their own computers, with most of their police e-mail system, spreadsheets and word processing functions being affected. It had bypassed their spam and AV filters, and was masked as an attachment in an email.
The danger lies in that the police receive plenty of emails with attachments to notify them of complaints such as potholes from residents, which of course, aren’t to be ignored. For this very reason an infected email attachment was opened, executed and it ran through the system.
Fortunately for them, they were able to stop the attack from spreading to other company functions and police networks in other towns by isolating their network and recouping their system from offline back-ups.

Business Decisions

Another example of an attack came from a client of Stu Sjourwerman’s security training firm knowB4. The attack happened after an administrator opened an infected file, which ran through onto their 7 mapped server drives, encrypting all 75 GB of data held there.

There were many negative factors against them:

Firstly, they had unverified backups, which would take time to see whether they worked or not, a risk which would be costly to the time in terms of extended downtime with no guarantee of a successful restore.
Secondly, setting up a Bitcoin account involves a lengthy process to set up with society checks that can take days to complete.
In desperation with shortening their downtime, they decided to pay the ransom. It was a business decision, meaning either losing out $500 in Bitcoin or thousands for operation downtime.
The problem was, they didn’t have the Bitcoin to pay the ransom.

The turning point:

Luckily, they had sought Stu Sjourwerman’s help, where he had Bitcoins at hand, ready for such an event like this one.
This company’s IT admins had, prior to this event, taken a security awareness course lead by ex- hacker Kevin Mitnick and with Stu Sjourwerman.
Contrary to the police case, this company had taken the advice from the course, and with Stu Sjourwerman’s Bitcoins, they managed to pay the ransom to avoid further downtime.
In the end they did recover their files; however there was corruption to one of their databases, which all in all took another painstaking 18 hours to return to normal.

Not all cases end well and not all ransoms release the files as promised. It’s really at the discretion the criminal cyber gangs controlling the attack.

For more ways to strengthen your office security and IT policy enforcement, contact your local IT professionals.

Tag Archives: cryptowall