What is CryptoWall?
CryptoWall is a type of malware called "Ransomware." Ransomware prevents you from using your computer, and demands that a ransom be paid to restore to you the function of your computer. In the case of CryptoWall, CryptoDefense, and CryptoLocker, they have gone one step further: They encrypt your documents using 2048 bit encryption, which is unbreakable without the de-encrypt code. CryptoWall will encrypt any document it can reach, including those stored on network shared drives, if it can write to the shared drive. CryptoWall encrypts all kinds of documents: Adobe Acrobat (.pdf), MS Office (.doc, .docx, .xls, .ppt, etc.), Intuit QuickBooks, tax and accounting files, images (.bmp, .jpg, .gif, etc.), text documents (.txt) and more. If you try to open one of these files after encryption, you will be told that the documents are either corrupt or encrypted. CryptoWall then displays a screen on your desktop that explains the bad news:
You are given instructions on paying the ransom in bitcoins or other means, and are left with trusting that the attackers will send you the code necessary to unencrypt your documents. If you wait too long, the price goes up or the code is destroyed. Internet reports indicate that the attackers do send the de-encrypt code approximately half the time. If you receive the de-encrypt code, using the same malware that infected your computer and encrypted your files, it de-encrypts them.
It is an interesting trend that the attackers have gone from attacking only businesses to attacking private individuals. Their goal is to force you to pay the ransom to recover your family photos and important documents.
How do you know you have CryptoWall?
When CryptoWall is done with encrypting a directory of documents, it places the above notice in the directory. There are other telltale signs saved in the Windows Registry.
What can you do if you have CryptoWall?
As soon as you know that you have CryptoWall, you should power off immediately to prevent further damage. Although, if you see the ransom banner on your desktop, it is likely too late.
If your data is being held for ransom by CrytpoWall, you have very few choices on how to proceed:
- Wipe and reload your operating system, trying to conserve that data that can be saved, and scan that data for malware. Our technicians are very experienced at this and when we're done, you should notice a remarkable improvement in the speed and reliability of your computer. We'll also put safeguards in place to reduce the likelihood of this happening again.
- Restore your backups. You DO have your documents backed up, don't you? If you do, you'll want to make sure the Ransomware has been thoroughly removed. Let us know if you want help with this.
- GigaParts can offer a Limited Forensic Examination, and this can sometimes recover documents, pictures, and help you determine how you got infected. Even with the state-of-the-art forensic tools available to us, this process usually the chances of recovering even some of your lost files with this method is slim, but may be worth the investment depending on the value of the files you lost.
- Paying the ransom. Beware: there's a significant risk that you would pay the ransom and not receive your files back. In either case, the perpetrators will be rewarded for their bad deeds.
What can you do to protect against CryptoWall?
- We recommend having our technicians install a program called CryptoPrevent that sets policies in Windows to prevent CryptoWall and other malware from getting a foothold. Our technicians can install CryptoPrevent through a remote support session for only $35. CryptoPrevent, plus a good and up-to-date anti-malware package is cheap insurance to make sure you don't lose your valuable files.
- Employ a good and up-to-date anti-malware package that scans your e-mail attachments. If you don't update your antivirus definitions, you run the risk of an attack that is too new for your antivirus to recognize. This is a goal of the attackers. We have several good anti-malware solutions to offer you.
- Backup, backup, backup. You need to have reliable backups, preferably kept in more than one location. Remember, that if you back up your documents to any hard drive that you have network access to, CryptoWall will try to encrypt them there, too. Also, CryptoWall acts first by destroying shadow volume (internal) backups. We recommend redundant and air-gapped (unplugged) or offsite (Cloud) backups.
- Be extremely careful when you open an e-mail attachment. This is the most common means that people get infected, and the attackers have nothing better to do than create an e-mail and attachment that you will bite on. We have seen the attachments disguised as voice mails, faxes, photographs, documents, and other innocent looking things simply by calling it "voicemail.wav.exe". Windows will hide that ".exe" by default, so you think you are opening a voicemail sound file.
- Be extremely careful when you download a file to install on your computer and scan it with your recently updated antivirus before you run it. Many websites that you go to trigger a page that alerts you that you are already infected, or that you need to install such and such to view a video file, or that you should contact a certain phone number immediately. Many of these sites look quite legitimate. The attackers have learned that if you make a believable site, people will click on it. If you are in doubt, don't dial any number or use any link or e-mail in the website, but use a known good phone number, website, or e-mail address to find out if the offer is legitimate.