
What is CryptoWall?


CryptoWall - The Next Security Threat

Over the last 18 months we have seen a number of highly publicized security threats that many companies and consumers struggled to deal with. One of these threats was a nasty piece of malware called CryptoLocker, which holds your files for ransom. While this has now largely been dealt with, news is surfacing of a second version - called CryptoWall - that has begun to infect users.

What is Crypto malware and how do I get it?

The Trojan is mainly distributed through spam campaigns, compromised websites, malicious ads, or other malware.

It is very important to understand the class of malware that CryptoLocker and CryptoWall belong to. Crypto malware is a type of Trojan horse that, once installed on a computer or device, holds the data and system hostage. It does this by locking valuable or important files with strong encryption. You then see a pop-up informing you that you have a set amount of time to pay for a key that will unlock the encryption. If you don't pay before the deadline, your files are deleted.

When this malware surfaced last year, many users were understandably more than a little worried and took strong precautions to ensure they did not get infected. Despite these efforts, it really didn't go away until earlier this year, when security experts introduced a number of online portals that can decrypt files affected by CryptoLocker, essentially neutralizing the threat. Until now, that is: a recently updated version is threatening users once again.

CryptoLocker 2.0, a.k.a. CryptoWall

Possibly because of efforts by security firms to neutralize the CryptoLocker threat, the malware's developers have come back with an improved version, CryptoWall, and it is a threat that all businesses should be aware of.

With CryptoWall, the transmission and infection methods remain the same as they did with the first version: It is most commonly found in zipped folders and PDF files sent over email. Most emails with the malware are disguised as invoices, bills, complaints, and other business messages that we are likely to open. The Trojan may also be distributed through exploit kits hosted on compromised websites or malicious ads. 

The developers did however make some "improvements" to the malware that make it more difficult to deal with for most users. These changes include:

  • Unique IDs are used for payment: These are addresses used to verify that the payment is unique and from one person only. If the address is used by another user, the payment is rejected. This differs from the first version, where one person who paid could share the unlock code with other infected users.
  • CryptoWall can securely delete files: In the older version of this threat, files were deleted if the ransom wasn't paid, but they could be recovered easily. In the new version the deletion is secured by the stronger encryption, so the file really is gone. This leaves you with the choice of paying the ransom or retrieving the file from a backup.
  • Payment servers can't be blocked: With CryptoLocker, when authorities and security experts found the addresses of the servers that accepted payments, they were able to add these to blacklists, ensuring no traffic would come from, or go to, these servers again. Essentially, this made it impossible for the malware to actually work. Now it has been found that the developers are using their own servers and gateways, which makes them much, much harder to find and ban.

How do I prevent my systems and devices from being infected?

As far as we know, CryptoWall doesn't go after passwords or account names, so the usual changing of your passwords won't really help. The best way to prevent this from getting onto your systems is to stop it before it enters your network.

Since the most common way for this virus to get into your systems is a user unintentionally letting it in, mostly through email attachments, it is crucial that companies implement a managed email security policy with products such as our SpamControl, a managed email security platform that acts as one of the most important layers of security you can put in place.

  • Don't open any suspicious attachments - Look at each and every email attachment that comes into your inbox. If you spot anything that looks odd, such as a spelling mistake in the name or a long string of characters run together, it is best to avoid opening it.
  • Don't open emails from unknown sources - Be extra careful about emails from unknown sources, especially ones that claim to provide business-oriented information, e.g. bank statements from banks you don't have an account with or bills from a utilities company you don't use. Chances are high that they contain some form of malware.
  • Install a firewall that has an active Intrusion Prevention System and can actively scan data as it enters the network.
  • Use a managed IT services company to manage your desktop security. As an example, DCS clients will often have a web security package enabled that keeps users from reaching websites infected with CryptoWall.

Should your files be attacked and encrypted by this malware, then the first thing you should do is to contact us. We can work with you to help find a solution that will not end up in you having to pay the ransom to recover your files.

If you want to learn more about CryptoWall malware and how to boost your security and protect your data and systems, then contact one of our representatives and we can speak about how we could be your best line of defense.