CryptoWall – Ugly Cousin to CryptoLocker

CryptoWall – Ugly Cousin to CryptoLocker

Some of you will remember the recent outbreak in the wild of CryptoLocker; a particularly virulent ransomware program that would take over and encrypt files on servers which essentially held them hostage until payment was made or backups could be restored. The cost of this was monumental in regards to how much time was lost in data recovery and general productivity; not to mention those that caved and payed the criminals for decryption. The network that supported CryptoLocker, the Gameover Zeus Botnet, was taken down thanks to a collaborative effort from international authorities and CryptoLocker faded away fairly quickly.

Unfortunately, a replacement wasn’t far behind.

What’s different about CryptoWall?

Like development cycles on most software, when a product is rushed to fill a gap in the market, it tends to be poorly assembled and lacks some of the functions of its predecessors. This is the case in so far as it isn’t as infectious as CryptoLocker and lacks the same panicked pressure, but this doesn’t mean it should be discounted. Many managed services providers have struggled with cleaning up the aftermath, educating staff and spreading the message of prevention. The attack vector seems to be similar in that a compromised PDF file or an EXE file will be attached to email with some degree of a legitimate appearance; an invoice, accounting file or something along those lines. It has also been modified to inlude audio and video files making it look a bit more like a consumer focused infection. Once executed, the infection attacks network shares and encrypts all of the standard data file types, rendering them unusable. In each compromised directory are 3 files that offer instructions for where to go and how to pay the ransom to have them decrypted. It even is so bold as to open a browser window on the infected machine with the decryption site front and center.

How do we prevent this?

Primarily, exercise extreme caution when opening attachments that come from unfamiliar and unusual sources. Be even more diligent if you work with sensitive, confidential or financial data. If you’re not sure about the source of something, don’t open it and call whoever originated the email to verify. Anti-Virus and Anti-Malware programs may not be equipped to catch this and social exploits are often the low hanging fruit when it comes to compromising networks. If you’re not sure, call your managed services provider and have someone with technical expertise review it.

What do we do if we’re infected by CryptoWall?

CryptoWall File Drop

First and foremost, if you see the following files in any network share, DO NOT open ANY other files in that directory and instruct ALL STAFF to abstain from using the files as well. Failing to do so will further infect your network and can leave you open to continuous compromises. Immediately contact your IT department or your managed services provider.

If your managed services provider has done their job correctly, you will have an effective disaster recovery plan in place that will include a combination of the following; onsite backups, offsite backups and “shadow copies” will be enabled for critical servers. This will allow your MSP to remove the malware, delete the compromised data and restore to the most recent clean copy of all the data that was affected. This can still result in lost productivity as changes post infection/encryption will need to be re-entered. This should just further drive home the point that care must be taken to avoid the infection in the first place.

What if we aren’t sure about our Disaster Recovery Plans?

If you don’t know the depth of your DRP, find out as soon as possible and correct any deficiencies. In the Toronto area, BIT Incorporated can provide free consultation and help you plan to avoid this kind of disaster and put together to correct suite of managed services to protect your business continuity.

Call us any time at 416-646-1690

Need Help?