The latest iteration of the CryptoWall ransomware is more effective than ever at extorting money from its victims. How can you protect your firm from the threat?
News sources have reported the release and proliferation of CryptoWall 4.0. This follows the release of CryptoWall 3.0, itself an update of the original – and now largely defunct – CryptoLocker ransomware. This blog post explains what CryptoWall is, how it works, and what steps you can take to protect yourself from attack.
What Is CryptoWall 4.0?
CryptoWall 4.0 is in essence very similar to the CryptoLocker malware that was first discovered in late 2013. It is a Trojan horse – malware that masquerades as a legitimate file or routine action in order to install a malicious payload on a machine – and it tends to spread via email attachments and compromised websites.
CryptoWall’s primary aim is to extort money from the businesses and individuals it infects. It does so by encrypting files saved locally and on shared drives connected to affected machines. Once the files have been encrypted, the user is notified and asked to pay in Bitcoin (an online currency and payment method) in order to obtain the key that will decrypt the files.
Infected users are typically put under time pressure. For example, after three days the price of the decryption key may increase, and after seven days the decryption key is permanently deleted, rendering the encrypted files unrecoverable.
How Does CryptoWall 4.0 Work?
There are two primary ways in which CryptoWall infects machines: via an email attachment or link, or through a ‘drive-by’ infection when the user visits a compromised website. Whichever way it arrives, a payload is delivered that installs itself in the user profile folder. The payload then contacts a central command and control server, which generates a 2048-bit RSA key that the payload uses to encrypt all files with certain file extensions.
The user then receives a message notifying them that their files have been encrypted, and demanding payment in order to receive a program that is pre-loaded with the decryption key.
CryptoWall 4.0 poses a greater threat than previous iterations. It features improved communication abilities, lower detection rates thanks to modified protocols, and new behaviour such as renaming encrypted files (making it harder to tell which files have been affected).
How Can You Protect Your Firm?
Let’s look at the worst-case scenario first. If you do get infected, best-practice advice is increasingly leaning towards paying the ransom. Traditionally, restoring from backups taken before the infection has been effective. However, the new CryptoWall payloads include countermeasures such as turning off and deleting volume shadow copies, and delaying notification of the infection so that clean backups have already aged out of the retention period.
Either way, the infected machine should be disconnected from the network, powered off, and then rebuilt.
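Two of the behaviours described above (a payload running from the user profile folder, and the deletion of volume shadow copies before the victim is notified) are visible in process-creation telemetry. The following detection logic is an added example, not code from the original post or from Capital Support; it runs over constructed Sysmon-style events, and the field names, paths and rule labels are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# These are invented for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\7b3f1a9c.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\7b3f1a9c.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\7b3f1a9c.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign: listing, not deleting
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": "agent.exe --snapshot",             # benign backup agent
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Command lines that destroy Volume Shadow Copies, which the post notes CryptoWall
# uses to defeat restore-from-backup (see MITRE ATT&CK T1490 for the technique).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Executables launched from inside a user profile (where the post says the payload
# installs itself). Legitimately installed software rarely runs from here.
USER_PROFILE_EXEC = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads)\\.*\.exe$", re.I)

def classify(event):
    """Return the list of rule labels that fire for one process-creation event."""
    findings = []
    cmd = event.get("CommandLine", "")
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        findings.append("shadow_copy_deletion")
        # Highest severity: the deletion was spawned by a user-profile executable.
        if USER_PROFILE_EXEC.match(event.get("ParentImage", "")):
            findings.append("shadow_copy_deletion_from_user_profile_parent")
    if USER_PROFILE_EXEC.match(event.get("Image", "")):
        findings.append("exec_from_user_profile")
    return findings

def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", labels)
```

In a real deployment the "shadow_copy_deletion" rule alone will also fire on legitimate backup maintenance, so the parent-image condition is what turns it into a high-confidence ransomware alert.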
Of course, it’s better to prevent a CryptoWall attack in the first place than have to deal with the consequences of an infection. We recommend taking the following six steps, keeping in mind that user education is absolutely key:
- Make sure that you take regular backups, and that you have tested that they can be restored;
- Ensure that your antivirus is real-time updated and that active scanning is on;
- Keep all software up-to-date, including Java, Adobe Flash Player, Adobe PDF and so on;
- Never click on links or open attachments in emails that you are not absolutely sure of;
- Don’t visit questionable websites, and take care when downloading files and applications;
- Ensure that user access rights are set up appropriately, so that not everyone has access to every file.
The following measures may be worth considering, but bear in mind that they may not always be practical for your firm:
- Restrict permissions to read-only;
- Store documents in a database, for example a document management system;
- Do not use Adobe Flash Player if you can avoid it – Flash is frequently exploited by cybercriminals in order to deliver malware payloads;
- Implement ad-blocking and anti-spam filters;
- Enable software restriction policies through Group Policy.
CryptoWall 4.0, like its previous iterations, has proven a highly effective tool for cybercriminals to extort money from businesses and individuals. Unfortunately, it is nearly impossible to eliminate the risk of infection completely, but steps can be taken to reduce it. At Capital Support we have implemented a number of measures that help to protect us from CryptoWall 4.0 and other malware attacks:
- We have strengthened our perimeter by adding a next generation firewall layer;
- All emails are scanned for spear-phishing and targeted threats;
- We take regular backup snapshots, reducing the amount of data lost in the event of an infection;
- We educate all our staff about email phishing and safe Internet practices;
- We have a 24-7 security operations centre monitoring our network.
To learn more about how you can reduce the risk of suffering from a ransomware attack, or what to do if you do get infected, feel free to contact us.