CryptoWall and its variants are still favorite toys of the cybercriminals that want your Bitcoin. In fact, according to the 2018 Verizon Data Breach Investigation Report, ransomware incidents now make up about 40% of all reported malware incidents! Some reports say CryptoWall 3.0 has caused over 325 million dollars in damages since it first came on the scene.
CryptoWall first appeared in the wild around 2014: since then, cybercriminals have updated and iterated on it several times to make it even harder to detect and remove.
Get the Free Pen Testing Active Directory Environments EBook
The CryptoWall virus is cheap and easy to use, spreads fast, and people continue to pay the ransom hoping to get their files back. (Tl;dr: Don’t.) It’s important to maintain constant vigilance to protect data from the CryptoWall virus and all its variants – along with all types of cyberattacks.
What is CryptoWall?
CryptoWall is a particularly nasty form of ransomware. It does much more than just encrypt your files and prompt you to pay for the key: it tries to hide inside the OS and adds itself to the Startup folder. Worse still, CryptoWall deletes volume shadow copies of your files – making it difficult (or in some cases impossible) to restore your data. And while it’s there, it’ll try to get your passwords and Bitcoin wallets for good measure.
CryptoWall 3.0 is by far the most lucrative version so far. It uses strong RSA-2048 encryption to lock your files and try to get you to pay the ransom.
CryptoWall v4 introduced a new feature to encrypt both the files and the filenames, meaning that you can’t simply look at the filename to check (and restore) if you have a backup. The ransom notes got a lot sassier as well, just to pour salt on the wound of your encrypted data.
CryptoWall v5.1 is the latest version based on the HiddenTear malware. It uses a different AES-256 encryption, which doesn’t follow with the previous versions. It’s possible that the developers used the CryptoWall name, but not any of the original code.
There are several variants of CryptoWall: CryptoDefense is one of those variants, for example. For the most part, you can treat them similarly.
How CryptoWall Works
There are several different methods to spread CyptoWall and infect devices:
- Phishing Email: CryptoWall is most often triggered by the end user via a phishing email. Phishing emails try to trick users into clicking a link which downloads malware onto their computer.
- Exploit Kits: The next most common attack vector is as part of an exploit kit, which take advantage of security vulnerabilities to deploy malware needed to execute the attack. Known vulnerabilities can be in the operating system, in applications you use, or in websites you visit, like WordPress.
NOTE: Code injection is a common hacking technique, and it does not always have to take advantage of a bug or be malicious.
Once it’s on your computer, CryptoWall injects new code into explorer.exe (based on the version of Windows installed) and restarts explorer.exe. This special version of explorer.exe installs malware, deletes the volume shadow copies, disables windows services, and spawns a new svchost.exe process with more injected modules.
If, for some reason, it fails to inject code into explorer.exe, CryptoWall will use svchost.exe to spawn a new explorer.exe it can inject the code into. This instance of svchost.exe is also responsible for network communication to home base, file encryption, and removing the malware once it’s finished.
CryptoWall installs itself into the registry and your startup folder: restarting won’t clear things up – if you don’t remove all of the CryptoWall software while you are in Safe Mode, it will start right back up when you log in again.
CryptoWall needs to communicate with a Command and Control server(C&C) to continue the ransomware attack. The C&C sends CryptoWall the encryption key that it will use to encrypt your files. CryptoWall then runs through all of your files, both locally and on any connected networks, and encrypts your most personal data, for example, your documents, presentations, code, music files, and pictures, music files, and pictures.
The encryption locks the contents of your files, and the only way to get them back is with the encryption key.
What CryptoWall Tells You to do
Once the encryption is complete, you’ll get a ransom note with instructions on how to make payment: often about $1000 worth of Bitcoin. After the ransom note is issued, the malware deletes itself.
The attackers might offer to decrypt a file or two for free to demonstrate good faith: don’t fall for it. There is no guarantee that you will get your files back: only 19% of users that pay the ransom get their files back.
How to Protect Against CryptoWall?
It’s unlikely that you’ll get your files back: in this case (and most ransomware cases), prevention is better than a cure.
Tips to prevent (or disarm) potential ransomware attacks:
- Keep your computer patched and up to date
- Malware uses known vulnerabilities in software to move to new computers. If you leave those vulnerabilities unpatched, you’re effectively leaving an open door for the cybercriminals to enter. If you keep the OS and all of your applications patched to the latest releases, you stand a better chance of avoiding malware infections.
- Use an anti-virus scanner
- Anti-virus solutions, when updated regularly, can protect you from several kinds of malware attacks. They quarantine known malware programs and prevent them from executing
- Use a firewall
- A local firewall can protect you from some connections that malware uses, like to the Command and Control server. The CryptoWall ransomware, in particular, depends on a connection to home base to continue the attack. A local firewall may be able to prevent the malware from making that connection and killing the attack.
- Don’t click the links
- Don’t click links or download files from suspicious emails. If you click a malicious link or download a malicious file, you’re inviting the cybercriminal and their malware into your home.
- Practice safe browsing habits
- Back up your files
- Always keep a backup copy of your files. It works for a hard drive failure or for ransomware. There are plenty of online cloud storage options of varying security levels and cost. You can also setup a local SAN or USB hard drive to back up your important files.
If CryptoWall slips past your defenses and infects your computer, remove CryptoWall before you use your computer again:
- Boot your computer into Safe Mode with Networking
- If you have a recent and clean System Restore point, you can restore, if not:
- Download and install a malware removal application.
- Run malware removal app and scan all of your files
If you’re planning an enterprise-wide security strategy to protect against ransomware attacks, there are a few other items to consider on top of the end user items above.
Maintain a least privilege model: When you maintain a least privilege model, users only have access to the files absolutely necessary to do their job – and if hit by CryptoWall, the ransomware can only encrypt those files. By enforcing a least privilege model, you’re limiting the scope of the ransomware attack by a lot. And with a good backup plan, it’s a simple recovery process.
Leverage security analytics to protect your files from ransomware: Varonis monitors your enterprise data stores, mailboxes, proxies, DNS, and VPNs – with threat models specifically designed to catch ransomware attacks in progress.
A ransomware attack can be devastating to an organization: lost productivity, potentially leaked, stolen, or lost data, recovery fees and resources, and more. Get a custom demo to see how we can protect your valuable data and help stop CryptoWall infections.
Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.