Viruses infecting computers are as common as ants invading the picnic table — sooner or later, it's just going to happen. The reality surrounding malware is that it's here to stay. The more that the Internet of Things (IoT) permeates our daily consciousness, granting smart features to everyday items, the greater the influx of malware will be.
Such a target-rich environment is precisely what a majority of malware thrives in. The more targets, the greater the chance of a pay off (or destruction) — whatever the motivation behind the malware, more is viewed as better than less.
This is why viruses like CryptoWall (and its predecessor, the now defunct CryptoLocker) are poised to strike consumers and enterprises alike, and hard. With the internet as its distribution point, any Windows desktop that is not thoroughly protected will likely feel the pain of CryptoWall's payload through either direct or indirect infection.
Below are some common questions I've received when speaking to victims of the infection, along with the best explanations I can offer of what this virus is, what it does, and how to protect your systems against it.
What is CryptoWall?
CryptoWall is classified as a Trojan horse, which is known for masking its viral payload through the guise of a seemingly non-threatening application or file. Its payload involves encrypting the files of infected computers in an effort to extract money for the decryption key.
CryptoWall and viruses similar to it are also known as "ransomware" in that the infection offers the end user a means to remove the threat and recover all their files in exchange for paying a ransom. After they pay, the user is allowed to download and run a file and/or application to clean up the infection or, in this case, decrypt the encrypted files to return them to a working state.
Where does it come from?
Geographically speaking, that is unknown as of this writing. What is known regarding origins of infection is that CryptoWall is most typically spread through email as an attachment and from infected websites that pass on the virus — also known as a drive-by download.
Additionally, CryptoWall has been linked to some ad sites that serve up advertising for many common websites users visit on a daily basis, further spreading its distribution.
How does it infect a computer?
The infection process, as stated previously, is pretty standard for a virus. However, once it gets a hold of the host computer, it begins by establishing a network connection to random servers, where it uploads connection information like the public IP address, location, and system information including OS.
Next, the remote server will generate a random 2048-bit RSA key pair that's associated with your computer. It copies the public key to the computer and begins the process of copying each file on its pre-determined list of supported file extensions. As a copy is created, it's encrypted using the public key, and the original file is deleted from the hard drive.
This process will continue until all the files matching the supported file types have been copied and encrypted. This includes files that are located on other drives, such as external drives and network shares — basically, any drive that's assigned a drive letter will be added to the list. Also, cloud-based storage that stores a local copy of the files on the drive will be affected, and changes will propagate to the cloud as the files are changed.
Finally, once the encryption process has completed, CryptoWall will execute some commands locally to stop the Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is the service that controls the backup and restoration of data on a host computer. It also controls file versioning, a feature introduced in Windows 7 that keeps histories of changes made to files. A file may be rolled back or restored to a previous version in the event of an unintended change or a catastrophic event that compromises the file's integrity. The command run by the virus stops the service altogether and also adds the command argument to clear/delete the existing cache, making it even more difficult to recover files through versioning or system restore.
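The service-stop and shadow-copy-deletion step described above is the most reliable thing for a defender to alert on, because the encryption itself looks like ordinary file activity. The following is an added example, not code from the article: it runs two detection rules over constructed process-creation records (the field names and the parent executable name are placeholders, not real telemetry) and rates a parent process that both stops VSS and deletes existing shadow copies as high severity.

```python
import re

# Constructed sample process-creation records (not real telemetry), shaped like
# the parent/child command-line fields a defender would export from Sysmon
# Event ID 1 or Security Event 4688. The parent name is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "cmd": r'"C:\Program Files\Office\winword.exe" report.docx'},
    {"pid": 5088, "parent": "attachment_placeholder.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 5090, "parent": "attachment_placeholder.exe", "cmd": "net stop vss"},
    {"pid": 5101, "parent": "svchost.exe", "cmd": "vssadmin.exe list shadows"},
]

# Detection rules over the command line. Both tools are legitimate admin
# utilities, so the parent process is what turns a match into an alert.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_service_stopped", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+vss\b", re.I)),
]

def classify(event):
    """Names of the rules this event's command line matches (empty if benign)."""
    return [name for name, rx in RULES if rx.search(event["cmd"])]

def suspicious_parents(events):
    """Map each parent process to the set of rules its children triggered."""
    hits = {}
    for ev in events:
        names = classify(ev)
        if names:
            hits.setdefault(ev["parent"], set()).update(names)
    return hits

def triage(events):
    """'high' when one parent both stopped the service and deleted existing
    shadow copies (the sequence described above); 'medium' for a single match."""
    return {parent: ("high" if len(names) == len(RULES) else "medium")
            for parent, names in suspicious_parents(events).items()}

if __name__ == "__main__":
    for parent, severity in triage(SAMPLE_EVENTS).items():
        print(f"{severity}: {parent} tampered with Volume Shadow Copies")
```

In a real deployment the same rules would read from the endpoint's event forwarder rather than a list, and administrators' own backup tooling should be allow-listed by parent process to keep the alert low-noise.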
Will I know if my computer is infected?
There are two telltale signs that indicate CryptoWall has compromised a host computer.
- When attempting to open certain files, such as .doc, .xls or .pdf, for example, the files are launched with the correct program; however, the data may be garbled or not properly displayed. Additionally, an error message may accompany attempts to open affected files.
- The most common indication will be the appearance of three files at the root of every directory that contains files that were encrypted by CryptoWall.
Clicking on any of these files left behind in the wake of CryptoWall's infection will lead the end user to step-by-step instructions necessary to carry out the ransom payment.
The HTML file will actually have a caption indicating the amount of time left on the ransom and how much money is being requested as payment. Typically, the ransom amount begins at $500 (USD), and the countdown timer provides for a period of three days in which to get payment to the requestor.
After the timer has reached zero, the caption will change. The new amount requested will double to $1,000 (USD) and the timer will provide a cutoff date and time. Usually, the timeframe is about one week, and it will indicate that if payment is not received before the cutoff time, the private key and decryption application housed on the remote server will be automatically deleted, making your files unrecoverable.
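The first telltale sign above, a document that opens in the right program but shows garbage, can be checked mechanically: an encrypted file no longer starts with the header its extension implies, and its bytes look like random noise. This added example (not from the article) classifies files by comparing the first bytes against well-known format signatures and measuring entropy; the directory-walking helper and the random-byte stand-in for ciphertext are constructed for illustration.

```python
import math
import os
from collections import Counter
from pathlib import Path

# Leading bytes ("magic numbers") of common targeted formats. These are
# published format constants, not anything taken from the article.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls container
MAGIC = {
    ".pdf": [b"%PDF"],
    ".doc": [OLE2], ".xls": [OLE2],
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"],   # OOXML is a ZIP
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}
HIGH_ENTROPY = 7.0   # bits per byte; ciphertext sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the sample; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(name: str, data: bytes) -> str:
    """Classify a file from its name and first bytes:
    'unknown'          extension not in MAGIC
    'intact'           header matches the extension
    'header-mismatch'  wrong header but low entropy (corruption, mis-named file)
    'likely-encrypted' wrong header and ciphertext-like entropy"""
    sigs = MAGIC.get(Path(name).suffix.lower())
    if sigs is None:
        return "unknown"
    if any(data.startswith(s) for s in sigs):
        return "intact"
    return "likely-encrypted" if shannon_entropy(data) >= HIGH_ENTROPY else "header-mismatch"

def scan(root: str, sample_size: int = 4096):
    """Yield (path, verdict) for files under root that fail the header check."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                verdict = assess(path.name, fh.read(sample_size))
            if verdict in ("likely-encrypted", "header-mismatch"):
                yield str(path), verdict

# Constructed stand-in for an encrypted file body: random bytes have the same
# entropy profile as ciphertext, so they exercise the 'likely-encrypted' branch.
ENCRYPTED_SAMPLE = os.urandom(4096)
```

Run scan() against a suspect share from a clean machine to see how far the encryption got, and treat a cluster of 'likely-encrypted' verdicts in one directory tree as confirmation rather than a single file, since a mis-named or truncated document can also fail the header check.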
What are my options if my computer is infected with CryptoWall?
After having confirmed infection with CryptoWall, the next step for the end user is to decide if they are willing to pay the ransom to get their data back, or if they're not going to pay and lose access to their data altogether.
If deciding to pay the ransom, continue reading. If deciding not to pay the ransom, jump down to the next section for some helpful steps to take that may or may not allow you to recover your files.
Paying the ransom is an exercise in and of itself. Unfortunately, the ransom amount must be paid in Bitcoin, a digital currency that's used to purchase goods and services, similar to US currency. However, due to its lack of regulation and general lack of acceptance, Bitcoin is a niche market and not as common as US currency.
Adding to the difficulty of procurement is that many exchanges that accept US currency for Bitcoins have limited purchases of larger Bitcoin amounts. There are also strengthened company policies that further restrict the accumulation of the necessary amount of Bitcoins to pay off the ransom. Many of these changes have come about as a direct result of the CryptoWall virus, with some exchanges known to cancel transactions and restrict accounts suspected of using their services to pay off the ransom.
Though difficult, it's still possible to open an account at an exchange to begin funding the purchase of Bitcoins in order to pay the ransom in the time allotted. If neither time nor technology is on your side, another viable option is seeking out the services of an IT consultant with experience in this matter. They may be able to assist you in the overall recovery process of your data and may even be able to do so without incurring any penalty due to non-payment within the specified time frame.
I've decided not to pay the ransom. Can my files be recovered another way?
Deciding not to pay is a fair argument, especially if the amount being requested is worth more than the value of the data. Perhaps out of principle, you feel you shouldn't have to pay. Regardless of the reasons, there are a few things end users can do to see if their files are recoverable without paying. Just please do realize that this is a big IF, and most cases will result in loss of data for non-payment, while those who do pay within the time frame will be able to recover their data through the use of the provided private key and decrypter application.
With that disclaimer in place, the most effective method to recover your files is by using a backup. If your files have been backed up regularly, connect your backup drive to a non-infected computer to check your files. If they are indeed on there and not infected, then you simply clean the infected computer of CryptoWall, and you'll be able to reconnect the drive to restore your data.
If a cloud-based backup exists, depending on the service provider, you may be able to sanitize the computer before restoring your files from the cloud. However, as stated previously, some cloud services store a local copy of the data on the host, Dropbox, for example. In these cases, most of the cloud services offer file versioning as a form of added protection against file modifications made in error. By using this feature after sanitizing the computer, you should be able to roll back a file to a version dated prior to the infection.
If no backup, local or cloud-based, is available, then the only chance at file recovery will lie in VSS, restoring previous file versions, or system restore. Since much of the CryptoWall virus is automated, there are times when a command can't execute due to a system resource issue or a hanging app. Though rare, in these cases, recovery may be possible by initiating a system restore to a time/date prior to the infection occurring. Note that this is the exception, not the rule, but each situation should be handled on a case-by-case basis.
Also, you might try using Shadow Explorer to attempt to restore a file or two first to test out if this method works for you. If it does, remember to clean the computer first to get rid of any/all infections before trying to restore all your data. If the system is not cleaned, it will only try to encrypt the files again — and this time, it may succeed in stopping VSS and clearing the cache.
Are there steps I can take to protect my computers?
Yes, there are. There are several steps that should be taken at all times, regardless of what the infection risk may be. You should have an active antivirus application installed with the latest virus definition files. You should also have a malware scanner, preferably with active scanning capabilities and updated with the latest definition files.
With your computer(s) protected, we move on to one of the biggest issues: Backup or — in some instances — lack thereof. A proper backup system with preferably a local and cloud-based backup schedule will go above and beyond to protect your data. Even when the system itself is compromised, you can count on being able to restore your data, as needed.
Other considerations for protection include safe internet practices. Don't visit questionable websites, never click links found within emails, and certainly never provide anyone any form of personally identifiable information in chat rooms, forums, discussion boards, or social media sites!
Lastly, consider enabling software restriction policies if you're a system administrator on an enterprise network, or using a freely available application such as CryptoPrevent to block many of the avenues CryptoWall uses to gain a foothold on your computer.
Viruses, regardless of whether they're attacking your files or stealing your banking credentials, are nuisances. As a society, we will need to continue to contend with them as digital divides slowly shrink and our connected lives stretch further out.
While there may be little recourse once infected, there's a lot in the realm of possibilities that can be done to limit our exposure to infection and subsequent loss of data. You just need to be proactive enough to ensure that these fail-safes are in place and check on them from time to time.
As the old adage goes, "An ounce of prevention is worth a pound of cure" - Ben Franklin
Has the CryptoWall virus infected any of the computers in your organization? What security policies do you have in place to prevent it from happening? Share your experience in the discussion thread below.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 15 years of experience and multiple certifications from several vendors, including Apple and CompTIA.