“What is CryptoWall?” “Where does it come from?” “How do I know if I’m infected and what actions should I take if I am?” “How do I get my files back?” “Are there any cryptowall prevention best practices?”

These are all very common questions we experience when we hear of a client or user getting infected with Cryptowall.

What is Cryptowall?

This strain of “Ransomware” has been infecting computers around the world since approximately November 2014. (Ransomware is a type of computer infection that first appeared in January 2013 that encrypts your files and holds them hostage until you pay the virus creators as sum of bitcoin (usually between $500-1000 USD) at which point they will provide you with a decryption tool to recover your files.)  Cryptowall is now on its 4th version which was first seen in November 2015. Cryptowall 3.0 has successfully extorted over $325 million dollars from infected individuals and companies around the world since its first infections starting in January of 2015.

Once infected with Cryptowall the virus will encrypt files using RSA 2048-bit encryption. Examples of these files are Word Documents (.doc,.docx), Excel Documents (.xls,.xlsx), Picture Files (.jpg, .png, etc..), and other user documents. The virus will infect files that are located on your computer, on a network drive, or on a cloud drive such as Google Drive or One Drive that the infected computer is connected to.

The latest version of Cryptowall 4.0 also encrypts file names of the affected files. Earlier versions of the ransomware would encrypt the file but leave the file name and type of file intact.

Where does Cryptowall come from?

Cryptowall can infect your computer in one of two ways.  Both of these will usually use a .scr file (screensaver extension) to execute a package which contains the Cryptowall virus. It has been noted that the latest version of Cryptowall (4.0) uses a dropper package called “Upatre” which downloads encrypted files from an HTTP site to make it difficult to detect the traffic.

  1. Cryptowall is commonly seen in email attachments.

Sample Email Subjects that contain infected files:

    • INCOMING FAX REPORT: Remote ID: <{3 digits}-{3 digits}-{3 digits}>
    • Fax Message at <yyyy-mm-dd hh:mi:ss EST boundary=”——{23 digits}”
    • UPS Exception Notification, Tracking Number <tracking number>

 These are just SOME of the examples of emails that we believe contain infected Cryptowall infected files.

  1. Cryptowall can be downloaded and infect your computer in what is called a “drive by download” attack. These types of attacks or infections can commonly occur while browsing the web. Typically, you will get a popup that will prompt if you would like to install software on your computer or that your computer has been infected and ask if you’d like to perform a free scan to remove the infection although, this is not always the case. These attacks typically use reverse social engineering to coax the end user into installing the infected software on their computer.

How do I know if I’m infected with Cryptowall and what actions should I take if I am?

Cryptowall will typically inform you if you’ve been infected with their ransomware. Once the user’s computer has been infected, a popup will appear on the desktop which will explain why you cannot access your files, what has happened to your files, and how to pay the ransom to recover your files. Examples of the popup are shown below.

Other indicators of file infection include three files by the names of HELP_YOUR_FILES.PNG, HELP_YOUR_FILES.HTML, HELP_YOUR_FILES.TXT. which will be located in each affected directory. Each of these files will have the same text as the box above which again, explains why you cannot access your files, what has happened to your files, and how to pay the ransom to recover your files. Previous versions of Cryptowall 3.0 and below will name these files HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT, and HELP_DECRYPT.URL.

If you have confirmed that your computer is currently infected with Cryptowall, the first thing you should do is verify the integrity of your last backup. (DO NOT, use the infected computer to check the integrity of your latest backup as this could possibly encrypt your backup data).  If you have confirmed that your backup data is present and valid you can continue with removing the virus from your computer, otherwise if there is a possibility you may pay the ransom, do not proceed with the virus removal.

Before removing the virus, you must first obtain a list of all affected files. Cryptowall 4.0 encrypts file names which makes it much harder to know what files have been affected and which files have not. To obtain a list of affected files use the following tool created by Bleeping Computer. http://www.bleepingcomputer.com/download/listcwall/ This application will scan the registry and compile a list of files that Cryptowall has encrypted. Please see the above link for additional information.

To remove the virus, we suggest using virus removal applications such as Rogue Killer, MalwareBytes, Bit Defender, ESET, etc… All of these combined with your computer virus scanning software. Some of these virus scanner applications may need to be run multiple times to verify that the infection has been successfully removed. (Please note, Virus removal applications listed above are to be used at the user’s discretion, Next-Level IT LLC suggests that you should consult with a qualified technician for virus removal and file restore procedures.) 

Once it has been confirmed that the virus infection has been removed from the computer successfully you may begin restoring files to their original file locations. Please refer to the previously generated txt file for a list of affected files to be restored. 

How do I get my files back?

Once it has been confirmed that the virus infection has been removed from the computer successfully you may begin restoring files to their original file locations. Please refer to the previously generated txt file for a list of affected files to be restored.

Other methods of recovery could include volume shadow copies but this is not always a suggested method of backup to rely upon.

If your cloud drive files have become infected, you will need to attempt to restore to a previous version of the file. Instructions for Google and One drive are posted below.

Google Drive – Restore Previous Versionshttps://support.google.com/drive/answer/2409045?hl=en

One Drive for business – Restore Previous Versionshttps://support.office.com/en-us/article/Restore-a-previous-version-of-a-document-in-OneDrive-for-Business-159cad6d-d76e-4981-88ef-de6e96c93893

Paying the ransom for your files is an option as well but we highly recommend to only use this as a last resort.

How do I prevent Cryptowall in the future?

As of now, there is currently no guaranteed procedure to block Cryptowall from infecting your computer or a computer on your network. We have compiled a list of proven actions that can be taken to help prevent your systems from becoming infected.

  1. User Education – Inform users they should not open any emails or email attachments from ANY address unless they know specifically who the email is from. They should also be informed to only allow browser software to be installed from known publishers and/or websites.
  2. Virus Protection – Virus protection should be installed on all computers that connect to the internet or use files imported via network, USB thumb drives, or other types of media. There are many free Virus protection applications available to all users.
  3. Spam Filter – A spam filter is a very cost effective way of preventing many virus infections via email. Spam filters are also known to be effective at filtering over 95% of spam messages to users’ inboxes each day.
  4. Web Filter – Web filters have proven to be very effective at filtering viruses before they infect a computer. Web Filters will block traffic to websites that are defined by a policy that is applied to a computer or user.
  5. Block Tor Networks – Use your network firewall to block traffic to known TOR subnets. It is known that Cryptowall communicates on the anonymous network known as TOR with your computer. Blocking traffic to and from these subnets can help prevent dropper packages from downloading the infected Cryptowall virus.
  6. Block .EXE files from running from specific directories – It has been found that Cryptowall executes from local application directories. Creating local and/or group policies (if you have an Active Directory environment) to block .exe files from running in these directories has proven to be effective. See below for a list of directories to prevent executables from running from.

C:Users<User>AppDataLocal<random>.exe (Vista/7/8)
C:Users<User>AppDataLocal<random>.exe (Vista/7/8)
C:Documents and Settings<User>Application Data<random>.exe (XP)
C:Documents and Settings<User>Local Application Data<random>.exe (XP)

  1. Use 3rd party tools to prevent Cryptowall – There are multiple 3rd party applications which claim to prevent Cryptowall from infecting your machine or providing a “vaccine” against Cryptowall. (Note: All software provided in this article should be used at your own risk.)

Regardless of your reason for finding this post we hope that it has helped educate you about this high profile security threat to your data.

Next-Level IT is committed to providing professional, prompt, and cost effective information technology services and solutions to small and medium sized business within CT, MA, and RI. Our expertise covers a broad range of Information Technology and computing services such as network engineering and administration, virtualization and cloud computing, security and risk mitigation, and IT budgeting and planning.