
Don’t Underestimate the Cryptowall

January 5, 2015

What Cryptowall is

Cryptowall is one of those things that can make the internet a dangerous place. It is a type of ransomware: a virus that takes hold of, or ‘kidnaps’, your business or personal files and holds them hostage until you pay a ransom for them. This evil virus usually reaches a host computer through email spam, malicious ads, or compromised websites. Sometimes one infected computer can cripple an entire network, or an entire company.

The virus was first reported by Symantec in June of 2014, and has become more widely reported in the second half of 2014.

What it Does

The Cryptowall ransomware’s goal is to take the user’s files and deny access until a ransom is paid to get them back. However, the virus isn’t limited to just the user’s own files; it can take hold of almost any file that user can reach on the network – including, but not limited to, shared company drives and documents, confidential emails, and works-in-progress.

In some cases that we’ve seen, every document for an entire company becomes encrypted. Everything... Gone! The most difficult but most important part is tracking down the source and making sure the infected computer is cleaned or removed before you try to restore the data, or it will just get re-encrypted. This means that the entire company is sidelined for hours, or days – just because one person got too curious about one of those “you won’t believe what happens next!” links.

Once the virus has grabbed hold, it will encrypt every file it can reach on the network. You could be using the computer as normal, but when you open your ‘Documents’, ‘Photos’, or any other folder you won’t see any of the files you were looking for. You will only see one: the ransom note – similar to the one shown below. In the worst cases, there aren’t any prior symptoms until this has happened on every workstation on the company network.

[Image: Cryptowall ransom note]

Solutions

Prevention

The best way to prevent this type of attack is to exercise caution when you are online. Only go to sites that you know are legitimate and safe. Of course, this is easier said than done, but always pay careful attention to where you go and what you click.

Use a UTM firewall such as a SonicWall that has gateway antivirus and spyware protection. SonicWall firewalls also have a content filter service that can help keep you from inadvertently going to the wrong sites. Web proxy services can also keep you from visiting the bad sites.

Another important technique to foil these attacks is to keep backups offsite or offline. If the malware-infected PC can see your backups, it will encrypt them too – rendering them useless. Keeping your backups offsite or offline keeps Cryptowall from reaching them.

Courses of Action

If attacked, the first thing to do is to determine which computer is infected with the virus, then shut it down and remove it from the network immediately. If you have an IT support provider such as Cii, contact them right away. We will work with you to isolate the infected computer after we secure your data. Then we can clean up the PC. Once it is disinfected, we can restore your data and get you back up and running.
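One practical way to carry out that first step (working out which machine the encryption came from) on a Windows file share, as an added example that is not part of the original post or Cii’s own procedure: the ransom notes are ordinary files created by the infected user’s account, so the owner recorded on each note points at the account, and the file server’s SMB sessions map that account to the client computer it is connected from. The share path and the ransom-note file name below are placeholders; substitute the UNC path of your shared drive and the note name you actually see in the affected folders.

```powershell
# Added example, not from the original post. Run from an administrative workstation
# (first part) and on the file server itself (second part). Placeholders:
$Share    = '\\FILESERVER\Company'            # placeholder: UNC path of the shared drive
$NoteName = 'RANSOM_NOTE_PLACEHOLDER.txt'     # placeholder: ransom-note file name you observe

# 1. Find every copy of the ransom note on the share and record who created it.
#    Get-Acl's Owner is the account the note was written under, which is the
#    account the malware was running as on the infected machine.
$notes = Get-ChildItem -Path $Share -Recurse -Filter $NoteName -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        [pscustomobject]@{
            Owner   = $acl.Owner
            Created = $_.CreationTime
            Folder  = $_.DirectoryName
        }
    }

# 2. Summarise by owner: the account with the most notes, and the earliest note,
#    is the one to isolate first. Folder count shows how far the damage spread.
$notes |
    Group-Object Owner |
    Sort-Object Count -Descending |
    Select-Object @{n='Owner';     e={ $_.Name }},
                  @{n='Folders';   e={ $_.Count }},
                  @{n='FirstNote'; e={ ($_.Group | Sort-Object Created | Select-Object -First 1).Created }} |
    Format-Table -AutoSize

# 3. On the file server: map the suspect account to the computer it is connected from,
#    so the right workstation can be unplugged. Get-SmbSession is available on
#    Windows Server 2012 and later.
$suspect = ($notes | Group-Object Owner | Sort-Object Count -Descending | Select-Object -First 1).Name
Get-SmbSession |
    Where-Object { $_.ClientUserName -eq $suspect } |
    Select-Object ClientComputerName, ClientUserName, NumOpens |
    Format-Table -AutoSize
```

Two caveats a practitioner would want: the owner shows the account, not the machine, so a user logged on to several PCs needs the SMB session (or the workstation’s own event log) to pin down which one is infected; and if notes appear under more than one owner, there is more than one infected machine, and every one of them has to be cleaned before any data is restored, otherwise the restore is re-encrypted as the post warns.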

Another important note: don’t just pay the ransom. Doing so only perpetuates the problem. To make it worse, if you pay the ransom without cleaning your computers, the crooks will just re-encrypt your data and wait for you to pay again – a double whammy!

If you have any issues or concerns with Cryptowall, or any other form of malware, contact us for assistance or consultation.