It looks like this new strain of file-encrypting ransomware called CryptoWall (and a variant CryptoDefense) is picking up where CryptoLocker left off. On the heels of the botnet takedown, which stopped the spread of CryptoLocker (after infecting over 250,000 computers), the Center of Internet Security (CIS) has reported an increase of new CryptoWall malware infections, which are targeted at Windows systems running Windows 8, 7, XP and Vista. Much like its predecessor, this malware takes over your system restricting access to your files and folders until you pay a ransom.
Unlike the $300 ransom of CryptoLocker, victims of CryptoWall are given a deadline to pay a $500 (or in some cases $600) ransom or it doubles to $1,000. We’ve also seen the decryption price reportedly increase by 3 times. If victims don’t pay up before the new due date (shown with a count-down timer), victims lose their files for good. Once the key to decrypt their files is deleted, those files are rendered useless.
How CryptoWall Spreads
This strain of ransomware, is distributed through a variety of sources including phishing emails, fake application updates and malicious ads on legitimate sites.
The virus is spread by getting users to click on a link within an email that is disguised as a fax or voicemail notification or UPS shipment tracking notice. These emails often include a Dropbox link, a link to a .zip file or a shipment tracking link with varying subject lines such as “Incoming Fax Report…” or “Voice message from …” or “UPS Exception Notification” for example. Be on the lookout for these types of emails and immediately delete them from your system. Don’t think that just because the link is to a Dropbox or from someone you know, that you are safe. Dropbox is a popular file sharing software that many of us use (me included), but you need to be careful to not click on these links. It is known that Cyber criminals are using Dropbox as their primary means of distributing the CryptoWall malware via email.
CryptoWall has been reported to use malicious ads on legitimate, well-known sites, such as Wiki.answers.com, apps.facebook.com, ebay.in, altervista.com and theguardian.com to name a few. Because ad networks like to track where their clicks are coming from, Cisco has been able to pinpoint many high-profile sites that have inadvertently hosted malicious ads. These ads redirect unsuspecting users to malicious websites with the intent on infecting the user’s computer.
Once infected, an exploit kit called a RIG (first reported by Kahu Secuity) is inserted onto the victims computer. The kit checks for unpatched versions of Java, Flash, IE or Silverlight multimedia. If systems are unpatched, the system is immediately exploited, and requests are made to download CryptoWall. It has been reported to take up to 24 hours for the CryptoWall virus to download and install onto your system once you have been infected, so you may have a small window of opportunity once infected.
How CryptoWall Works
CryptoWall malware encrypts your local files, and demands you to pay a ransom to recover your files using a unique private decryption key housed on the Cyber criminal’s servers. At the time of our research, there were no known tools or solution to recover files encrypted with RSA-2048 encryption, without paying the ransom for the decryption key (stored on the CryptoWall Command-and-Control servers).
Once your files have been encrypted, you will receive a link to a TOR site (a browser that allows online anonymity). Cyber criminals use TOR sites to keep their identities hidden. You will be taken to a page that requires you to enter a CAPTCHA (where you are asked to type the letters of a distorted image) before presenting you with the ransom information.
The ransom amount can vary (we have seen $500-$600), but if not paid by a specified time, it will double or even triple.
Victims of CryptoWall are given the option to “Decrypt 1 file for FREE,” which may be their way of showing you that they do have the ability to deliver on their so-called promise to decrypt your files.
You are asked to purchase a special software called a CryptoWall Decrypter, using bitcoin, which is supposed to allow you to decrypt your files.
If the ransom is not paid, you can kiss your files goodbye. That being said, paying the ransom does not guarantee the restoration of your files, and by paying them, you are in essence supporting Cyber criminals. The fact that people are paying, further cements their belief that this type of business model works. It’s just something to think about. In my humble opinion, it’s better to be proactive than reactive on this one.
Recommendations to Prevent CryptoWall Infection
1. Block Traffic from Known Fraudulent IP Addresses
It has been reported that there is a range of IP addresses that are owned and operated by criminal groups that contain a higher number of ransomware domains hosted on it. As a result, the Multi-State Sharing & Analysis Center (MS-ISAC) recommends the following:
Block traffic to/from IP address: 188.8.131.52/23 at your network perimeter.
2. Click with Care
Since we know that CryptoWall is spread through malicious ads, presented on well-known and reputable sites, be careful what you click on. Most advertisers are legitimate, but unfortunately there are users who are abusing the system, using it as a means to lead users to malicious sites for the purpose of hijacking their files for ransom. For that reason, practice common sense and don’t click on ads you are uncertain about.
3. Use Anti-Virus and Anti-Malware Software
A word of advice, not all anti-virus software will protect you from malware. You may also need anti-malware software. Check with your provider to see if they are staying on top of the new strains of Crypto malware. Also, make sure your software definitions stay up to date, so as to ensure that you are protected against any new threats that pop up.
4. Keep Regular Backups of Your Data
The ideal situation is to be proactive here. Plan ahead and keep regular backups of your data. That way, should you become a victim of CryptoWall, you can just remove the ransomware virus from your system and restore your files from your backup. NovaStor offers an affordable PC backup software solution that will allow you to set up automatic backups of your files, and create disaster recovery image backups.
5. Don’t Click on Suspicious Emails
If you receive any suspicious email, check the sender of the email to verify the legitimacy of the email and don’t click on the link if you are uncertain. Specifically, stay away from emails that are disguised as faxes, voicemails, or even UPS (especially if you are not waiting for a shipment), as these are known sources for spreading CryptoWall malware.
6. Keep Patches Updated
Since it is a known fact that RIG exploit kits are targeting unpatched versions of Flash, Java and Silverlight multimedia, by all-means, keep these patches up to date.