One of the most problematic viral infections we here at Turbo Technicians have dealt with lately is the CryptoWall ransom virus. CryptoWall is what is referred to as ransomware: a type of malware that restricts access to the computer system it infects and demands a ransom, paid to the creator(s) of the malware, in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive, while others may simply lock the system and display messages intended to coax the user into paying. CryptoWall is the most malicious type of ransomware, as it encrypts (locks) the user’s files into a state that renders them unusable until the ransom is paid. Once a user’s files are locked, the only means of recourse is to pay the “ransom”, which is not a guaranteed process, or to revert to a backup. Removal of the infection is quite easy using Malwarebytes Anti-Malware; however, removing the infection does not decrypt your data. Although the situation is dire, there are several approaches to resolving this issue.

Paying the ransom

When we have encountered machines infected with CryptoWall, the client is often so threatened by the prospect of not being able to use their files that they are willing to pay the ransom, regardless of price. While the urge to pay the ransom and get back to work may be overwhelming, there are several key factors to consider. One of the most glaring issues with paying the ransom is the problem that plagues any “black market” dealing: there is no honor among thieves. Someone dishonest enough to devise a virus to hold your data hostage is probably not going to have a vested interest in serving victims in a timely fashion, or even at all. In the documented instances in which a victim has paid the extortion, there has been a 50/50 yield on decryption, meaning a user may pay the extortion only to hear nothing in return. To add to the uncertainty of the situation, the method of payment most commonly demanded by these extortionists is Bitcoin, a “crypto currency” (digital-only money) that operates fully anonymously. Bitcoin adds further complexity because it cannot be easily tracked by authorities and is not commonly used by the average person. Bitcoin also has a daily-fluctuating value that can make it very difficult to approximate how many coins are needed to appease the extortionists; a CryptoWall infection may demand 1 BTC (roughly $300) on the first day and, due to changes in the Bitcoin exchange rate, 2.5 BTC (roughly $900) the next, making it nearly impossible to buy the exact amount needed to fulfill the ransom. Due to these complications, Turbo Technicians has firmly taken the stance of refusing payment to any extortionists, from both a moral and a logistical standpoint. In our experience the only assured solution is to revert to a backup, underscoring the importance of a comprehensive backup solution.

Restoring from a backup

Independent of virus concerns entirely, a proper backup solution is paramount. CryptoWall works by moving sequentially from file to file, encrypting each file as it progresses. Because of this, it can easily encrypt files located on an attached external hard drive or a cloud-based backup, rendering the backups just as unusable as the files located locally on the machine. Thankfully, CryptoWall is only able to encrypt files of the types it has been explicitly instructed to target: a file ending in .jpg (a common picture file format) may be encrypted, while a .rar (a common zipped-folder extension) located in the same directory may not be affected. This ultimately winds up being the Achilles heel of this infection, as it does not seem to be aware of many popular backup formats, including the .bkf format used by Symantec Backup Exec. Short of hoping that your backup software’s output format is one CryptoWall does not target, an external hard drive that is detached as soon as it has finished backing up is the only sure-fire measure for recovering from such an infection.
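Because an attached backup drive can be encrypted right alongside the local files, a backup has to be verified before it is trusted for a restore. The following is an added example, not Turbo Technicians' code or any product's: it records a SHA-256 manifest of the backup set while it is known-good and later reports any file whose contents changed, vanished, or appeared. The file names and contents in `demo()` are constructed for illustration.

```python
"""Verify a backup set against a manifest taken while it was known-good."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its digest.
    Store the result somewhere the backup drive cannot reach, e.g. printed or
    on a machine that never mounts the drive."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current backup set with the stored manifest.
    Ransomware rewrites file contents (modified), may rename or delete
    originals (missing) and may drop new files (unexpected)."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: record a two-file backup set, then overwrite one
    file with random bytes and add a new file, as an attached drive might look
    after an infection. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx").write_bytes(b"constructed quarterly figures")
        (root / "photos.rar").write_bytes(b"constructed archive payload")
        manifest = build_manifest(root)  # taken while the set is known-good
        if verify_backup(root, manifest) != {"modified": [], "missing": [], "unexpected": []}:
            raise RuntimeError("fresh backup should verify clean")
        (root / "docs" / "report.docx").write_bytes(os.urandom(64))  # contents replaced
        (root / "constructed_new_file.txt").write_bytes(b"not in the manifest")
        return verify_backup(root, manifest)
```

Run the verification from a clean machine against a read-only mounted drive; any non-empty report means the set should not be restored without investigation.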

Preventing CryptoWall

While the effects of CryptoWall can be devastating, prevention of this infection is relatively easy. As always, safe internet practices are your best protective measure: don’t visit questionable websites, never click links found within emails, and certainly never provide anyone any form of personally identifiable information in chat rooms, forums, discussion boards, or social media sites! Aside from preventative habits, several dedicated software solutions have sprung up in the wake of these attacks, including CryptoPrevent and HitmanPro.Alert. While these utilities do an effective job of preventing such attacks, they stray from the approach of having a single, all-inclusive anti-virus solution, adding complexity by giving you more components to manage. A simpler solution is a comprehensive exploit blocker, such as Malwarebytes Anti-Exploit. With a single solution that blocks all forms of “zero-day” (brand new) malware exploits, not only does the end user have less to look after, the user is also protected against other attacks that may emerge even after CryptoWall has run its course.

Contact Us!

Turbo Technicians can help prevent or resolve a ‘ransomware’ attack (such as CryptoWall or CryptoLocker) through our excellent software and service selections, or advise your company on its best course of action.