There are three types of phone calls I don’t ever like to receive:
- My wife calls and says, “Don’t worry, me and the kids are ok! Our car, however…”
- The auto shop calls and informs me, “Mr. Johnson, the estimate we gave you was a tad low…”
- A client calls in a panicked voice and says, “My desktop is giving me a message saying something about CryptoWall, and now suddenly I can’t access any of my company files…”
Sadly, more and more of our friends, family and clients are getting hit with this CryptoWall epidemic. So we here at FRSecure wanted to pull together a post to talk about what it is, what we know about it, as well as steps you can take to avoid it – both at home and in the office.
CryptoWall has been categorized as a virus or malware, but I think it is more appropriately described as ransomware, which is a type of malicious software designed to block access to a computer system or files until a sum of money is paid. I also like the term malvertising, which describes the injecting of malicious advertisements into legitimate Web pages.
Scary name. What does it do?
Basically, CryptoWall encrypts files on your hard drives and network drives (such as your “share” drives at work where departments may collaborate on files) with a special key that only the bad guys know. In order to get the key to unlock your files, you need to pay a ransom which is typically in the $300-500 range. To make matters worse, the price tag can go up the longer you delay payment. And if you decide not to pay, your only option to get your files back is to restore from backup copies, which can be costly and time-consuming depending on how much data was affected.
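The practical tell of what the paragraph above describes is that a document which used to be readable text suddenly looks like random bytes. The following script is an added example, not code from the original post or from FRSecure, showing how a defender can scan a share and flag files whose contents look encrypted by measuring their byte entropy. The threshold of 7.5 bits per byte, the 64 KB sample size and the sample "share" it builds are all assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: plain text and office documents usually sit well below this,
# while encrypted or random data approaches the 8.0 bits-per-byte maximum.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536  # only the leading bytes are inspected, to keep scans cheap


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)  # iterating bytes yields ints 0..255
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_share(root, threshold=ENTROPY_THRESHOLD, modified_after=None):
    """Return [(path, entropy)] for files whose leading bytes look encrypted.

    modified_after (epoch seconds, optional) restricts the scan to files changed
    after that time, which is the window that matters when an infection is
    suspected: a mass of freshly modified, high-entropy files on a share is the
    signal, not a single old archive.
    """
    flagged = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if modified_after is not None and path.stat().st_mtime < modified_after:
            continue
        with path.open("rb") as fh:
            ent = shannon_entropy(fh.read(SAMPLE_BYTES))
        if ent >= threshold:
            flagged.append((str(path), round(ent, 2)))
    return flagged


def build_sample_share():
    """Constructed sample data: two ordinary documents and one that has been
    overwritten with random bytes to reproduce the statistical signature of an
    encrypted file (os.urandom is not the ransomware's cipher; only the
    high-entropy result is being imitated)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "Finance").mkdir()
    (root / "Finance" / "budget.csv").write_text(
        "quarter,amount\nQ1,1000\nQ2,1200\n" * 200)
    (root / "memo.txt").write_text(
        "Reminder: please review the attached proposal.\n" * 100)
    (root / "Finance" / "contract.docx").write_bytes(os.urandom(SAMPLE_BYTES))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, ent in scan_share(share):
        print(f"suspicious: {path} (entropy {ent})")
```

Compressed archives, images and already-encrypted containers are legitimately high-entropy, so in practice this check is combined with the modification-time window and a baseline of what the share normally contains; a sudden spike in the count of flagged files is the alert, not any single hit.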
How can I get infected by it?
There are two common methods of infection:
- Clicking a malicious attachment or link, such as those in spam or phishing messages.
- Visiting a Web page with an infected advertisement. In my opinion, this is probably the worst part about CryptoWall. Let's say you’ve listened to your IT team: you do not click on links in email and you only visit major, reputable Web sites. Unfortunately, you are still at risk of being affected by CryptoWall or other malware. The reason is that many of these sites partner with ad networks to generate revenue, and sometimes the ad networks themselves get infected with malware. This means the networks can unknowingly be serving up malicious ads until the problem is detected and remediated. In the meantime, you could come across one of these sites and be infected.
Wait a minute – wouldn’t my antivirus pick up on this?
Yes and no. Let's take a step back and revisit the history of CryptoWall. It is actually a variant of something called CryptoLocker, which was first observed by Dell back in late 2013. As CryptoLocker became widespread, antivirus companies were eventually able to actively detect and clean it. However, if CryptoLocker had already encrypted files, there was still no way to reverse the damage, leaving victims no choice but to pay up. Researchers estimate that the operators of CryptoLocker were able to extort over $3 million from people all over the world. One bit of happy news is that in May of this year, authorities were able to take down the “brains” of the CryptoLocker operation and build a tool that victims could use to decrypt their files. Unfortunately, miscreants developed CryptoWall to pick up where the original CryptoLocker left off, so it is always evolving and changing. In other words, today you are more likely to get bit by a strain of the CryptoWall malware that currently has no “fix,” so you cannot rely on antivirus alone to protect you.
Well thanks a lot. That’s depressing. So how can I defend myself and my business?
Here are a few tips for keeping CryptoWall at bay:
- Don’t click on stuff! I can’t think of any better way to say it. You need to slow down and scrutinize the links and attachments you get via email. Question the sender, and think about whether or not this was information you were expecting. And if the email promises office gossip about the company president, information on a delayed UPS package (that you didn’t order anyway), a free lunch at Applebee’s, or anything else that is too good to be true – it’s probably a trap. When in doubt, call the sender and ask if they really sent the message to you.
- Keep your computers and devices patched. We covered this in a recent blog post, but the importance of patching cannot be stressed enough. We have seen CryptoWall specifically target out-of-date versions of Silverlight, Flash and Java, so make sure your machines are always running the most current versions of those programs if possible.
- Remove administrative rights. Essentially, if you have administrative rights on your PC, it means you can do whatever you want with it – install software, change settings, etc. But it also opens you up for more damage to be done if you get infected with malware such as CryptoLocker. By adjusting this level of access to that of a more “standard” user, malware can often not do as much damage because the system changes it needs to make cannot be performed by the user who is currently logged in. This might be a blog topic we will have to cover in more depth in the future, because it is a serious risk to any organization.
- Have a solid backup/DR plan. If you suddenly lost critical files/folders of company data right this second, could you recover them? How quickly? What would it cost for each hour that data was inaccessible to your employees? Make sure you have a solid backup and DR plan that allows you to recover data quickly and easily.
- Train your users. We talk about this over and over again in client meetings and speaking engagements, but it’s true: people are your biggest risk. All it takes is a single click to get bit by CryptoWall, get a huge amount of your company data encrypted, and thus spend large amounts of time and money in recovery efforts. Training your users to spot bad links and attachments ahead of time is your best defense.
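The backup/DR tip above asks "could you recover it?", and the honest answer comes from testing a restore, not from the backup job reporting success. The script below is an added example, not code from the original post or from FRSecure: it records a SHA-256 manifest of a folder at backup time, then checks a restored copy (or the damaged live copy) against that manifest so you can see exactly which files are intact, which are missing and which were overwritten. The folder layout, file contents and the way damage is simulated are all constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path under root to the SHA-256 of its contents."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest, dest):
    """Store the manifest next to the backup so a restore can be checked later."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def verify_restore(manifest, tree_root):
    """Compare a directory tree against a manifest taken at backup time.

    Returns {"ok": [...], "missing": [...], "corrupted": [...]} so the result
    can be turned into a pass/fail for a DR drill or an alert for a live share.
    """
    current = build_manifest(tree_root)
    report = {"ok": [], "missing": [], "corrupted": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: back up a small tree, damage the live copy the way
    a file-encrypting infection would (contents replaced, a file gone), then
    verify both the live tree and the backup against the saved manifest."""
    live = Path(tempfile.mkdtemp(prefix="live_"))
    (live / "hr").mkdir()
    (live / "hr" / "handbook.txt").write_text("Employee handbook v3\n")
    (live / "plan.xlsx").write_bytes(b"constructed spreadsheet bytes")

    backup_dir = Path(tempfile.mkdtemp(prefix="backup_"))
    snapshot = backup_dir / "snapshot"
    shutil.copytree(live, snapshot)
    save_manifest(build_manifest(live), backup_dir / "manifest.json")

    # Simulate the damage: one file overwritten with random bytes, one deleted.
    (live / "plan.xlsx").write_bytes(os.urandom(32))
    (live / "hr" / "handbook.txt").unlink()

    manifest = load_manifest(backup_dir / "manifest.json")
    return manifest, verify_restore(manifest, live), verify_restore(manifest, snapshot)


if __name__ == "__main__":
    _, live_report, restore_report = demo()
    print("live share :", live_report)
    print("restore    :", restore_report)
```

Keep the manifest with the backup, and run the verification as part of a scheduled restore drill: a backup that cannot be restored and checked against a known-good manifest is not a backup, and the same comparison run against the live share is a quick way to size how much data an incident actually touched.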
As you can see, getting hooked by CryptoWall is the equivalent of getting a big piece of coal in your stocking. But with sufficient user training and solid technical safeguards in place, you should be able to keep it from ruining your holiday season. If you have questions about CryptoWall, I would welcome the chance to talk with you. I can be reached at 952-467-6385 or at [email protected].