
Urgent Notice, Very Dangerous Cryptowall 2.0 Ransomware

What exactly is CryptoWall ransomware?

CryptoWall is a file-encrypting ransomware application launched around the end of April 2014 that targets every version of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. The mass media often confuses CryptoWall with the CryptoLocker virus, when it is far more comparable to the CryptoDefense ransomware. The most obvious similarity is that CryptoWall’s Decryption Service is practically identical to the one for CryptoDefense. In the second week of October 2014, the malware authors launched a brand new version of CryptoWall referred to as CryptoWall 2.0. This latest variant integrates a few extra modifications.

When you are initially infected with CryptoWall, it scans your system for documents and “encrypts” them using RSA encryption so that these files can no longer be opened. As soon as the virus has encrypted the documents on your computer’s drives, it launches a Notepad window and an Internet Explorer page containing directions on how to access the CryptoWall Decryption Service, where you can pay a ransom to buy a decryption package. The ransom price begins at $500 USD and after 7 days increases to $1,000. This ransom has to be paid in Bitcoins and sent to a Bitcoin address that is created per affected user.

This new version of CryptoWall is an enormous danger for computer users and network staff because it encrypts all local data as well as documents located on network shares. CryptoWall 2.0 contains modifications that make it far more profitable for the malware creator and many times tougher for a victim to recover their documents free of charge. These modifications consist of unique wallet IDs for ransom payments, secure deletion of the original unencrypted files, and the use of their own TOR gateway.

CryptoWall is spread through email messages with ZIP attachments containing executables that are disguised as PDF files. These fake PDF documents pretend to be invoices, purchase orders, bills, or other business communications. After you double-click the bogus PDF, it infects your PC with CryptoWall and drops malware files in either the %AppData% or %Temp% folders. Once the infection is installed, it begins examining your computer’s hard drives for files to encrypt. While the infection is looking through your computer it scans every drive letter, including removable drives, network shares, and even DropBox mappings. To sum up, if a drive letter is present on your computer, CryptoWall will scan it for documents.
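The lure described above is an executable carrying a document-like name inside a ZIP attachment. The following added example (not code from the original post) is a small mail-gateway style check that inspects the members of a ZIP archive and flags executables, double extensions such as "invoice.pdf.exe", and files whose content starts with the "MZ" PE header despite a document extension; the extension lists and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows will execute on double-click; the lure is an executable
# carrying a document-like name such as "invoice.pdf.exe" (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member name, reason) pairs for entries that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + part for part in base.split(".")[1:]]
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                header = fh.read(2)  # a PE file starts with the "MZ" DOS stub
            if last in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable inside archive"))
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    findings.append((info.filename, "double extension hides executable"))
            elif header == b"MZ":
                # Name says document, content says Windows executable
                findings.append((info.filename, "PE content under a non-executable name"))
    return findings


def flagged_names(zip_bytes: bytes) -> list:
    """Sorted, de-duplicated member names that were flagged."""
    return sorted({name for name, _ in suspicious_members(zip_bytes)})


def build_sample_zip() -> bytes:
    """Constructed sample archive: one harmless PDF and two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2014.pdf", b"%PDF-1.4 constructed harmless document")
        zf.writestr("purchase_order.pdf.exe", b"MZ" + b"\x00" * 30)  # stub, not a real PE
        zf.writestr("bill.pdf", b"MZ" + b"\x00" * 30)  # PE header hidden behind .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{name}: {reason}")
```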

What do you have to do if you find out your system is infected with CryptoWall?

Should you realize that your PC is infected with CryptoWall, you have to quickly scan your system with anti-virus or anti-malware software. Sadly, most people do not realize CryptoWall is on their computer until it shows the ransom note, by which time their documents have already been encrypted. The scans, however, will at least identify and remove any other malware that may have been installed alongside CryptoWall.

Can you decrypt documents infected by CryptoWall?

Unfortunately, at this time there is NOT any way to retrieve the private key needed to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not feasible because of the amount of time needed to break an RSA key. Additionally, the decryption tools and software that have been released by various organizations are useless against this virus. The only possibilities you have of recovering the documents are from a backup, file recovery tools, or, if you’re fortunate, from Shadow Volume Copies.

Network Shares on infected computers

CryptoWall will encrypt data on network shares, but only when that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, the virus will not encrypt any data on that network share.

It is highly recommended that you protect all available shares by only permitting write access to the essential user groups or authenticated individuals. This is a crucial security standard that should always be in place, whether or not a virus like CryptoWall is around.

Additional information

An adjustment that will benefit affected people who want to pay the ransom is the addition of a unique bitcoin payment address for every victim. The first version of CryptoWall could not generate a unique bitcoin payment address per victim. This made it easy for individuals to take other victims’ payments and apply them toward their own ransom. With unique payment addresses for everyone, this is no longer achievable.

An additional modification is that CryptoWall now securely erases the original documents. Initially, CryptoWall would encrypt the data and then simply delete the original. It was then possible to use data recovery programs to attempt to restore your files. Now that CryptoWall securely wipes your data, this technique no longer works, so you will have to restore from backups or pay the ransom.

The last refinement is that CryptoWall 2.0 uses its own TOR network gateways. CryptoWall’s ransom payment servers are hosted on these TOR servers, which lets the malware authors remain hidden from the authorities. To connect to the server you need access to the TOR network, and for the majority of individuals the installation of TOR is a complicated and challenging procedure. To resolve this, CryptoWall used a Web-to-TOR gateway that allowed affected people to easily reach the payment server. When the Web-to-TOR gateway operators realized that CryptoWall was using their gateways, they began to blacklist those payment servers to make them inaccessible. Now that CryptoWall 2.0 uses its own TOR gateways, they no longer need to worry about being blacklisted. The existing Web-to-TOR gateways controlled by the CryptoWall authors are tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com.

We are still evaluating this most recent variant, and as more details become available we’ll make sure to report them. For more information on this, to get help if you’ve been infected, or to prevent this from happening in your company, call us at (210) 273-4524 or Contact Us.
