If you’re in IT, you know that your family and friends will often rely on you to help out with their computer problems. This weekend I spent quite a few hours helping a distraught family friend whose computer was suddenly telling them that they no longer had access to their files and that they had to pay someone $500 to get that access back!
It turns out there’s a nasty class of malware infecting computers called “ransomware”, and the description is entirely apropos: anonymous criminals take your files hostage. How? By encrypting them with a key that only they hold. The variant in this case, CryptoWall, protects that key with RSA-2048, a key size that is beyond brute force for anyone, and the private half never leaves the attackers’ servers.
Getting Infected
There are several avenues to infection; however, the most common is opening an infected attachment in an email. You may be familiar with the subject lines that accompany these attachments: “Incoming Fax Report”, “Download your Delta Airlines ticket #00723394” or “Court Appearance Notification”. Most people will have the sense to delete these, but a cunning subject line and a convincing “From:” line (which is trivial to forge) can entice just about anyone to open the email and its infected attachment. Even I’ve done a double take and had to carefully examine the ones that say, “Your Paypal account has been suspended”!
E-mail isn’t the only way this malware can reach your PC. Hijacked banner ads on otherwise legitimate websites can trigger the installation as well, through a vulnerable browser or plug-in, without you opening anything.
How do they work?
Once it is running, the malware walks your entire hard drive looking for documents and images. This includes, but is by no means limited to, docx, doc, xls, pdf, jpg, gif, png and ppt files. For every one of them it writes an encrypted copy using a secret key unique to your machine and deletes the original. It does this in the background, so you will likely not notice until it has finished. It also spiders out and encrypts files on every mapped network folder it has write access to, including a synced Dropbox folder!
Here’s the real kicker: it also deletes the Volume Shadow Copies, the snapshots behind Windows’ “Previous Versions” and System Restore, so you are not even left with that way to recover your files!
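To see what the behaviour above leaves behind on disk, here is a triage script you can point at a home folder or a mapped share after the fact. It is an added example written for this page, not CryptoWall code or anything from the original post; the signature table covers the extensions listed above, and the sample tree it builds in a temporary directory is constructed data (random bytes stand in for ciphertext; nothing is really encrypted).

```python
"""Post-infection triage: find files whose contents no longer match their
extension, which is what a crypto-ransomware run leaves behind.

Added example for this page, not code from CryptoWall or from the original
post. The signature table and the sample tree (random bytes standing in for
ciphertext; nothing is really encrypted) are constructed assumptions."""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of the document and image formats the post lists. A file with
# one of these extensions that does not start this way is no longer that format.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP = b"PK\x03\x04"                          # .docx/.xlsx/.pptx are zip files
MAGIC = {
    ".pdf": [b"%PDF"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".docx": [ZIP], ".xlsx": [ZIP], ".pptx": [ZIP],
    ".doc": [OLE2], ".xls": [OLE2], ".ppt": [OLE2],
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Label one file 'intact', 'encrypted' or 'unverified'.

    The magic-number check is the reliable signal. Entropy is only a fallback
    for extensions without a signature: healthy docx, jpg and png files are
    compressed and therefore high-entropy too, so entropy alone would flag them.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return "unverified"
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is not None:
        return "intact" if any(head.startswith(s) for s in sigs) else "encrypted"
    return "encrypted" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unverified"


def scan_tree(root) -> dict:
    """Walk root (a local folder or a mapped share) and bucket every file."""
    root = Path(root)
    report = {"intact": [], "encrypted": [], "unverified": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            report[classify_file(p)].append(p.relative_to(root).as_posix())
    return report


def build_sample_tree(root) -> None:
    """Constructed sample: two healthy files, one 'encrypted' docx (random
    bytes, so no zip signature) and one random .txt that only entropy can judge."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    rng = random.Random(1)
    (root / "docs" / "invoice.pdf").write_bytes(
        b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9")
    (root / "docs" / "report.docx").write_bytes(rng.randbytes(4096))
    (root / "notes.txt").write_bytes(rng.randbytes(4096))


def demo() -> dict:
    """Build the sample tree in a temp directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Run `scan_tree(r"Z:\")` against a mapped share to get a quick count of what was hit. The important design choice is to trust the magic-number check and not the entropy score: a healthy docx or jpg is already compressed and scores almost as high as ciphertext, so an entropy-only scanner would report a clean machine as fully encrypted.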
So what can you do?
What I can tell you is that you cannot brute-force the encrypted files. RSA-2048 is simply too strong: no amount of computing power you can get hold of will recover the key, and “a hundred thousand years” is, if anything, an understatement. You really have only a few ways of getting your files back:
- Use a viable backup
- Attempt to recover the original file that was deleted after an encrypted copy was made
- Pay the ransom
If you were relying on shadow copies, you may not have a viable restore point left once CryptoWall has run its course. Backups on other drives survive only if they were not mapped or plugged in at the time of infection. Cloud backup services that keep previous versions of each file may also let you roll back, even though the synced folder itself gets encrypted.
Because our friends weren’t doing backups, I attempted, without luck, to recover the deleted files using Ontrack Easy Restore and R-Studio Restore. Others have reported luck with this method; however, I was not able to recover any files.
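To show what undelete tools like the ones above are actually doing, and why the attempt can fail, here is a minimal signature-based file carver over raw disk bytes. It is an added example written for this page, not code from the original post or from any commercial recovery product; the "disk image" it builds is constructed, and the block of bytes standing in for an encrypted copy is synthetic rather than real ciphertext.

```python
"""Signature-based file carving over raw (unallocated) disk bytes: the
technique behind the undelete tools mentioned in the post.

Added example, not code from the post or from any recovery product. The byte
image below is constructed; the 'ciphertext' is a synthetic stand-in."""

# (label, header, trailer) for formats whose files carry a fixed trailer, so
# the carver can find where a file ends without any filesystem metadata.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]
MAX_CARVE = 10 * 1024 * 1024   # give up on a header with no trailer within 10 MiB


def carve(image: bytes) -> list:
    """Return [(label, offset, data)] for every header/trailer pair found.

    This works on raw bytes, so it recovers a deleted original only while its
    clusters are still intact. Once the malware's encrypted copies (or anything
    else) have been written over them, there is nothing left to find, which is
    why recovery attempts often come up empty.
    """
    found = []
    for label, header, trailer in SIGNATURES:
        start = 0
        while True:
            start = image.find(header, start)
            if start < 0:
                break
            end = image.find(trailer, start + len(header), start + MAX_CARVE)
            if end < 0:
                start += len(header)    # header whose body is gone: skip it
                continue
            end += len(trailer)
            found.append((label, start, image[start:end]))
            start = end
    found.sort(key=lambda f: f[1])
    return found


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': a deleted JPEG and PDF still intact,
    a synthetic encrypted copy (every byte value once, so it contains no
    signature), and a JPEG whose header survived but whose body was overwritten."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 100 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
    ciphertext = bytes(range(256))          # stand-in for an encrypted copy
    overwritten_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 50   # body gone, no trailer
    return (b"\x00" * 16 + jpeg + b"\x00" * 8 + ciphertext + pdf
            + b"\x00" * 4 + overwritten_jpeg + b"\x00" * 32)


def demo() -> list:
    """Carve the constructed image; returns the two recoverable files only."""
    return carve(build_sample_image())


if __name__ == "__main__":
    for label, offset, data in demo():
        print(f"{label} at offset {offset}, {len(data)} bytes")
```

Note what the carver does not return: the encrypted copy (it has no recognisable header, so no tool can identify it as a document) and the JPEG whose clusters were reused. Real tools add filesystem-metadata parsing and smarter trailer detection, but they are bound by the same limit, and a ransomware run that writes a full-size encrypted copy of every file is exactly the workload that reuses the freed clusters.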
From the statistics I’ve seen, millions of dollars have been paid into the criminals’ anonymous accounts for the decryption tool and key files. While some, maybe even most, report successfully decrypting their files, others report complete failure, and there is no support hotline you can call when it goes wrong.
Two earlier families, which operated in the same manner, did get a break. CryptoDefense, CryptoWall’s predecessor, left a copy of the private key on the victim’s own machine, and CryptoLocker’s key database was recovered when authorities seized its servers in 2014; in both cases a free public decryption tool followed. CryptoWall has had no such breakthrough.
Prevention
These infections rely largely on human error or confusion. Ask your users to keep an eye out for emails with suspicious Dropbox links that announce a new voicemail or an incoming fax report, and to avoid clicking the links in them. Instruct your users never to open suspicious emails or attachments. Keep your antivirus and anti-malware software updated. Back up your data on a regular basis, and keep the backup disconnected or versioned, since a backup drive that is mapped at the time of infection gets encrypted along with everything else. If you have a clean backup you can easily restore an infected user’s data without paying the ransom. For more suggestions, see "6 Things You Should Do Now to Defend Yourself from CryptoWall".
A useful link:
http://wyzguys.blogspot.com/2014/07/cryptowall-and-cryptolockerhow-to.html