Threat Name: CryptoWall 2.0
Threat Type: Ransomware
Primary target: Windows users
Date discovered: Version 1.0 – April 2014; Version 2.0 – Oct 2014
CryptoWall is the latest strain of ransomware to rise to prominence, extorting more than $1 million from victims and wreaking havoc on thousands of police departments, businesses, and individuals across the globe.
On the surface, CryptoWall is similar to its better-known predecessor Cryptolocker, another strain of crypto-ransomware. But there are many differences.
Victims are typically infected with CryptoWall by opening a malicious email attachment, though drive-by-downloads on websites are also possible. The email attachments are often zip files that contain executables disguised as PDFs.
Once on the system, CryptoWall scans all mapped drives and encrypts important files. A text file then opens to explain the situation: the victims’ files are encrypted and a ransom must be paid to unlock them. The ransom is typically $500 in Bitcoins, which will double if not paid within seven days.
Threat of a different color
A few features of CryptoWall 2.0 highlight the growing sophistication of ransomware. Information comes from a recent in-depth analysis:
- Avoids sandboxing – CryptoWall infection begins with a “dropper” that enters the user’s system. The dropper first checks whether it is operating in a virtual environment before downloading and installing the core malware files. If a virtual environment is detected, the download and installation do not occur.
- Disguises files – Critical parts of CryptoWall arrive with multiple layers of encryption. This is to avoid detection by security products.
- Tor network – CryptoWall uses the Tor anonymity network for its command-and-control communication. This makes it harder to find and shut down the ransomware’s servers.
- 32 bit and 64 bit – The malware can detect if it is in a 32-bit or 64-bit Windows environment and execute the corresponding version of its code.
How to remove CryptoWall
CryptoWall removal is typically not a challenge. A simple scan with free antivirus software like Malwarebytes can handle it in minutes.
The real challenge is how to decrypt files once they are locked. Even after the malware is removed, the files will remain encrypted. Unlocking them without a key is practically impossible.
Once files are locked, the only hope of unlocking them is to pay the ransom. This is likely to work but it is far from guaranteed and we do not recommend it (feeding criminals just makes them worse). A better idea is to remove the malware, delete the encrypted files, and restore them from backup if possible. You can find more information at Bleeping Computer.
How to prevent CryptoWall
The old adage that an ounce of prevention is worth a pound of cure could not be more right in this case. How to prevent and mitigate a CryptoWall infection:
Block – CryptoWall traffic is associated with IP 220.127.116.11/23. Block this IP range by adding it to your static blacklist.
Patch – Always maintain the latest versions of your firmware, antivirus, operating systems, and other systems. Routinely update as new patches become available.
Educate – Explain to users the dangers and warning signs of phishing emails and suspicious attachments.
Backup – Maintain backups of all important files both onsite and offsite. Test them often. Ensure they are configured to prevent backup of infected files.
Plan – Assume disaster is inevitable. Plan how you will respond.
Configure – Adjust security settings to prevent forced downloads.
Control – Use web filtering to control the sites users can access. Use egress or outbound traffic filtering to prevent connections to malicious hosts.