VIRUS ALERT: CryptoWall 3.0
We need to raise everyone’s awareness
We have been observing a sophisticated ransomware attack affecting our local community. The ransomware is called CryptoWall 3.0. If one of your computers becomes infected, CryptoWall encrypts your data, both on the infected computer and on all network shares that the user can access (including on your business server). Basically, this renders those business and personal files unusable unless you pay the hackers a ransom. Organizations without good backups can experience significant business disruption and potential data loss.
How does CryptoWall spread?
The main point of infection appears to be malicious email attachments. The infected emails carry a .ZIP attachment. Inside the ZIP are files that appear to be PDFs. While they look like harmless PDFs, they are actually EXEs (executable programs) in disguise. If a user double-clicks one to open it, they are actually running the program, triggering the trap.
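As an added example (not part of the original bulletin), the following Python script shows the kind of check a mail gateway or help desk can run on a suspicious .ZIP attachment before anyone opens it: it reads the first bytes of each archived file and compares the real file type against the name, flagging entries that are named like PDFs but contain a Windows executable, or that carry a double extension such as ".pdf.exe". The sample archive, the extension list and the finding text are all constructed for this example.

```python
import io
import zipfile

# Extensions Windows will run on double-click (illustrative subset, assumed for this example).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Leading bytes ("magic numbers") that identify the real file type, whatever the name claims.
PE_MAGIC = b"MZ"        # Windows executable (EXE, SCR, DLL, ...)
PDF_MAGIC = b"%PDF-"    # genuine PDF documents start with this


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons this archive member looks like a disguised executable (empty = clean)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]          # strip any folder prefix inside the archive
    exts = ["." + p for p in base.split(".")[1:]]   # every extension segment, e.g. ['.pdf', '.exe']
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
    if len(exts) >= 2 and ".pdf" in exts[:-1]:
        reasons.append("double extension hides .pdf before the real type")
    if head.startswith(PE_MAGIC):
        reasons.append("content is a Windows executable (MZ header)")
        if exts and exts[-1] == ".pdf":
            reasons.append("named .pdf but not a PDF")
    return reasons


def inspect_zip_attachment(zip_bytes: bytes) -> dict:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)                    # only the header is needed to type the file
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample ZIP (not a real malware sample): one genuine PDF and two disguised EXEs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2231.pdf", b"%PDF-1.4\n% placeholder PDF body for the example\n")
        zf.writestr("Invoice_2232.pdf.exe", b"MZ" + b"\x00" * 62)   # double extension
        zf.writestr("Invoice_2233.pdf", b"MZ" + b"\x00" * 62)       # name lies, content is PE
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip_attachment(build_sample_attachment()).items():
        print(f"BLOCK {member}: {'; '.join(reasons)}")
```

The content check matters more than the name check: renaming a file costs the sender nothing, but a Windows executable always begins with the MZ header, so an attachment whose name ends in .pdf and whose bytes begin with MZ should be quarantined regardless of how convincing the message around it reads.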
We aren’t fools; why would anyone open a random email attachment?
The old adage, “Only open emails from people you know,” doesn’t work. CryptoWall-infected emails appear to come from your coworkers or clients. The bodies of the messages even sound business-related.
Can we just block the emails? Won’t my antivirus software stop it?
CryptoWall is particularly stealthy and uses multiple sophisticated methods to hide and protect itself. While it may be possible to manually create protections that target the most recent strain of CryptoWall, this malware keeps evolving, so manual, “rifle shot” fixes are difficult to maintain. This represents the cutting edge of hacking, and the hackers are doing everything they can to avoid detection.
What do I do if I think I have an infection?
CryptoWall 3.0 begins with a single point of infection – a single workstation or laptop. That machine then begins encrypting its own data and reaching out to servers and attached media to encrypt them. Disconnect the suspect system from the network immediately, turn it off, and contact us. It continues encrypting only while the infected machine is on and connected to the network.
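Because the damage spreads from one workstation outward across the shares it can reach, the earliest signal on the file server is a single host rewriting an unusual number of distinct files in a short time. As an added example (not the bulletin's own tooling), this Python script runs that heuristic over file-share audit events and names the host to disconnect. The audit line format ("ISO-time,host,user,path,action"), the window and threshold values, and the sample events are all assumptions constructed for this example; a real deployment would feed it the file server's own audit log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection parameters (assumed values for this example, not taken from the bulletin).
WINDOW_SECONDS = 60
MAX_DISTINCT_FILES = 30   # more distinct files modified than this per window by one host = alert


def parse_event(line: str):
    """Parse one 'ISO-time,host,user,path,action' audit line (constructed format) into a tuple."""
    ts, host, user, path, action = line.strip().split(",", 4)
    return datetime.fromisoformat(ts), host, user, path, action


def detect_mass_modification(lines, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_FILES):
    """Return {host: first_alert_time} for hosts rewriting too many distinct files within the window.

    Sliding window per host: keep (time, path) of recent WRITE/RENAME events, drop those older
    than the window, and alert when the number of distinct paths in the window exceeds the threshold.
    Events must arrive in time order.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, host, _user, path, action = parse_event(line)
        if action not in ("WRITE", "RENAME"):      # reads alone are not evidence of encryption
            continue
        q = recent[host]
        q.append((ts, path))
        while q and ts - q[0][0] > timedelta(seconds=window):
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold and host not in alerts:
            alerts[host] = ts                       # first moment the host crossed the line
    return alerts


def build_sample_events():
    """Constructed audit trail: normal use on WS-07, an encryption-like burst on WS-12."""
    base = datetime(2015, 3, 10, 9, 0, 0)
    lines = []
    for i in range(5):   # a user saving a handful of documents over an hour
        ts = (base + timedelta(minutes=12 * i)).isoformat()
        lines.append(f"{ts},WS-07,alice,\\\\FS1\\shared\\doc{i}.docx,WRITE")
    for i in range(40):  # one host rewriting 40 distinct files in 20 seconds
        ts = (base + timedelta(seconds=30 + i // 2)).isoformat()
        lines.append(f"{ts},WS-12,bob,\\\\FS1\\shared\\file{i}.xlsx,WRITE")
    return sorted(lines)  # lines start with the timestamp, so string order is time order


if __name__ == "__main__":
    for host, when in detect_mass_modification(build_sample_events()).items():
        print(f"ISOLATE {host}: {when.isoformat()} - mass file modification on the share")
```

The alert names the workstation, not the server: the server is only the victim of the writes, and pulling the network cable on the offending host is what stops further encryption, which is exactly the response the bulletin asks for. Tune the window and threshold against a week of normal activity before acting on the output, since a large legitimate copy job can also cross a threshold set too low.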
How do I protect myself from CryptoWall and my own employees?
For CryptoWall, one of the most important factors is user education. Be extra hesitant to open .ZIP or .PDF email attachments, even if they appear to be from trusted sources. Confirm that the sender really did email them, if possible. Also, ensure that you have good backups. In many cases following an infection, restoring the encrypted files from backup is the very first step toward getting a site back online. Lastly, stay on top of the basics: perform proactive maintenance, install software security patches, keep your antivirus up to date, use a web blocker, etc. When the next strain of ransomware