CryptoWall: A Persistent and Growing Ransomware Threat
CryptoWall, a type of ransomware that first appeared in the fourth quarter of 2013, remains a significant threat. CryptoWall operates by encrypting its victims' files and demanding a ransom to decrypt them. Each ransom is usually set at a few hundred dollars, though the amount varies on a case-by-case basis.
In some instances, victims have been forced to pay thousands of dollars. However, paying up doesn't guarantee that victims will recover their data. Some victims never regain access to their files even after they have paid the money.
Researchers at Dell's Counter Threat Unit described CryptoWall as the largest, most devastating ransomware threat on the Internet. In an August 2014 report on the subject, they noted that in only 6 months, CryptoWall had infected around 625,000 systems, encrypted approximately 5.25 billion files, and netted criminals over $1.1 million.
Unfortunately, CryptoWall became more prolific in the months following Dell's report. In June 2015, the US Federal Bureau of Investigation (FBI) issued a public service announcement about CryptoWall, calling it the "most current and significant" piece of ransomware targeting US entities. According to the report, CryptoWall has cost nearly 1,000 American individuals and businesses over $18 million since April 2014. However, experts believe those numbers underrepresent the actual damage, since many victims may not have filed complaints with the FBI.
Many of these attacks involved newer versions of CryptoWall. While these versions work in largely the same fashion as their predecessors, they come with a few new twists, such as the ability to use anonymity networks like Tor or I2p to interact with infected hosts.
CryptoWall's Modus Operandi
CryptoWall typically infiltrates a system through infected email attachments. An attacker sends email messages to targets that appear to be sent from legitimate organizations, a method commonly referred to as phishing. Files attached to these messages are frequently disguised as bank invoices or user manuals. As a result, users unwittingly download hidden pieces of malware, leading to infection.
Attackers may also use compromised websites to trick their victims into downloading the ransomware. These websites claim to offer updates to popular programs such as Java, Flash Player or Adobe Reader.
In some cases, an ill-advised download isn't even necessary in order to spread ransomware. Instead, victims can become infected simply by visiting a website with a hidden pre-packaged method for sending malware. These malware packs are known as exploit kits, and they are a common line of attack in later versions of CryptoWall.
Once a system is infected, the hacker's remote server generates a pair of encryption keys. The public key is copied to the victim's computer and begins locking the files. The private key, which can unlock the files, remains on the hacker's remote server. While this method may sound simple, it is based upon industry standard techniques, and is effectively uncrackable.
After the encryption is complete, CryptoWall displays the ransom demand along with payment instructions and details about the attack. Victims are warned that their files have been "irrevocably changed," and they will not be able to access them unless payment is received. Failure to make payment after a certain timeframe leads to increases in the ransom amount. Eventually, the ransomware threatens to delete the private key, which would make the files unrecoverable.
Defense and Prevention
First and foremost, users should have current anti-virus software on their computers. In general, all software programs should be kept up-to-date with the latest security enhancements.
Suspicious websites should be avoided at all costs. Users should never open emails that appear suspect or were sent by entities that they don't trust. Similarly, they shouldn't download attachments that they're not expecting. These statements may seem intuitive, but the spread of ransomware is driven almost entirely by the behavior of careless and unsuspecting victims.
Finally, make sure critical data is regularly backed up and replicated to an off-site location. The backups, which should occur automatically without staff intervention, would enable a trivial recovery from attacks such as CryptoWall.
Threats like CryptoWall pose serious challenges to businesses across the globe. Being aware of these issues is the first step in combating them. For assistance with the prevention of CryptoWall, or possible recovery from it, contact us today.