Ransomware Warning: Creators – Beware!

Note: This post contains a little profanity, which isn’t usually like me. You’ve been warned.

As my day job now involves working at a computer service and repair shop, I often deal with the aftermath of infections: Viruses, malware, ransomware, you name it, we’re here to help remove it. All sales pitches aside (most of you would be well out of the range of our service center anyway) there is something I encountered for the first time that gave me pause:

CryptoWall 2.0. (This link points to an article about it, not the actual malware itself!)

CryptoWall 2.0 is the newest player in the filecrypt/filelocker malware category. And it can be a real pain in the ass. The original CryptoWall appeared in April of this year, and it worked very similarly to older malware programs like CryptoLocker. Essentially, they encrypt documents on your computer (text documents, pdfs, photos, spreadsheets, etc.). They then offer you the encryption key to unlock your files if you pay a ransom.

In the case of older malware like CryptoLocker, there exist utilities and even a website that can help you obtain a key free of charge. No such luck at this point with CryptoWall 2.0, especially because the newest version just came out last month and it uses RSA-2048 encryption. Cracking that without the private key they generate for each infected computer would take potentially thousands of years of ‘brute force’ on today’s typical computing power. So it’s not happening. You could pay them the ransom (which starts at one rate and then climbs over time in an effort to get you to pay sooner rather than later) but that bites because then they win.

Sadly, right now there isn’t any way to unlock files without paying the ransom. But there are some things to know about it to help protect yourself.

1) How it Works

It usually infects computers via email attachments that look important or business-oriented (invoices, purchase orders, etc.). When it executes on your computer, it looks for documents that it can encrypt, and then makes an encrypted copy of them. The originals are then securely deleted (so ordinary recovery/undelete software can’t find them) and a nifty, helpful DECRYPT_INSTRUCTIONS file is placed in every directory in which it found files.

Lastly, it deletes any Shadow Volume Copies (a nifty term for backup copies that Windows may create) to again prevent you from recovering non-encrypted versions of the files. And it doesn’t just hit the files on your C: drive – it searches all drives on a computer, including things mapped as ‘network drives.’ If you have a flash drive or Android device mounted, it could encrypt those. If your Dropbox account is mapped as a network drive, it would try encrypting those as well. If you have a cloud storage device or removable hard drive, or you map drives from other computers in your home or business to your machine, they are also at risk of being searched and encrypted.
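To see how the behaviour above looks from the defender’s side, here is an added triage script (my example, not code from the original post or from the malware’s authors). It walks a file tree and reports two things: every directory that received a DECRYPT_INSTRUCTIONS marker file (the name the post gives; the .txt/.html suffixes in the sample are constructed), and documents whose contents no longer match what their extension claims, because an encrypted copy has lost the fixed header a PDF, Office, JPEG or PNG file normally starts with, and a plain-text file that has become near-random bytes stands out by its entropy. The extension lists, the 7.0 bits-per-byte threshold and the sample tree are all assumptions built inline so it runs offline; the point is to separate locked files from untouched ones before you start restoring.

```python
"""Scope a CryptoWall-style infection across a file tree (added example)."""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

MARKER_PREFIX = "DECRYPT_INSTRUCTIONS"  # ransom-note file name given in the post

# Expected leading bytes for formats that carry a fixed header.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Header-less formats are judged by entropy instead. Threshold is an assumption:
# English text sits around 4.5 bits/byte, ciphertext approaches 8.
TEXT_EXTENSIONS = {".txt", ".csv", ".rtf"}
ENTROPY_THRESHOLD = 7.0
MIN_BYTES = 64  # entropy of very short files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, data: bytes) -> bool:
    """True when the content does not match what the extension promises."""
    ext = path.suffix.lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    if ext in TEXT_EXTENSIONS:
        return len(data) >= MIN_BYTES and shannon_entropy(data) >= ENTROPY_THRESHOLD
    return False  # unknown type: no opinion, leave it for manual review


def scan_tree(root) -> dict:
    """Return marker directories and suspected-encrypted files, relative to root."""
    root = Path(root)
    marker_dirs, suspicious = set(), []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        for name in files:
            p = here / name
            if name.startswith(MARKER_PREFIX):
                marker_dirs.add(here.relative_to(root).as_posix())
            elif looks_encrypted(p, p.read_bytes()):
                suspicious.append(p.relative_to(root).as_posix())
    return {"marker_dirs": sorted(marker_dirs), "suspicious_files": sorted(suspicious)}


def build_sample_tree() -> str:
    """Constructed sample: two folders that were hit, one that was not."""
    root = Path(tempfile.mkdtemp(prefix="cw_scan_"))
    rng = random.Random(1)

    def garbage(n: int) -> bytes:  # deterministic stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    prose = b"Minutes of the weekly meeting. Action items are listed below.\n" * 20
    (root / "Documents").mkdir()
    (root / "Documents" / "notes.txt").write_bytes(prose)            # untouched text
    (root / "Documents" / "invoice.pdf").write_bytes(garbage(1024))  # encrypted copy, header gone
    (root / "Documents" / "secret.txt").write_bytes(garbage(1024))   # encrypted copy, high entropy
    (root / "Documents" / "DECRYPT_INSTRUCTIONS.txt").write_text("constructed ransom note\n")
    (root / "Photos").mkdir()
    (root / "Photos" / "ok.png").write_bytes(MAGIC[".png"] + prose)  # untouched image
    (root / "Photos" / "vacation.jpg").write_bytes(garbage(1024))    # encrypted copy
    (root / "Photos" / "DECRYPT_INSTRUCTIONS.html").write_text("<p>constructed ransom note</p>\n")
    (root / "Music").mkdir()
    (root / "Music" / "track.mp3").write_bytes(garbage(256))         # type not checked; ignored
    return str(root)


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print("Directories with ransom notes:", report["marker_dirs"])
    print("Files that look encrypted:   ", report["suspicious_files"])
```

Header checking is deliberately preferred over entropy where a header exists: compressed formats such as JPEG, PNG and the zipped Office containers already have near-random bodies, so an entropy threshold alone would flag perfectly healthy photos and spreadsheets.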

2) What Happens Next

Once it runs, that’s usually the end of it. Unless it executes again, no more files and no new files will be encrypted. It doesn’t spread like viruses do to other computers, so just because it may encrypt files on a drive that is shared with a network, that doesn’t mean it will also encrypt files on other computers that access that drive.

The only way to recover your documents is from backed-up copies that weren’t affected by CryptoWall 2.0. And that can be problematic because if you are currently running a differential backup (a type of backup that checks for changes in a file and then updates/overwrites the backup with those newer versions) you run the risk that the backup software will identify your encrypted files as the latest and greatest version and (you guessed it!) possibly overwrite the backup with those useless, locked copies.

3) How To Recover

Your system needs to be cleaned, or wiped for a Windows reinstall, to ensure that the viruses or the encryption software are gone. The files on there that are locked are (currently) lost until someone discovers a way to break the encryption or identifies a weakness in the ransomware (or, if you are desperate enough, you can pay them, and currently they will actually provide you with the key and a utility to unlock your stuff).

You’ll need to restore from your backups to truly recover your documents in most cases. If your Dropbox or cloud storage service is affected, check if they have versioning, which essentially means they keep multiple versions of your files for a time in case you accidentally overwrite something with an unwanted version. (Opening a Word document, holding down backspace from the end of the document until all the text is gone and then saving it technically creates the newest version, but that doesn’t mean it’s the one you want to keep!) If they have versioning, like Dropbox does, you can view/restore previous versions of the files from before they were encrypted.
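The overwrite problem from section 2 and the versioning that rescues you in section 3 are two sides of the same design decision, so here is one added example covering both (my illustration, not code from the original post or from any backup product or cloud service). A mirror-style backup keeps one copy per file and replaces it with whatever is newest, so after an encryption run the backup holds the locked copies too. The versioned store never overwrites: it appends a version per changed file, tags each with the snapshot that produced it, flags a snapshot in which most tracked files changed at once (the thresholds are assumptions), and can roll every file back to how it stood before that snapshot. File names and contents are constructed in memory; nothing on disk is touched.

```python
"""Mirror backup vs. versioned backup under an encryption run (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Heuristic thresholds for "too many files changed in one run"; both are assumptions.
MASS_CHANGE_RATIO = 0.5    # fraction of tracked files modified in a single snapshot
MASS_CHANGE_MIN_FILES = 3  # ignore tiny sets where one honest edit is already 50%


class MirrorBackup:
    """Keeps one copy per file: the newest version wins, good or not."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}

    def snapshot(self, files: Dict[str, bytes]) -> None:
        self.store.update(files)  # encrypted copies silently replace the originals

    def restore(self, name: str) -> bytes:
        return self.store[name]


@dataclass(frozen=True)
class Snapshot:
    number: int
    changed: Tuple[str, ...]
    suspicious: bool


class VersionedBackup:
    """Append-only store: every version of every file, tagged by snapshot number."""

    def __init__(self) -> None:
        # file name -> [(snapshot_number, content), ...], oldest first
        self.versions: Dict[str, List[Tuple[int, bytes]]] = {}
        self.history: List[Snapshot] = []

    def snapshot(self, files: Dict[str, bytes]) -> Snapshot:
        number = len(self.history) + 1
        changed = []
        for name, data in files.items():
            hist = self.versions.setdefault(name, [])
            if hist and hist[-1][1] == data:
                continue                  # unchanged: no new version stored
            if hist:
                changed.append(name)      # an existing file was modified
            hist.append((number, data))   # new files are recorded but not counted as changes
        tracked = len(self.versions)
        suspicious = (len(changed) >= MASS_CHANGE_MIN_FILES
                      and len(changed) / tracked >= MASS_CHANGE_RATIO)
        snap = Snapshot(number, tuple(sorted(changed)), suspicious)
        self.history.append(snap)
        return snap

    def restore(self, name: str, version: int = -1) -> bytes:
        """Latest version by default; negative indexes walk back in time."""
        return self.versions[name][version][1]

    def restore_before(self, snapshot_number: int) -> Dict[str, bytes]:
        """Every file as it stood before `snapshot_number` ran."""
        result = {}
        for name, hist in self.versions.items():
            earlier = [data for num, data in hist if num < snapshot_number]
            if earlier:
                result[name] = earlier[-1]
        return result


def simulate() -> dict:
    """Three snapshots: initial files, one honest edit, then an encryption run."""
    day1 = {"report.docx": b"Q3 report, draft",
            "budget.xlsx": b"FY2015 budget",
            "photo.jpg": b"\xff\xd8\xff family photo"}
    day2 = dict(day1, **{"report.docx": b"Q3 report, final"})
    # Constructed stand-in for ciphertext: every file replaced at once.
    day3 = {name: b"ENCRYPTED:" + bytes(reversed(data)) for name, data in day2.items()}

    mirror, versioned = MirrorBackup(), VersionedBackup()
    for files in (day1, day2, day3):
        mirror.snapshot(files)
    snaps = [versioned.snapshot(files) for files in (day1, day2, day3)]

    attack = next(s for s in snaps if s.suspicious)
    good = versioned.restore_before(attack.number)
    return {
        "edit_snapshot_suspicious": snaps[1].suspicious,
        "attack_snapshot_number": attack.number,
        "mirror_budget": mirror.restore("budget.xlsx"),   # locked copy, original gone
        "versioned_budget": good["budget.xlsx"],          # pre-attack copy survives
        "versioned_report": good["report.docx"],          # keeps the honest day-2 edit
        "report_versions": len(versioned.versions["report.docx"]),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value!r}")
```

The mass-change flag is what turns versioning from a convenience into a defence: the run that rewrote every tracked file in one pass is exactly the snapshot you want to restore to just before, and a store that only ever appends still has that point available.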

4) How to Protect Yourself

There is a utility available from FoolishIT that is designed to help prevent programs like CryptoWall from executing. Like any utility, there could be consequences to using it since it works by limiting the ability of some programs to run on certain file paths of your system.

In closing, it would be devastating for most of us to risk losing access to ALL of the documents on our computer and potentially our backups. So be careful out there.

~ Meredith Purk