Cryptowall 3.0 is a new variant of file-encrypting malware that surfaced in March 2015. Infections arrive via spam email campaigns, infected websites, malicious web advertising, or bundled with other malware.

Once the Trojan has run on the infected computer, it creates multiple registry entries that store the paths of the encrypted files and cause it to run every time the computer restarts. It encrypts particular file types on the computer and creates additional files (text, PDF, and HTML) with instructions on how to obtain the decryption key.
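The two behaviours just described, an autorun registry entry and a burst of rewritten files sitting beside same-named note files, are also what a defender can look for. The following is an added example, not code from the original post: three small heuristics run over a constructed file listing and a constructed set of Run-key values. The directory list, the `.locked` extension, the `HOW_TO_RESTORE` note name and the `xkqmvd` entry are all made-up sample values, not Cryptowall indicators.

```python
"""Detection heuristics for the behaviours described above: a Run-key
persistence entry, mass encryption (many files gaining one new extension
in a short time) and dropped ransom notes.  Added example; every input
below is constructed, not a real Cryptowall artifact."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a legitimate autorun entry rarely launches an executable
# from one of these user-writable locations.
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Note formats named in the post.
NOTE_EXTENSIONS = {".txt", ".html", ".pdf"}


def _split_ext(path):
    """Return (basename, '.ext') with a lower-cased extension ('' if none)."""
    base, ext = ntpath.splitext(path)
    return base, ext.lower()


def suspicious_run_entries(run_values):
    """run_values maps Run-key value name -> command line, as you would read
    them from HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns the names whose command points into a user-writable directory."""
    return [name for name, command in run_values.items()
            if any(d in command.lower() for d in SUSPECT_DIRS)]


def ransom_note_basenames(paths):
    """Basenames that exist in at least two of the note formats (the same
    name dropped as .txt and .html, say), which is how the instructions
    appear on an infected machine."""
    by_base = defaultdict(set)
    for p in paths:
        base, ext = _split_ext(p)
        if ext in NOTE_EXTENSIONS:
            by_base[base].add(ext)
    return {b for b, exts in by_base.items() if len(exts) >= 2}


def burst_by_extension(events, window=timedelta(minutes=5), threshold=5):
    """events: iterable of (path, mtime).  Returns the extensions written to
    `threshold` or more files inside any span of length `window`; an
    encryptor renaming documents produces exactly that burst."""
    per_ext = defaultdict(list)
    for path, mtime in events:
        per_ext[_split_ext(path)[1]].append(mtime)
    hits = set()
    for ext, times in per_ext.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted mtimes
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ext)
                break
    return hits


def assess(run_values, events):
    """Combine the three checks into one report."""
    paths = [p for p, _ in events]
    return {
        "persistence": suspicious_run_entries(run_values),
        "burst_extensions": sorted(burst_by_extension(events)),
        "ransom_notes": sorted(ransom_note_basenames(paths)),
    }


# Constructed sample: six documents rewritten with one new extension within
# two minutes, two same-named notes beside them, one untouched photo, and a
# Run key holding a normal entry plus one launching from AppData.
T0 = datetime(2015, 3, 10, 9, 0)
SAMPLE_EVENTS = [
    ("C:\\Users\\alice\\Documents\\report%d.docx.locked" % i,
     T0 + timedelta(seconds=20 * i))
    for i in range(6)
] + [
    ("C:\\Users\\alice\\Documents\\HOW_TO_RESTORE.txt", T0 + timedelta(minutes=2)),
    ("C:\\Users\\alice\\Documents\\HOW_TO_RESTORE.html", T0 + timedelta(minutes=2)),
    ("C:\\Users\\alice\\Pictures\\holiday.jpg", T0 - timedelta(days=3)),
]
SAMPLE_RUN = {
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
    "xkqmvd": "C:\\Users\\alice\\AppData\\Roaming\\xkqmvd.exe",
}

if __name__ == "__main__":
    print(assess(SAMPLE_RUN, SAMPLE_EVENTS))
```

On a live Windows host the `events` list would come from a directory walk (path plus `st_mtime`) and `run_values` from `winreg`; the thresholds are starting points to tune against normal activity such as a large file copy, which also produces a burst but no paired note files.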

The Trojan attempts to convince the user to pay money in order to get the key that unlocks their files, using a variety of techniques to pressure the user into paying the ransom.

This Trojan was designed to stop the user from accessing their files and force them to pay the attacker to regain access. It does this by encrypting multiple files on the computer using public/private key encryption with a 2048-bit RSA key.

Once the files are encrypted, the Trojan displays a text document or HTML page with a message. The message informs the user that their files have been encrypted and gives instructions on how to obtain the decryption key needed to unlock the files. It may also warn that the decryption key will be deleted after a certain time period, to pressure the user into paying sooner. The attacker may demand hundreds of US dollars in payment, and the amount may increase after a specified time period.

The message also contains a link to a website where the user can make the payment. These sites are typically hosted on the anonymous Tor network, which helps the attacker hide their identity. The threat may ask the user to download a Tor network browser in order to view the site, though newer versions of the threat do not require this. The user may have to pay using cryptocurrencies such as bitcoin, which further prevents the attacker's identity from being traced.

Payment of the ransom is no guarantee that you will receive the key.

What is the best way to protect yourself from this type of Ransomware?

1. Back up your data files, either to an offsite cloud service, a removable drive, or preferably both.
2. Delete spam before you even see it in your preview pane.
3. Install a good popup/ad blocker on your web browser. Different products work on different browsers, so I cannot give a comprehensive list here.
4. Use caution when downloading "free" software. There are always strings attached. During installation there will be check boxes (already filled in) for other "free" offers; these are never a good idea. Be especially wary of programs that claim to speed up your computer, clean your computer, or keep your drivers updated. These are almost always carriers of malware.
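A backup only protects you if the copy is still intact when you need it; ransomware that can reach a mounted removable drive or a synced folder will encrypt the backup too. The following is an added example, not code from this post or from any backup product: it records a SHA-256 manifest when a backup is made and checks the copy against that manifest before it is trusted for a restore. The temporary directory, file names and "ciphertext" bytes are constructed for the demonstration.

```python
"""Backup-integrity check: write a hash manifest beside each backup copy and
verify the copy against it before restoring.  Added example with a
constructed backup tree built in a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # assumed name; keep a second copy off the backup medium


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root):
    """Record relative path -> sha256 for every file under root."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(root).as_posix()] = sha256_file(p)
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(entries, indent=1))
    return out


def verify_backup(root, manifest_path=None):
    """Compare the tree against its manifest.  Files whose hash changed or
    that vanished mean the copy cannot be trusted; files the manifest never
    saw (a dropped note, for instance) are reported as extra."""
    root = Path(root)
    manifest_path = Path(manifest_path) if manifest_path else root / MANIFEST_NAME
    recorded = json.loads(manifest_path.read_text())
    changed, missing = [], []
    for rel, digest in recorded.items():
        p = root / rel
        if not p.exists():
            missing.append(rel)
        elif sha256_file(p) != digest:
            changed.append(rel)
    extra = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                   if p.is_file() and p.name != MANIFEST_NAME
                   and p.relative_to(root).as_posix() not in recorded)
    return {"ok": not (changed or missing), "changed": changed,
            "missing": missing, "extra": extra}


def demo():
    """Build a constructed backup, verify it clean, then simulate an
    encryptor reaching the writable copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (backup / "docs" / "letter.docx").write_bytes(b"constructed document bytes")
        write_manifest(backup)
        clean = verify_backup(backup)
        # Simulated damage: one file overwritten, one note dropped.
        (backup / "docs" / "budget.xlsx").write_bytes(b"\x00\x11 ciphertext stand-in")
        (backup / "docs" / "HOW_TO_RESTORE.txt").write_text("constructed ransom note")
        tampered = verify_backup(backup)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest sits on the same medium only for convenience here; an encryptor that rewrites the manifest would make the check fail noisily rather than silently, but storing a copy of the manifest (or just its own hash) somewhere the backup medium cannot reach is the safer arrangement. The check detects damage, it does not prevent it: the prevention is the offline or versioned copy the list above recommends.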

I have had several customers get hit with these encryption viruses. Those who had good, regular backups were fine. Those who did not lost most of their data.

If the preventative steps listed here seem a bit daunting, give us a call. We can set you up with a good cloud backup at a very low price, and harden your system to help prevent these attacks.