CryptoWall 3.0

Internet threats constantly evolve and appear in different forms. The most recent threat to consumers is the latest strain of CryptoWall, a serious form of ransom malware. This type of malware has dire consequences for the work environment. It is launched when an unsuspecting user opens a seemingly legitimate email disguised as an “EFax” or “UPS Quantum Shipping” notification. The tracking, fax, and Dropbox links in the message contain no information; instead, they launch CryptoWall.

As you can see in these examples, the emails can appear VERY convincing. You can never be too careful about heeding warnings and identifying bogus emails. Always check the sender to determine whether or not the email is legitimate. Refrain from clicking on any links unless you are absolutely certain of their origin.

In cases such as these, the user is not initially aware of the actual impact of the email. What seemed to be a technical glitch at first glance is actually a hacker’s ransomware. The user is alerted to the problem when noticing a single file split into three to four different file types. Once opened, the files launch a page similar to the one pasted below:

The user of the infected PC sees files named “HELP_DECRYPT.TXT/.HTML/.PNG/.URL” or “DECRYPT_INSTRUCTION.TXT/.HTML/.PNG/.URL” appear in groups of three or four. These are variations of the original file, which was locked down using RSA-2048 encryption and permanently deleted. The virus quickly migrates, moving from the local PC to corrupting files on mapped drive shares stored on a file server. Although the virus is limited to the shared drives to which the infected user has access, significant damage is already done. The same principle applies when the virus encrypts an entire Dropbox; all files connected to the infected PC are at extreme risk. This scenario is a complete nightmare for any business.
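The ransom-note filenames and the spread to mapped shares described above are the indicators a defender can sweep for. The following is an added example, not code from ECHO or the original post: it walks a share (or a list of mapped drives) and reports every directory holding CryptoWall-style ransom notes, so an administrator can see how far the encryption has reached before deciding on restoration. The note-name pattern and the sample directory tree are constructed for this illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Ransom-note filenames quoted in the post (HELP_DECRYPT.* / DECRYPT_INSTRUCTION.*).
# Assumption: the note names are matched case-insensitively.
NOTE_RE = re.compile(
    r"^(HELP_DECRYPT|DECRYPT_INSTRUCTION)\.(TXT|HTML|PNG|URL)$", re.IGNORECASE
)


def find_ransom_notes(roots):
    """Walk each root (local folder or mapped share) and return
    {directory: sorted ransom-note names} for every directory that holds notes.
    Directories without notes are omitted, so the result is a map of the blast radius."""
    hits = defaultdict(list)
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                if NOTE_RE.match(name):
                    hits[dirpath].append(name)
    return {d: sorted(names) for d, names in hits.items()}


def build_sample_tree():
    """Constructed sample share: one folder with notes next to an encrypted
    document, one clean folder. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="share_")
    infected = os.path.join(root, "Finance")
    clean = os.path.join(root, "HR")
    os.makedirs(infected)
    os.makedirs(clean)
    for name in ("HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "report.xlsx"):
        open(os.path.join(infected, name), "w").close()
    open(os.path.join(clean, "policy.docx"), "w").close()
    return root


if __name__ == "__main__":
    # In production pass the real mapped drives, e.g. ["S:\\", "P:\\"] on Windows.
    sample_root = build_sample_tree()
    for directory, notes in find_ransom_notes([sample_root]).items():
        print(f"{directory}: {len(notes)} ransom notes {notes}")
```

Folders that show up here are the ones whose files should be considered encrypted and recovered from Shadow Copies or backup rather than trusted.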

Removing ransomware is extremely difficult and often requires a complete rebuild of the infected machine. That’s where ECHO Technology Solutions steps in. In this latest malware attack, a client was infected with CryptoWall 3.0. No commercial AV scanners, including Microsoft Safety Scanner, Malwarebytes, or AV/Bit Defender, could detect or remove the cleverly hidden cryptofile.dll file located in the system32 folder. The virus actually disabled the AV Defender scanner and stopped real-time scans. While the antimalware Hitman Pro did detect the .dll file, it does not offer free removal. Partial removal only resulted in the virus rebuilding itself after a reboot of the infected system. Even removal attempts in safe mode failed! Despite the best efforts of ECHO’s Service Desk, the team spent hours trying to eliminate the malware, in the end resolving to save all salvageable files, then wipe and rebuild the infected system.

CryptoWall has limited file recovery options. Other than paying the ransom, which is not a failsafe option, the only known methods of recovery are using System Restore, Shadow Copies, or backup server restoration. Not many PC users have file-level backups, such as the Volume Shadow Copy service, as this requires significant drive space to store the older versions. In some instances, previous copies are disabled by the virus itself. While most companies have some form of backup software, or Shadow Copies, or a combination of both, many smaller entities tend to run lean and forego this type of safety net. It is these companies that are operating at the greatest level of risk. This is exactly why having a consultant like ECHO is essential.

Not only is ECHO proficient in security, architecture, and end-to-end IT solutions, but we also maintain the highest level of reactive support. In addition, we have a highly available team ready to mitigate and to help users resolve critical issues. Our Service Operations Center, Network Operations Center and Service Desk Operations offer highly skilled Tier 1 through Tier 3 escalation engineers. Our talented team specializes in resolving issues like CryptoLocker and CryptoWall and helps to maintain client systems through highly proactive efforts such as system patching, maintenance and problem remediation.

For more information regarding CryptoWall, please refer to the following article:

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

If you have concerns about the safety of your systems and data, it is time to give ECHO a call!