Cryptowall – A new threat for 2017
Rich Werk
CryptoWall 4.0 hitting Southwest Florida hard
While we’ve been hard at work servicing the IT needs of Southwest Florida (and redesigning the website), hackers have been hard at work too. Around mid-December, a new threat was released that has been creating havoc for anyone who catches it. This piece of malware is called CryptoWall 4.0. It is the newest update to a particularly nasty trojan, a class of malware that tricks the user into downloading and running it.
CryptoWall is part of a family of malware called “ransomware”. It earned this title because it makes threats and attempts to extort the person sitting at the computer. While most of these are benign, such as the one claiming to be the FBI, CryptoWall has a particularly effective way of getting your attention: it encrypts your files so that you can’t access them. The criminals claim to have the keys and a tool to decrypt, and you have to pay to get them. In older versions of CryptoWall, there were ways to recover your information through backups and a part of Windows called Shadow Copy. Occasionally a technician could recover the originals the same way deleted files are recovered. That’s no longer the case.
Things have gotten far worse…
The 4.0 variant now encrypts your files, deletes any system restore points and backups, and wipes the Shadow Copies. To make matters worse, the original version at least kept your file names as-is. That is to say, your “application.doc” would still be named “application.doc”. Now, however, it changes both the name of the file and its extension (.doc, in this case) to a random series of characters. This way, you don’t know what you’re recovering.
Getting the virus is actually very easy. Typically, the target receives an email with a zipped attachment (a .zip file). Inside is a file that may appear totally benign. It may be called Resume or Application or something else that you may be inclined to open. The issue is that the filename, which may appear to end in .pdf or .docx, may actually carry an additional extension after that one, and only the last extension matters. In this case, the second extension is .js. These files are typically used on websites to create interactive content. The code in the .js file opens a web browser and downloads the malicious code. This code then encrypts your data and sends the criminal the key. You are then given a notice on how to pay.
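As an added example (not code from the original post), here is a defender-side check for the lure described above: it opens a zipped attachment in memory and flags any member whose final extension is a script even though an earlier extension makes it look like a document. The .js extension comes from the post; the other script and document extensions in the two sets, and the sample archive contents, are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# What the user expects to open (disguise) versus what actually runs.
# Only .js is from the post; the rest of both sets is an assumption.
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
SCRIPT_LIKE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr", ".exe"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason if the filename is a (possibly disguised) script, else None.

    Only the LAST extension decides how Windows opens the file, so
    'Resume.pdf.js' is a script no matter what the user thinks they see.
    """
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in SCRIPT_LIKE:
        return None
    last = suffixes[-1]
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_LIKE:
        return f"double extension: looks like {suffixes[-2]} but runs as {last}"
    return f"script attachment: {last}"


def scan_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Inspect a zipped attachment in memory and list members that should be blocked."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                flagged.append((info.filename, reason))
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample: the lure named in the post beside a harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume.pdf.js", "// constructed placeholder text, not a payload\n")
        zf.writestr("Application.docx", "constructed harmless document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```

The same check applies to attachments that are not zipped: run classify_name on the bare filename.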
In previous versions of a similar program, the server that held the keys was seized by the government and the keys were released. That has not happened yet with CryptoWall 4.0. That said, currently the only way to recover the data is to pay, supposedly. The issue is that you have absolutely zero assurance that you will actually be given the keys. Some researchers are attempting to gather the keys that were used, to see if they are reused, and will distribute them when they become available. For now, however, the only people who would have the keys are those monitoring every bit of their internet traffic and those who paid and were lucky enough to actually get them.
…and the bad guys, of course.