Unless you’ve been living under a rock, you’ve probably heard of the file-encrypting ransomware program called CryptoWall. It’s a piece of malicious kit an attacker uses to extort hard-earned money from anyone unlucky enough to get hit by it. For a short while CryptoWall was AWOL, on vacation so to speak, but it reared its ugly head again in January 2015, having mutated into something bigger, better (or worse, as is the case) and nastier than ever before. The latest iteration of this malware is dubbed CryptoWall 4.0.
What is CryptoWall 4.0?
CryptoWall 4.0 is a more sophisticated mutation of its predecessors, with a number of changes over earlier versions. After encrypting the victim’s data files, it redirects the user of the infected computer to a web site where they must pay $500 in bitcoins (virtual currency) in exchange for a decryption key. CryptoWall also hides behind two of the most popular anonymity networks, Tor and I2P (the Invisible Internet Project), making it very difficult to trace and track. God forbid you’re on a company network with network shares.
It has the ability to do tremendous damage to the entire network from one lonely infection on one not-so-isolated system. Simply put, if a system with drive mappings gets infected, so does your data on every network share that system has access to, rendering most of that data completely useless, with only two options to reverse the damage. Neither option is cheap; I talk about the options below for those who are interested.
Preventing CryptoWall Infections
Protecting against such attacks requires specialized skills and constant monitoring and management of your network and data, which is why it’s important to enlist the services of a Managed IT Services Company. If you’ve been unfortunate enough to have been a victim, then you’ll no doubt have noticed a few local files which seem odd and out of place. Among the files left on the victim’s computer after their data is encrypted is a ransom note in .txt and .jpg format, which essentially instructs the victim to download the Tor browser and access a Tor hidden service directly if the Tor gateway URLs no longer work.
The new CryptoWall 4.0 goes one step further by hiding behind Tor, which then redirects the victim to the attackers’ web site, which in turn hides behind I2P (the Invisible Internet Project). Another notable variation in the newly enhanced CryptoWall 4.0 release is that it’s much stealthier than its predecessor. CryptoWall 4.0 has changed its file naming convention to the new format as listed below:
Its name change is the least of your worries. The new CryptoWall 4.0 not only encrypts the actual contents of your files, it also encrypts the file names, making it virtually impossible to recognize any file by its name. The makers of CryptoWall are obviously running a software business, given its constant evolution and updates. One more point to note is that CryptoWall does not affect any system identified as using a Russian keyboard. CryptoWall is not the first malware program to use I2P, and it certainly will not be the last. In November 2013, security researchers reported that an online banking Trojan called i2Ninja was being advertised on cyber criminal forums.
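The file-name encryption described above has a behavioural signature that a defender can watch for on a file server: one process renaming many files to names that bear no resemblance to the originals, all within a few seconds. The following detection heuristic is an added example and not code from this post or from any product; the audit-log format, the process and share names and the thresholds are constructed assumptions, and a real source (Windows file auditing, a NAS audit log, Sysmon) would need its own parser.

```python
"""Flag processes that rename many files to unrelated names in a short burst.

Added example (not the post's or any vendor's code). The log layout
"<timestamp> <process> RENAME <old path> <new path>" and the thresholds
below are assumptions chosen for illustration.
"""
import ntpath                      # handles Windows/UNC paths on any platform
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 60   # assumption: look-back window for the burst check
BURST_THRESHOLD = 5   # assumption: unrelated renames inside the window that raise an alert

# Constructed sample of a file-rename audit stream (not real telemetry).
SAMPLE_LOG = r"""
2015-01-15T09:12:01 explorer.exe RENAME \\fs01\finance\q4_draft.xlsx \\fs01\finance\q4_final.xlsx
2015-01-15T09:30:00 a3f9k.exe RENAME \\fs01\finance\budget.xlsx \\fs01\finance\7g2kq9.x1b
2015-01-15T09:30:01 a3f9k.exe RENAME \\fs01\finance\invoices.docx \\fs01\finance\k0p3vz.m8a
2015-01-15T09:30:01 a3f9k.exe RENAME \\fs01\finance\payroll.pdf \\fs01\finance\zz81ne.t5q
2015-01-15T09:30:02 a3f9k.exe RENAME \\fs01\hr\contracts.docx \\fs01\hr\b4hw2c.r7e
2015-01-15T09:30:03 a3f9k.exe RENAME \\fs01\hr\policy.docx \\fs01\hr\n6ya0d.c2p
2015-01-15T09:30:04 a3f9k.exe RENAME \\fs01\hr\handbook.pdf \\fs01\hr\qw93lm.v4s
2015-01-15T11:05:10 backup.exe RENAME \\fs01\finance\budget.xlsx.tmp \\fs01\finance\budget.xlsx
"""


def parse_line(line):
    """Return (timestamp, process, old_path, new_path) for a RENAME line, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "RENAME":
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[3], parts[4]


def _stem(path):
    """Lower-cased file name without its last extension."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def _trigrams(s):
    return {s[i:i + 3] for i in range(len(s) - 2)}


def looks_unrelated(old_path, new_path):
    """True when the new name shares no 3-character run with the old one.

    Ordinary renames (draft -> final, .tmp -> real name) keep most of the
    original name; an encrypted file name keeps none of it.
    """
    old, new = _stem(old_path), _stem(new_path)
    if min(len(old), len(new)) < 3:
        return old != new
    return not (_trigrams(old) & _trigrams(new))


def find_rename_bursts(log_text, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Map each process to its largest count of unrelated renames within `window` seconds,
    keeping only processes that reach `threshold`."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and looks_unrelated(parsed[2], parsed[3]):
            times[parsed[1]].append(parsed[0])

    alerts = {}
    for proc, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):            # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[proc] = best
    return alerts


if __name__ == "__main__":
    for proc, count in find_rename_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {proc} renamed {count} files to unrelated names within {WINDOW_SECONDS}s")
```

Treat a hit as a triage signal, not an automatic block: migration and bulk-rename utilities will trip the same rule, so tune the window and threshold against a baseline of normal activity on your own shares before acting on it.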
The program communicated with a command-and-control server hosted on the I2P network, instead of Tor. Like Tor, the I2P network allows users to run hidden services such as web sites that are only accessible from within the network itself. With Tor, such web sites use the .onion pseudo-top-level domain, while with I2P they use .i2p. A new version of Silk Road, an online marketplace for illegal goods and services, was recently launched on I2P. The site was previously hosted on Tor and was shut down two times by the FBI.
Cyber criminals began distributing CryptoWall 3.0 back in January 2015, after around two months of inactivity that made researchers wonder whether the threat was gone. Like its predecessors, the new version is being distributed through drive-by download attacks that exploit vulnerabilities in outdated browser plug-ins, or through other malware already installed on computers, researchers from Microsoft said Tuesday in a blog post. Just like its predecessor, CryptoWall 3.0, this new strain also connects to a series of compromised web pages to download the payload onto the targeted system.
These pages also tie the infected system into a botnet and use it to spread malware to other computers. Below you will find a short list of web pages which are infected and carry the new CryptoWall 4.0 payload. We advise that you block access to these sites to prevent accidental infections. DO NOT VISIT THE SITES. We are not responsible for the outcome. CAUTION – here is a short list of these infected pages:
pastimefoods [.] com
19bee88 [.] com
adrive62 [.] com
httthanglong [.] com
mofiaweb [.] com
image camera club [.] com
vk1001 [.] ru
tuvestir [.] com
parsimaj [.] com
frc-pr [.] com
www.frc-pr [.] com
adcconsulting [.] net
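The list above is written in defanged form (" [.] " instead of a dot) so that nobody clicks it by accident. To actually block the sites, a defender has to turn those strings back into hostnames and feed them to a DNS filter, proxy or hosts file. The script below is an added example, not part of the original post: it refangs the indicators exactly as listed, lowercases them, collapses the bare and www. variants onto one entry, rejects anything that is not a syntactically valid hostname instead of silently "fixing" it, and emits hosts-file lines. Sinkholing to 0.0.0.0 in a hosts file is an assumption about the simplest control a small business has; a network-wide DNS or proxy block list is the better place for the same entries.

```python
"""Build a deny list from the defanged indicators quoted in the post.

Added example, not the post's own tooling. The indicator strings are the
ones printed above; the output formats are assumptions.
"""
import re

# Indicators copied as they appear on the page (defanged with " [.] ").
DEFANGED_INDICATORS = [
    "pastimefoods [.] com",
    "19bee88 [.] Com",
    "adrive62 [.] com",
    "httthanglong [.] com",
    "mofiaweb [.] com",
    "image camera club [.] com",   # contains spaces as printed; cannot be a hostname as-is
    "vk1001 [.] ru",
    "tuvestir [.] com",
    "parsimaj [.] com",
    "frc-pr [.] com",
    "www.frc-pr [.] com",
    "adcconsulting [.] net",
]

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def refang(indicator):
    """Replace the ' [.] ' defanging with a real dot and lowercase the result."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip()).lower()


def normalize(indicators):
    """Return (valid_domains, rejected_raw_entries).

    Leading 'www.' is dropped so both variants of a site become one entry;
    entries that do not parse as a hostname are reported, not guessed at.
    """
    valid, rejected, seen = [], [], set()
    for raw in indicators:
        domain = refang(raw)
        if domain.startswith("www."):
            domain = domain[4:]
        if not _DOMAIN_RE.match(domain):
            rejected.append(raw)
            continue
        if domain not in seen:
            seen.add(domain)
            valid.append(domain)
    return valid, rejected


def hosts_file_lines(domains):
    """Sinkhole each domain and its www. variant in hosts-file syntax."""
    lines = []
    for d in domains:
        lines.append(f"0.0.0.0 {d}")
        lines.append(f"0.0.0.0 www.{d}")
    return lines


if __name__ == "__main__":
    domains, bad = normalize(DEFANGED_INDICATORS)
    print("\n".join(hosts_file_lines(domains)))
    for entry in bad:
        print(f"# REVIEW MANUALLY (not a valid hostname as printed): {entry!r}")
```

Two caveats a practitioner should keep in mind: the list dates from the post's publication, so entries may since have been cleaned up or re-registered by someone unrelated, and a static block list only covers the distribution sites named here, not the Tor and I2P channels the malware uses afterwards.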
There are a number of ways a business can protect itself from a CryptoWall-like attack, as listed below:
Install and Update Antivirus and Malware Protection
Whitelist which applications can run on a system, making it virtually impossible to be affected by such attacks
iTenol’s system lockdown service safeguards a system from being infected and renders the rogue program useless
Domain group policy to prevent users from doing anything that is unauthorized
Network / Firewall security to prevent and protect the network as a whole with IPS (Intrusion Prevention) and IDS (Intrusion Detection)
According to researchers, depending on the victim’s location, the malware might also display the ransom note and instructions in a different language. For example, one researcher received the CryptoWall instructions in French on his test system. So how does one protect oneself from the extortionate, destructive and disruptive nature of CryptoWall 4?
How To Decrypt CryptoWall Encrypted Data
Yes, the section heading is a little misleading, but for good reason. There are countless searches on the web by CryptoWall victims looking for a tool to miraculously return their data with no cost or effort. Sorry to be the bearer of even more bad news, but there is no way on God’s green earth anyone can return your data with a tool that decrypts CryptoWall-encrypted data. So, in short, if you’re wondering about a CryptoWall decryption key tool, wonder no more, as there is no such thing. The encryption is too strong, and even if it were possible it would take more time than you would be willing to wait while your business suffers. Depending on a number of factors, there is still a way to get your data back even if you don’t have a backup; however, the method in question depends on things such as the size of the storage drive, the free storage available, how swiftly a recovery is initiated, and whether the drive is preserved after an infection.
For more information on recovering CryptoWall-encrypted data, call iTenol on (877) 948-3665 and let’s chat to see if we’re able to reverse the damage even if you don’t have a backup. Talking about backups, what surprises us is the number of business owners who feel their businesses are immune to such attacks and see no value in being proactive and periodically backing up their data. If you’re one of the unlucky ones struck by this nasty malware, you had better have had a good backup and disaster recovery plan for CryptoWall in place, because there are only two other ways to get your ransomware-encrypted files back. One is to pay the crooks $500 for the decryption keys, which in itself is a security risk, and the second is to engage the services of a data recovery company. Otherwise, face the reality of going out of business or, worse yet, being sued by your clients and customers if you’re a white-collar professional such as a law firm, an accounting firm or a medical practitioner, to mention a few.
CryptoWall Removal Tool
If your computer(s) or server(s) are infected with CryptoWall, there are a few good tools you can use to perform a cleanup and removal of CryptoWall. You could also attempt a manual removal. Our CryptoWall removal tool of choice is Malwarebytes. It’s free to use and does a very good job of cleaning your system of a variety of undesirable applications and programs. If you’re a small business with little to no IT support, give us a call to review your current BDR strategy to make sure that in the event of such an attack, your business remains operational and data loss is kept to a minimum.
Call iTenol Consulting today to learn how we can keep your business from being attacked and violated by such malware. Call us today at (877) 948-3665 and protect against CryptoWall ransomware.
We are a technology consulting company with a focus on helping our customers achieve measurable business results by leveraging the investment already made in their existing technology. We often come across clients that have been wrongly advised and sold "STUFF" they can't use or never really needed. In most cases, all they ever really needed was to re-augment their existing technology to drive business performance and enhance the bottom line.