Catalyst Blog


MALWARE 101: CryptoLocker & CryptoWall Explained

Posted on 29 October 2015


In late 2013, malware (malicious software) known as CryptoLocker was posted and proliferated throughout the Internet. Since then, many other variations and clones have followed suit to varying degrees, including the similar but distinct CryptoWall malware. While both received media coverage, information and details have been widely diluted, causing many consumers confusion. Read on for Catalyst’s definitive guide to the CryptoLocker and CryptoWall viruses, and how to stop or reverse their effects.

In the beginning of November 2015 the developers of CryptoWall released a new version that people are calling CryptoWall 4.0. Compared to the previous version, there were some significant changes, such as file names now being encrypted, more robust deletion of backup copies, new ransom note filenames, new payment gateways, and a redesign of the ransom note. Detailed information about the changes in CryptoWall 4.0 is discussed at the link below, a source we trust:

Bleeping Computer Cryptowall 4.0 Details

The latest version of CryptoLocker / CryptoWall was updated to version 4.0+, and uses a Java security hole to infect your system without even needing to download or install anything. If you want more details on this version, please check these links:

CRYPTOLOCKER DETAILS

CryptoLocker has many infection vectors, from downloads of seemingly free files to email attachments disguised as practical, mundane or otherwise harmless programs. Commonly, the e-mails carry an attachment presented as an ‘invoice’ from a “known” sender such as a client or colleague, or a PDF file presented as a resume.

However, when you open this file it is not what it seems, and it asks you to approve or enable macros before the file can be opened. If you accept this and you have admin rights on your machine, this is the last time you will see your files.
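As an added illustration (not code from the original post or from Catalyst), here is the kind of defender-side check a mail gateway can run against the attachment pattern described above: it flags Office attachments that use a macro-enabled extension or that carry a VBA project inside the document container, and it is exercised against a constructed sample "invoice" message rather than any real email. The sender addresses, filenames and the fake VBA blob are all invented for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that advertise macros openly.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Legacy binary (OLE2) formats: the extension alone cannot rule macros out.
LEGACY_OFFICE = {".doc", ".xls", ".ppt"}


def has_vba_project(data: bytes) -> bool:
    """Modern Office files (.docx, .xlsx, ...) are zip containers.
    If a vbaProject.bin part is present, the document carries VBA macros,
    even when the extension looks harmless."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def suspicious_attachments(raw_message: bytes) -> list:
    """Return [(filename, [reasons...])] for every attachment worth quarantining."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in MACRO_EXTENSIONS:
            reasons.append("macro-enabled extension")
        if has_vba_project(payload):
            reasons.append("contains vbaProject.bin")
        if ext in LEGACY_OFFICE:
            reasons.append("legacy binary Office format (macros cannot be ruled out by extension)")
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: an 'invoice' mail whose .docx secretly contains a VBA
    project, plus a benign-looking PDF. Nothing here is a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")  # constructed stand-in
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed sender
    msg["To"] = "you@example.invalid"          # constructed recipient
    msg["Subject"] = "Invoice 2015-10"
    msg.set_content("Please see attached invoice.")
    msg.add_attachment(
        buf.getvalue(),
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="invoice.docx",
    )
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="resume.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in suspicious_attachments(build_sample_message()):
        print(f"QUARANTINE {name}: {'; '.join(reasons)}")
```

The point of inspecting the zip contents rather than trusting the extension is that a file named `invoice.docx` can still carry a VBA project; a gateway rule that only blocks `.docm` misses exactly the lure the post describes. In a real deployment the findings would feed a quarantine action rather than a print statement.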

The malware will instantly start to encrypt them, and messages will appear demanding a significant ransom from the user in order to decrypt their files. Usually the ransom demands 1 - 5 bitcoins ($400 – $1800 USD as of post date) to get your file access back; generally the amount depends on how much data the malware was able to find and encrypt, and on the file types that were encrypted.

The ransom will typically double after 3 - 10 days; this will occur if:

  • the ransom has not been paid, or
  • the ransomware detects any attempt to circumvent the encryption.

So calling a professional is usually best if you do not have 100% faith in your backup system, or if the backups are not working as intended for any reason.

The malware scans for specific files and blocks the user’s access to them by encrypting them with a private key that cannot practically be broken. It is estimated that this scam is the first ever to successfully monetize a virus, and it has made millions as a result of desperate people who need their files back. This scam has also served to boost the value of the anonymous e-currency Bitcoin. It has been estimated that over 3.4 million has been generated by this form of ransomware.

CRYPTOWALL

Nearly identical to the now-defunct CryptoLocker, CryptoWall and its subsequent 2.0 and 3.0 versions created additional obstacles for users and IT professionals. Stronger keys and advanced detection avoidance are features that have allowed CryptoWall to remain in operation. Its origin is still unknown.


More and more users are reporting attacks despite having anti-virus installed and being cautious about unfamiliar email attachments. There is also a version that is simple to obtain and is available for free on the deep web. This means it has become even easier for users with little to no IT background to hold a company to ransom.

HOW DO I REMOVE THIS?!

Acquiring malware can be alarming to users and companies alike. If you do not have backups of the files and servers that are impacted, or access to a trusted professional with experience in this area, then your fate is pretty much sealed.

If you do not have backups, you should contact a professional right away, preferably someone with detailed encryption knowledge and experience with this sort of ransomware. Call a professional immediately if:

  1. A trusted advisor did not secure their backups properly and they are also encrypted, or they were not tested or not running.
  2. There were no backups running at all.
  3. You restore from backup, but the files are being encrypted again within seconds.

Whatever you do, do not try to remove the virus from the machine. This will increase your ransom costs immediately, shorten your window for recovery, and may cause the attacker to remove the private key file, rendering your files useless forever.

There are other great guides online that can help you learn more if you are looking for the fully detailed and nerdy version; here is a site we trust for information:

Bleeping Computer - What is Cryptolocker/Cryptowall?

YOU NEED A PROFESSIONAL

Catalyst Network Solutions has been handling these cases since they first started to appear back in late 2012 - early 2013, and we have successfully resolved over 50 of these cases for companies across Canada and the United States.

We are open 24/7 for network emergencies like these.

Catalyst Network Solutions can and will give you options to restore your files and protect you in the future. We are one of the few IT firms that can confidently perform this recovery. We guarantee it! If we cannot get your files back, we will not charge you for the recovery.

Catalyst has several solutions to augment your system and protect against this sort of attack in the future. We can establish redundant and secure backups so you’ll bounce back from any malware attack with next to no downtime.

Don’t sacrifice your productivity! Contact Catalyst Network Solutions today for your comprehensive consultation and assessment.
