Defending against Cryptowall ransomware

In recent weeks we have been dealing with incidents of ransomware. The ransomware used in all of those incidents was Cryptowall 4.0 and its variants.

Techniques used to exploit the organizations included:

The compromise of sites that were categorized as non-malicious and allowed by the organization’s web filtering software
Using zero day variants of the ransomware so that existing anti-malware programmes did not detect or block it

The attack vector on the end user machine in all cases exploited unpatched adobe flash plugins on the end user’s browser to install the malware.

What is ransomware?

Ransomware is a type of malicious software (malware) which attempts to extort money from victims, typically by displaying an alert stating that the computer has been locked or that all files have been encrypted. A ransom is demanded to restore access.

“Your computer has been infected with a virus. Click here to resolve the issue”

“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine”

“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data”

The ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.

How ransomware operates

protect against ransomware Ransomware is typically spread through phishing emails that contain malicious attachments, Web-based instant messaging applications and drive-by downloading. Drive-by downloading occurs when a user visits an infected website or clicks on an infected banner. The malware is downloaded and installed without their knowledge.

Ransomware can encrypt files on local computers, shared network drives, synced cloud accounts and removable media. It can harvest your data and send it to cybercriminal servers to use it in future attacks. It may destroy your data if the encryption key is faulty or not downloaded correctly.

Ransomware may further enlist your computer in a botnet and use its resources to launch attacks on other victims.

What's new in CryptoWall v4.0?

CryptoWall 4.0 is more difficult to protect against than its predecessor, CrptoWall 3.0, according to Heimdal Security.

The CryptoWall code has been enhanced in several ways. It includes a modified protocol that enables it to avoid being detected, even by 2nd generation enterprise firewall solutions.

This lowers detection rates significantly compared to the already successful CryptoWall 3.0 attacks.

The second enhancement is that CryptoWall 4.0 encrypts file names as well as data. In previous versions of CryptoWall file names were left intact, so a victim only noticed the problem was when attempting to open a file. Although this development be more frustrating for the victim as it makes it more difficult to know what files need to be recovered, it can serve as an early warning to shut down the box and limit the spread of the malware.

Impact

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the help of a data recovery specialist.

Businesses may face:

Temporary or permanent loss of sensitive or proprietary information
Disruption to regular operations
Financial losses incurred to restore systems and files
Potential reputational damage

Preventative measures you can take against Cryptowall 4.0

The following preventative measures are essential to protect computer networks from ransomware infection:

Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
Keep your operating system and software up-to-date with the latest patches. Ensure all browser plug-ins are up to date.
Never click on links in unsolicited emails. Security awareness training should be provided to all staff and their performance tested regularly through social engineering exercises.
Educate employees on safe practices when browsing the web and block uncategorized websites.
Use a whitelist for executable programs on end-users' systems to safeguard against infection.
Maintain up-to-date anti-virus software

Once data is encrypted, there is not a lot that can be done. Options include either formatting the system and restoring information from a backup or paying the ransom to get a decryption key. However, paying the ransom is not advised as there is no guarantee of receiving a decryption key and the payment process itself can lead to further infections.

All instances of fraud should be reported to the police.