We recently had a client hit with CryptoWall 3.0. If you haven’t heard of it, or its earlier variation, Cryptolocker, then you should listen up. This is a new and quite nasty version of malware that can hit your system from something as innocuous as a zipped up attachment in an email appearing to be a resume. You open the file, start reading what seems a legit resume, and you have no clue that you are quickly losing all access to your data. This is only the most basic way this kind of attack can hit, and as you’ll see it is very hard to defend against.
These programs are better known as ransomware, a virus-like attack that encrypts all the data on your computer: your Docs, Excel spreadsheets, your photos and even your music, anything that sits in the default locations where Windows users keep their data. The files are locked with a strong encryption key that is impossible to guess. Once locked, the only clue you have that you’ve been hit is when you attempt to launch a file and get told that it is incompatible, or it opens showing a bunch of gobbledygook instead of what you expect.
If you dig a bit you will actually find some new files in your folders, ones with titles like “why can’t I access my files”. When you open one, it explains exactly what you’ve been hit with and tells you that you can get your files back just by paying a ransom: you will be sent the decryption key if you pay up, usually in the $500-$750 range if you pay within a week.
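The two symptoms just described (documents that no longer open because their contents were replaced, and ransom-note files dropped into folders) can be checked for from the defender's side. The following is an added example, not code from the original post or from any vendor tool: it verifies that files still start with the signature bytes their extension implies and flags folders containing note-like filenames. The note-name hints beyond the phrase quoted in the post, the folder names, and the sample files are all constructed assumptions.

```python
from pathlib import Path
import tempfile

# Leading bytes ("magic numbers") that healthy files of these types start with.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".mp3": b"ID3",
}
# The post only quotes "why can't I access my files"; the other hints are assumed.
NOTE_HINTS = ("why can't i access my files", "help_decrypt", "decrypt_instructions")

def scan_folder(folder, threshold=0.5):
    """Return ransom-note files, files whose bytes no longer match their
    extension, and a 'suspect' verdict for the folder tree."""
    notes, mismatched, checked = [], [], 0
    for path in Path(folder).rglob("*"):
        if not path.is_file():
            continue
        if any(hint in path.name.lower() for hint in NOTE_HINTS):
            notes.append(str(path))
            continue
        magic = MAGIC.get(path.suffix.lower())
        if magic is None:          # unknown type: nothing to compare against
            continue
        checked += 1
        with open(path, "rb") as fh:
            if not fh.read(len(magic)).startswith(magic):
                mismatched.append(str(path))
    ratio = len(mismatched) / checked if checked else 0.0
    return {"notes": notes, "mismatched": mismatched, "checked": checked,
            "suspect": bool(notes) or ratio >= threshold}

def build_sample():
    """Constructed sample data: one healthy folder and one that looks hit."""
    root = Path(tempfile.mkdtemp())
    healthy, hit = root / "healthy", root / "hit"
    healthy.mkdir(); hit.mkdir()
    (healthy / "report.docx").write_bytes(b"PK\x03\x04" + bytes(32))
    (healthy / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(32))
    junk = bytes(range(200, 236))  # stands in for an encrypted file body
    (hit / "report.docx").write_bytes(junk)
    (hit / "photo.jpg").write_bytes(junk)
    (hit / "WHY CAN'T I ACCESS MY FILES.txt").write_text("constructed note")
    return healthy, hit

if __name__ == "__main__":
    for folder in build_sample():
        print(folder.name, scan_folder(folder))
```

Run it against a user's Documents or a mapped share to get an early warning; a healthy folder reports no notes and no mismatches, while a hit one reports both.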
This link shows and explains in more technical detail how this works, but the designers of this have been quite ingenious in their implementation of the attack. If you don’t pay up within a certain period, they double the amount needed to decrypt your data.
So what to do? How do you protect yourself from this? Won’t your antivirus help? And what do you do if you DO get hit by it?
The trick with these attacks is that they are so advanced and so subtle that almost no antivirus tool can protect you from them. It comes down to the best antivirus tool of all: your own habits on the internet. The normal “rules” we give all of our clients still apply. Be suspicious of any attachments that come from people you don’t know, even if it’s a supposed resume. If someone sends you a zipped file and you don’t know FOR SURE what it is, then delete it. Be aware that the risks involved with email, BitTorrents, and virtually any download that isn’t from a secured source are higher now than ever. Apply updates to your OS and your routers regularly. Just be warned that even then you might be hit, as the designers of this ransomware update it regularly.
So what happens if you do find yourself hit with this? Your first step is to stop whatever work you are doing, don’t even try to save anything you have been working on and shut down your system. Don’t try to navigate to any network mapped drives you may have, don’t try to open files in other directories. Shut down immediately and call your IT people (for example, Fix My Computer Now Inc.).
The safest way to deal with this is to do a complete wipe and rebuild of the affected system and then rely on your backup system to restore data that has been compromised. This is the reason we stress to every client that they need to have multiple backups running on even their most innocuous data. Do you have a drive attached that does regular system images? Both Windows 7 and Windows 8.1 have excellent built-in backup tools that can do this. Do you also use an online backup source to keep your most important data offsite and secure in case of break in or fire?
These backups are more important than ever with this kind of attack, as your best bet is to restore your data from a good and recent backup so that you don’t have to worry about the ransom for your data. We will be checking on all our contract clients individually and beefing up their backups as needed, but if you don’t have any of these, you need to take a close look at your needs.
So what happens if you do get hit and you don’t have a viable backup to use? This is where the “honour among thieves” comes in. Don’t doubt for one minute that the people behind this are thieves, but their scam also requires some honour from them. If they demanded money and never provided the decryption keys, then very quickly people would just stop paying up. If they want the money to flow, they need to provide a way out. All reports we’ve seen so far show they have a centralized command and control that not only supplies a decryption key, but even offers tech support for how to do the decryption after you’ve paid up.
So there HAS to be honour among these thieves for the scam to work. Just don’t expect you’ll ever find where your money went, even if you contact law enforcement. Your payment will be laundered through so many bitcoin wallets that no one will figure out where it ends up. You also need to be very careful about the method you use to pay (i.e. don’t use a regular credit card). This is why your backups are so vital.
Trust us, there is a sense of accomplishment when you can see this hit, restore from a backup and get up and running within a few hours. It’s the best response to these thieves.
If you have questions or need assistance, feel free to contact any one of us at Fix My Computer Now Inc.