CryptoWall – How to prevent infection



In the wake of the CryptoLocker takedowns (malware that spread in 2014), a new challenger has arrived and is trying to take the crown of the ransomware kingdom. This malware, known as “CryptoWall”, has stepped out of the shadows and flourished.

It has been so successful that in approximately five months, there have been almost 750,000 reported victims. To do some quick math, that’s roughly 5.5 billion files encrypted and more than $1 million collected in ransoms.

Similar to CryptoLocker, CryptoWall first scans the infected computer for files to encrypt. Once it has encrypted the files, it displays a message telling the victim how to access the decryption service and purchase the decryption program. Currently, the ransom must be paid in Bitcoins and sent to a Bitcoin address that changes per infected user.

An example message is included below:

[Image: CryptoWall ransom message (not preserved in this copy)]

The most commonly reported distribution method is via emails with ZIP attachments that contain executables that are disguised as PDF files.

These PDF files pretend to be bills, invoices, purchase orders, or other professional communications. When you open the bogus PDF, it will execute the malware and infect your computer with CryptoWall. The malicious files are usually written to either the %AppData% or %Temp% folders.

After the malicious binaries are executed, they will scan all mounted drives including removable drives, network shares, and even cloud drive mappings (DropBox, etc.).

Similar to CryptoLocker, when CryptoWall finds a file to encrypt, it adds the full path of that file as a value under a registry key. The registry key that CryptoWall uses is “HKEY_CURRENT_USER\Software\<random>\CRYPTLIST”.

It creates the following files in each folder in which files were encrypted, and on the Windows desktop:

DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.URL
DECRYPT_INSTRUCTION.HTML

When the infection has finished scanning the drives and encrypting what it can, it deletes all of the Shadow Volume Copies that it finds on the affected computer. This step is taken to stop the victim from recovering their files, since shadow volume copies could otherwise be used to restore the encrypted files.

Once your computer’s data has been encrypted, it will display the decryption instruction file that was created on your desktop that contains information about what has happened to your data and instructions on paying the ransom. So, what can you do about this new threat?

Some indicators, and paths, associated with CryptoWall are provided below.

The file paths that have been used by this infection and its droppers are:

C:\<random>\<random>.exe
C:\Users\<user>\AppData\Local\<random>.exe (Vista/7/8)
C:\Documents and Settings\<user>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<user>\Local Application Data\<random>.exe (XP)
%Temp%

Associated CryptoWall Files

%UserProfile%\Desktop\DECRYPT_INSTRUCTION.HTML
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.TXT
%UserProfile%\Desktop\DECRYPT_INSTRUCTION.URL
C:\<random>\<random>.exe

Associated CryptoWall Windows Registry Information

HKEY_CURRENT_USER\Software\<random>\CRYPTLIST
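As an added example (not from the original article), the indicators above can be turned into a read-only PowerShell sweep of a single workstation. The `CRYPTLIST` key, the `DECRYPT_INSTRUCTION.*` note names and the `%AppData%\Local` / `%Temp%` drop locations come from the article; the function name, and the use of the `Win32_ShadowCopy` class to count surviving shadow copies, are assumptions of this example.

```powershell
# Added example: read-only sweep for the CryptoWall indicators listed in the article.
# Indicator paths and key names come from the article; the function itself is assumed.
function Find-CryptoWallIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Registry: CryptoWall lists each encrypted file as a value under
    #    HKCU\Software\<random>\CRYPTLIST, so any CRYPTLIST subkey is suspicious.
    Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cryptList = Join-Path $_.PSPath 'CRYPTLIST'
            if (Test-Path $cryptList) {
                $count = (Get-Item $cryptList).ValueCount
                $findings.Add("Registry: $($_.Name)\CRYPTLIST present ($count file entries)")
            }
        }

    # 2. Ransom notes on the desktop (the same names land in every encrypted folder).
    $desktop = Join-Path $env:USERPROFILE 'Desktop'
    foreach ($ext in 'TXT', 'URL', 'HTML') {
        $note = Join-Path $desktop "DECRYPT_INSTRUCTION.$ext"
        if (Test-Path $note) { $findings.Add("Ransom note: $note") }
    }

    # 3. Executables sitting directly in %LOCALAPPDATA% or %TEMP%, where the
    #    dropper is written. Legitimate software rarely runs from here, but
    #    review each hit rather than treating it as proof of infection.
    foreach ($dir in $env:LOCALAPPDATA, $env:TEMP) {
        Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Executable in user-writable dir: $($_.FullName)") }
    }

    # 4. Shadow copies: CryptoWall deletes them after encrypting, so zero copies on
    #    a volume with System Protection enabled is a secondary signal.
    #    (Enumerating Win32_ShadowCopy needs an elevated session.)
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $findings.Add("Shadow copies present: $($shadows.Count)")

    return $findings
}

Find-CryptoWallIndicators | ForEach-Object { Write-Output $_ }
```

Run it in an elevated session so the shadow-copy count is meaningful; the registry and file checks work as the logged-on user.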
