Security Alert: CryptoWall Ransomware

Fri., September 18, 2015

CryptoWall is a very serious security threat which is emerging on a global scale.  Here’s what you need to know right now!

The Danger: Industry security experts, law enforcement, and technology companies like Secant have unified to warn all organizations about this latest threat. CryptoWall is a virus that encrypts files on a compromised computer and any shared files on a network in an effort to extort money to ‘unlock’ your files.  New variants of the virus are being delivered several times a day, which makes it impossible for major antivirus manufacturers and advanced security vendors to stay ahead of the CryptoWall threat.

The Infection: This tenacious virus uses any means available for delivery. Most commonly it is delivered via an email attachment, which can be anything from a ZIP, PDF, or Microsoft Office file sent by people you know and trust, or via malware-infected online ads.

How to Protect Yourself from CryptoWall: 

  1. Backups are critical: Your best protection is backing up your data. Ensure your critical data is backed up and that you can restore from your backups. Knowing how long it takes to restore your data will give you an indication of recovery time. 
  2. Email and Web Security: Trust but verify. If you receive an email attachment from an unknown sender, do not open the attachment. Even if you receive an email from someone you know but were not expecting the attachment, verify it with the sender by phone rather than email reply.
  3. Limit permissions: CryptoWall will encrypt whatever data is available to the infected user, either locally or on network resources. Limiting access for network users to only the data required for their job minimizes potential damage and reduces backup restoration time.

How to Identify CryptoWall and What to Do

If a CryptoWall infection occurs, it can be identified in two simple ways.

  1. You are unable to open your documents; they are either inaccessible or damaged.
  2. You find files like “HOW TO DECRYPT YOUR FILES” in shared directories telling you how to pay the ransom.  Do not pay the ransom!

If you’ve identified that you are a victim of CryptoWall, here is what you do.

  1. Identify: Verify which user is infected by checking ownership of the ‘HOW TO DECRYPT’ files.
  2. Lock Out: Make sure that the user who is infected is logged out of their workstation and RDS or Citrix sessions.
  3. Restore: When you know you’ve stopped the encryption by identifying all infected users, it’s time to identify which files have been damaged and restore from backups.
  4. Seek Expert Assistance: The best thing you can do is to immediately call Secant and get help as soon as possible. 800-875-4222
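
One way to carry out the Identify step on a Windows file share, and to get a folder list for the Restore step, is the PowerShell sketch below. It is an added example, not a Secant tool; the share path and the file-name pattern are assumptions to adjust for your environment.

```powershell
# Added example: map ransom-note files on a share to the accounts that own them.
# $ShareRoot is a hypothetical path; $NotePattern is an assumed wildcard for the
# "HOW TO DECRYPT YOUR FILES" note name. Change both to match what you see.
param(
    [string]$ShareRoot   = '\\fileserver\share',
    [string]$NotePattern = '*HOW*DECRYPT*'
)

# Find every ransom note under the share; folders we cannot read are skipped.
$notes = Get-ChildItem -Path $ShareRoot -Recurse -File -Filter $NotePattern `
         -ErrorAction SilentlyContinue

# Record the NTFS owner, folder and creation time of each note.
$hits = @(foreach ($note in $notes) {
    [pscustomobject]@{
        Owner     = (Get-Acl -LiteralPath $note.FullName).Owner
        Directory = $note.DirectoryName
        Created   = $note.CreationTime
    }
})

if ($hits.Count -eq 0) {
    Write-Output "No files matching '$NotePattern' found under $ShareRoot"
    return
}

# One row per owner: how many folders were hit, and when the notes
# started and stopped appearing. Each owner is an account to lock out.
$hits | Group-Object Owner | ForEach-Object {
    $times = @($_.Group.Created | Sort-Object)
    [pscustomobject]@{
        Owner     = $_.Name
        Folders   = @($_.Group.Directory | Sort-Object -Unique).Count
        FirstNote = $times[0]
        LastNote  = $times[-1]
    }
} | Sort-Object FirstNote | Format-Table -AutoSize

# Folders containing a note: the list to check against backups when restoring.
$hits.Directory | Sort-Object -Unique
```

Run it again after the listed accounts have been logged out; a LastNote time that keeps advancing means encryption is still in progress under some account.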