CryptoWall, the world’s most destructive ransomware, is back with a vengeance! The fourth iteration of the world’s worst ransomware, CryptoWall, has surfaced again, and it is packing a one-two punch: gnarlier encryption tactics and better evasion tricks that have fooled most current antivirus platforms.
Ransomware has ravaged the business community, usually attacking end-user machines in targeted attacks that have literally cost millions of dollars in ransom payments made to criminals who have illegally encrypted mission-critical files. The ransom fee is minuscule compared with the lost wages and productivity suffered by these organizations!
The worst offenders remain at large, including a single group that may be behind CryptoWall 3.0 and has made some US$325 million this year, according to the Cyber Threat Alliance, dwarfing FBI June figures which noted that it extorted some US$18 million from US victims alone in about a year.
Andra Zaharia of Denmark-based Heimdal Security says CryptoWall 4.0 is employing “vastly improved” communications and better code, so it can exploit more vulnerabilities. “Cryptowall 4.0 still includes advanced malware dropper mechanisms to avoid antivirus detection, but this new version possesses vastly improved communication capabilities,” Zaharia says. “It includes a modified protocol that enables it to avoid being detected, even by second generation enterprise firewall solutions. This lowers detection rates significantly compared to the already successful Cryptowall 3.0 attacks.”
For example, the nasty-ware now alters filenames as well as file contents, so it is harder for victims to work out what has been encrypted. Ransom payments in the latest version are badged as a price tag for security software. Net scum are still communicating with CryptoWall 4.0 over Tor and using hacked web pages to deliver payloads that include botnet componentry to assist further malware delivery. Actors have tried various tactics to get ransomware onto machines and thwart backup efforts.
One of the most unusual was a variant that silently encrypted and decrypted databases on the fly in a bid to avoid detection. That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key. Another, revealed last week, threatened that user data would be published online if a ransom was not paid. There is no indication the Chimera ransomware lived up to that capability, according to analysis.
Best efforts at protecting against CryptoWall include a combination of software, administrative, and training strategies. Data backups and strong retention policies are still your best option for recovering from an attack. A strong administrative policy is also crucial: the average business user usually does NOT need to be able to install or launch executables. Eliot Vancil of Dallas, TX-based Network Logic says, “While we can no longer rely solely on traditional AV software, it’s still important to have a comprehensive software security stack. Many times this includes not only desktop AV, but also malware detection, firewall level security, global threat products like OpenDNS Umbrella, and even whitelisting software like Lumension Endpoint Protection.”
It is critically important that you continually train your staff on the importance of NOT opening emails, and especially attachments, that they are not expecting. Companies like PayPal, eBay, and Bank of America will NEVER ask you to launch an attached file to update your account information. If you suspect that the email is legitimate, go to the website in question and log in. If it is something they need, they will ask you for this information when you log in. Unfortunately, even these best efforts are not foolproof, and occasionally it happens. When you have to pay a ransom, it will be in Bitcoin. If this is your first time buying Bitcoin, the purchase can take up to a week to go through. Your business cannot afford to be down. It is a good idea to have a few Bitcoins purchased in advance, just in case.
Organizations have to be vigilant in all these areas to stand a chance against these emerging threats. Network Logic is ready to help you navigate these treacherous waters.