New Ransomware CryptoWall Comes With Nasty Twist
Stu Sjouwerman Jun 9, 2014 at 7:49 AM

There is a new ransomware strain called CryptoWall hitting organizations. In late April, the cyber criminals who developed the CryptoDefense ransomware released a new variant called CryptoWall. This strain is for the most part the same as CryptoDefense, apart from a new brand name, different filenames for the ransom instructions, and a whole new attack vector.

IT security pundits speculated that either the criminals released a new version because CryptoDefense was being blocked by endpoint protection software, or that they sold their source code to another cyber mafia. The bad news is that the earlier vulnerability of CryptoDefense has been fixed, and you can no longer decrypt files that are encrypted by CryptoWall yourself.

This puppy comes with a nasty twist though: it no longer requires a user to open an infected attachment, but uses a fresh vulnerability in Java. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others are leading people to sites that are CryptoWall infected and encrypt their drives. There is a massive attack reported by Cisco, and they have a heatmap with the countries primarily targeted. The US is, predictably, the most affected, with the UK coming in second. The map is at the KnowBe4 Blog.

Since Cisco began blocking the attacks on April 24, its researchers said they had blocked requests to over 90 infected web domains for more than 17 percent of its cloud-security customer base. Mind you, Cisco’s customer base for their cloud web security is really large, so 17% is a big number.

In the meantime, back at the ranch, ransomware granddaddy CryptoLocker has continued to improve the quality of its spear-phishing attacks with fake fax announcement messages that are starting to look very real. They also improved their marketing, as the latest version provides a new feature: a button that gives you the chance to “Decrypt 1 file for FREE”, and it is fully functional. Oh Joy.

If your network gets hit with this, look at the timestamps and owner(s) of the decrypt_instructions files that were written to the (mapped) drives. That’s how you can identify which workstation it originally came from and (re-)train the user. Reformat/reimage their PC (a.k.a. “nuke from orbit”) and restore all the directories that hold those encrypted files. Do a restore from a backup prior to the date you see listed on the file creations.
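As an added example (not code from the post or from KnowBe4), a small Python triage helper that implements the steps above: it walks the mapped drives for the decrypt_instructions notes, takes the owner of the earliest note as the originating user/workstation, and picks the last backup taken before that timestamp. The owner-lookup callback, the drive letters and the sample records are assumptions constructed for the example.

```python
import os
from dataclasses import dataclass
from datetime import datetime

# The post says to look at the "decrypt_instructions" files; match the name case-insensitively.
NOTE_PREFIX = "decrypt_instruction"

@dataclass
class NoteHit:
    path: str
    owner: str         # account that wrote the note (NTFS owner on the mapped share)
    created: datetime  # creation timestamp of the note

def is_ransom_note(filename):
    return filename.lower().startswith(NOTE_PREFIX)

def scan_for_notes(root, get_owner):
    """Walk one mapped drive and collect ransom notes with owner and creation time.
    Owner lookup is platform-specific (e.g. pywin32 on Windows), so the caller injects it;
    note that st_ctime is creation time on Windows but inode-change time on Unix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_ransom_note(name):
                full = os.path.join(dirpath, name)
                created = datetime.fromtimestamp(os.stat(full).st_ctime)
                hits.append(NoteHit(full, get_owner(full), created))
    return hits

def triage(hits):
    """The earliest note identifies the originating user/workstation. Returns
    (owner, first_note_time, notes_per_owner); several owners mean several infected machines."""
    ordered = sorted(hits, key=lambda h: h.created)
    if not ordered:
        return None
    per_owner = {}
    for h in ordered:
        per_owner[h.owner] = per_owner.get(h.owner, 0) + 1
    return ordered[0].owner, ordered[0].created, per_owner

def latest_backup_before(backups, first_note):
    """Most recent backup taken strictly before the first note appeared: the one to restore."""
    candidates = [b for b in backups if b < first_note]
    return max(candidates) if candidates else None

# Constructed sample data standing in for a real scan of mapped drives S: and P:.
SAMPLE_HITS = [
    NoteHit(r"S:\finance\DECRYPT_INSTRUCTION.txt", r"CORP\jdoe", datetime(2014, 6, 2, 9, 14)),
    NoteHit(r"S:\finance\2013\DECRYPT_INSTRUCTION.html", r"CORP\jdoe", datetime(2014, 6, 2, 9, 15)),
    NoteHit(r"P:\projects\DECRYPT_INSTRUCTION.txt", r"CORP\asmith", datetime(2014, 6, 2, 11, 40)),
]
SAMPLE_BACKUPS = [datetime(2014, 5, 31, 23, 0), datetime(2014, 6, 1, 23, 0), datetime(2014, 6, 2, 23, 0)]
```

Run `scan_for_notes` once per mapped drive letter and feed the combined hits to `triage`; a second owner in the result means a second workstation needs the same nuke-from-orbit treatment.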

In case you do not have recent backups, pay the ransom and hope for the best. Surprisingly, these criminals do their best to decrypt your files; it’s their “reputation” after all! But do not waste a crisis like this; use it to your advantage. Strengthen your policies and IT Best Practices. Keep your systems patched and your users on their toes with security top of mind!