Protection from CryptoWall and other Malware

Cryptowall

CryptoWall is a file-encrypting ransomware program that was released around the end of April 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. CryptoWall is also commonly confused with the CryptoLocker and CryptoDefense infections which are also very damaging.

When a computer is first infected with CryptoWall it scans the computer for data files and encrypts them so they can no longer be opened. Once the infection has encrypted the files on the computer's drives it opens a Notepad window containing instructions on how to access the CryptoWall Decryption Service, where you can pay a ransom to purchase a decryption program. Once the infection is removed (and provided you have a good backup system in place) files can at least be restored from the last backup; however, any changes made since that backup will be lost. Clients on a Myrtec Managed Service have their backups, patch levels and antivirus software monitored to minimise the threat and possible damage caused by these infections. There are, however, some additional tips to protect your computer:

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world. This is generally the default configuration on most routers and firewalls, but it may have been changed by IT Administrators or other staff.
  • Enforce a strong password policy and choose a good password. Complex passwords that change regularly make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Turn off and remove unnecessary services and applications. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack. Software used to download illegal data from the internet (such as uTorrent) should also be removed.
  • Always keep your security patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services. This would most likely include Windows Servers, SBS Servers or Web Servers. Software that is no longer supported or updated by its vendor (such as Windows XP) should never be run.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly (by disconnecting the network cable or powering off) to prevent threats from spreading further. Perform an analysis and re-image the computers from recovery media. If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Train employees not to open attachments or click on links in emails unless they are expecting them. Also, do not execute software downloaded from the Internet unless it has been scanned for viruses and is trusted. Simply visiting a compromised Web site can cause infection if certain browser plug-in vulnerabilities (such as those in Java or Flash) are not patched.
  • Continually monitor and test your backups. A backup is only as good as its ability to be restored and there should always be a full backup offsite at all times.
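The attachment rule above (blocking .vbs, .bat, .exe, .pif and .scr files at the mail server) can be tested before it goes live. The following is an added example and not Myrtec's code; it uses only the Python standard library, the sample message is constructed, and it also catches double extensions such as "Invoice.PDF.exe", which the page's list does not mention explicitly.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the page recommends blocking at the mail gateway.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments whose extension is on the block list.

    The whole dotted suffix chain is checked case-insensitively, so
    'Invoice.PDF.exe' is flagged by its final '.exe' and a renamed
    'setup.exe.txt' is flagged as well, since simple filters that only look
    at the last extension are easy to slip past.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads both Content-Disposition and Content-Type names.
        name = part.get_filename()
        if not name:
            continue
        suffixes = {"." + piece for piece in name.lower().split(".")[1:]}
        if suffixes & BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample() -> bytes:
    """Constructed sample message: one benign PDF and one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print("Blocked:", blocked_attachments(build_sample()))
```

A mail gateway would reject or quarantine any message for which the returned list is non-empty and log the filenames for the helpdesk.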

Please contact Myrtec if you would like to discuss running a vulnerability audit or if you would like any more information.