Virus Alert & Analysis: Cryptowall

We were asked to help someone this morning as all of their files had been encrypted by the Cryptowall virus. Unfortunately we can't do anything to reverse the encryption of the files, as this is one of the best-designed examples of ransomware out there, but we can detail the infection to you and learn something about business network design.

To get onto the target computer, a piece of dropper software (installed by using an exploit in a browser on a website) executes and scopes out the machine. It then downloads the Cryptowall executable, which contacts its command server; a public key is generated and the software uses that key to encrypt all the files. The matching private key never arrives on the victim's machine, which is why nothing on the infected PC can undo the encryption. It then leaves a message asking for 500 EUR to get a decryption program and the private key.

This is bad (obviously), but the most dangerous situation comes if the machine is connected to any shares on the network. It turns from a small isolated PC being damaged into a large fileserver with centralised company data being damaged, because the software goes through these shares and encrypts every file the logged-in user has write access to, possibly destroying everything if no backups are taken.

Today was lucky - we had backups (never pay these guys) and the damage was minimal due to the user's very low rights, but it still took a while to clear up. Unfortunately these attacks are only going to get more sophisticated, and we strongly recommend that people either properly secure their public shares with fine-grained permissions (read-only for everyone, write only for the group that actually owns the data) to limit the damage if the worst should happen, or use some sort of wrapper around the filesystem (like Sharepoint) and discard the Windows shares altogether, so that an infected workstation never holds direct write access to the company's data.
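As an added example (not code from the original post), the following PowerShell script audits the shares on a Windows file server for exactly the weakness described above: share-level or NTFS grants that let broad groups such as Everyone or Domain Users write. It assumes the SmbShare module (Windows Server 2012 / Windows 8 or later) and is run elevated on the file server itself; the share name Finance and the group DOMAIN\Finance-Writers in the remediation sketch are placeholders.

```powershell
# Added example: find SMB shares where a broad group can write, i.e. where
# ransomware running as any ordinary user could encrypt the contents.
# Assumes the SmbShare module and an elevated session on the file server.

$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"   # assumption: domain-wide user group
)

# NTFS rights that allow overwriting existing files.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-BroadPrincipal([string]$Identity) {
    foreach ($p in $BroadPrincipals) {
        if ($Identity -ieq $p) { return $true }
    }
    return $false
}

$Findings = @()

# Skip the administrative shares (C$, ADMIN$, IPC$), which are marked Special.
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # Layer 1: share permissions. 'Change' or 'Full' is enough to overwrite.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Change', 'Full') -and
            (Test-BroadPrincipal $ace.AccountName)) {
            $Findings += [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
            }
        }
    }

    # Layer 2: NTFS permissions on the share root. Share permissions can be
    # wide open and NTFS still saves you, so both layers must be checked.
    # (Generic-right ACEs such as GENERIC_WRITE are not decoded here.)
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            (($rights -band $WriteRights) -ne 0) -and
            (Test-BroadPrincipal $ace.IdentityReference.Value)) {
            $Findings += [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'NTFS'
                Principal = $ace.IdentityReference.Value
                Right     = $ace.FileSystemRights
            }
        }
    }
}

$Findings | Format-Table -AutoSize

# Remediation sketch for one finding (placeholder names): replace a broad
# 'Change' share grant with Read for everyone and Change only for the
# group that owns the data. Repeat the idea in the NTFS ACL.
#
# Revoke-SmbShareAccess -Name 'Finance' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'Finance' -AccountName 'Everyone' -AccessRight Read -Force
# Grant-SmbShareAccess  -Name 'Finance' -AccountName 'DOMAIN\Finance-Writers' -AccessRight Change -Force
```

Run it before and after tightening the shares: an empty findings table means no broad group can write at either layer, so a single infected workstation can only damage what its own user was explicitly granted. The NTFS check only looks at the share root, so folders further down with their own permissions still need a pass of their own.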

Oh, and always - antivirus, app whitelisting (if on a domain) and, most importantly, education and awareness of your users go a long way towards preventing the infection in the first place!