Where did my data go?
You might remember a series of viruses (or trojan horses) which “deleted” your data files and charged a ransom to get them back. These were frightening, but not fatal because they only hid files and with the right software you could unhide the files after the machine was disinfected, and all was well.
The cybercriminals have upped their game, taken steroids, and have rolled out a version of the ransom scheme that has some real teeth. Cryptolocker, Simplelocker, CryptorBit, CryptoPrevent and the newer CryptoWall actually encrypt the files on the hard drive with a very hard to break password. When you try to open files, they are corrupted and can’t be read.
Dig a little bit and you’ll find a demand for 300 or 500 Euros in ransom, to be paid by untraceable Bitcoin payment. The longer you wait, the higher the ransom goes.
I have this! What do I do?
First – Immediately shut down, unplug your machine from the network connection, and unplug all USB or other drives attached to it. If you’re lucky, you have caught it before it has spread to all of your files and network drives (see below).
Second – Restart the machine in Safe mode (Win 7: hit F8 repeatedly while booting until the choice to boot in Safe mode comes up; Win 8/10: hold the Shift key down while you Restart with the Power onscreen icon; or otherwise refer to your machine’s instructions for the key combo). Check for files on your desktop or in folders named DECRYPT_INSTRUCTIONS. If you have these, then you know you have been hit and you need to remove the malware. The latest version of Malwarebytes will remove it. Instructions here: https://www.malwarebytes.org/
Third – while the encrypted files themselves are not dangerous, they are also probably irretrievably damaged. You are going to have to restore the machine from backups. Better yet would be to reformat the drive and install Windows from scratch, then retrieve your data files from known-good backups. To get a list of the files locked by CryptoWall, you can use a utility CWall from Bleepingcomputer.com
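The three steps above, as one scripted triage pass to run from Safe mode once the machine is off the network and the USB drives are unplugged. This is an added example, not code from the article, Malwarebytes or Bleepingcomputer: it walks the local disks once, records every ransom note whose name starts with DECRYPT_INSTRUCTION (the article’s DECRYPT_INSTRUCTIONS files), and lists every file written since a time you supply, so you can see which folders were reached before the shutdown. The `$Since` and `$ReportPath` values are assumptions; it uses Windows PowerShell cmdlets available on Win 7 through Win 10.

```powershell
# Added example, not from the original article: a triage scan to run from Safe
# mode once the machine is unplugged from the network and from USB drives.
# It walks the local disks once, noting every DECRYPT_INSTRUCTION* ransom note
# and every file written since $Since, so you can see which folders were
# reached before the shutdown. $Since and $ReportPath are assumed values.

param(
    [datetime]$Since      = (Get-Date).AddHours(-6),          # roughly when the trouble began
    [string]  $ReportPath = "$env:USERPROFILE\Desktop\ransomware-triage.csv"
)

# Local fixed (3) and removable (2) disks only; network drives (4) should be unplugged already.
$disks = Get-WmiObject -Class Win32_LogicalDisk |
         Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }

$notes    = New-Object System.Collections.Generic.List[string]
$modified = New-Object System.Collections.Generic.List[object]
$skip     = [regex]::Escape($env:WINDIR)   # system files churn constantly; leave them out

foreach ($disk in $disks) {
    $root = $disk.DeviceID + '\'
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -like 'DECRYPT_INSTRUCTION*') {
                $notes.Add($_.FullName)
            }
            elseif (-not $_.PSIsContainer -and $_.LastWriteTime -ge $Since -and $_.FullName -notmatch "^$skip") {
                $modified.Add($_)
            }
        }
}

# Ransom notes: one per folder the malware visited, so their folders map the damage.
Write-Host "Ransom notes found: $($notes.Count)"
$notes | Split-Path -Parent | Sort-Object -Unique | Select-Object -First 20

# Recently modified files, oldest first: the order shows how far the run progressed.
$ordered = $modified | Sort-Object LastWriteTime
if ($ordered) {
    Write-Host "Files modified since ${Since}: $($ordered.Count)"
    Write-Host ("First: {0}  {1}" -f $ordered[0].LastWriteTime, $ordered[0].FullName)
    Write-Host ("Last:  {0}  {1}" -f $ordered[-1].LastWriteTime, $ordered[-1].FullName)
    # Folders with the most modified files are the ones to restore first from a known-good backup.
    $ordered | Group-Object { Split-Path $_.FullName -Parent } |
        Sort-Object Count -Descending | Select-Object -First 15 Count, Name
}

# Full list for the restore, the same idea as the CWall utility's list of locked files.
$ordered | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

The modified-file list is only a guide: a file written after `$Since` is not necessarily encrypted, and the report is written to the local desktop, so copy it off before you reformat the drive.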
How do you get infected?
As with most Trojan horse schemes, these rely on tricking you into clicking on an email download or on a web ad to launch the trojan installer. This gives the installer access to anything you can modify under your user permissions.
Why are you still an Admin?
Here is part of the problem. You most likely set up your computer with your own account as the Administrative user, giving yourself full rights to modify the machine (installing programs, deleting files, editing the registry, etc.) whenever you are logged in. Convenient, of course, but this also gives any malicious software the same rights and privileges if you launch it while logged in. Best practice is to have a separate Administrative user for doing software installs and maintenance, and to demote your everyday log-in to a standard account without Admin privileges. Since your existing account is almost certainly an Admin account, you need to set up a second Admin account before you can change your daily account type to Standard user. Now you will have to log out and log back in as the Admin user each time you want to install software, but it also means that the malware cannot act behind your back when you are using your daily login.
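The two-step change described above (create the second Admin account first, then demote the daily one), as an added example that is not from the article. It uses the LocalAccounts cmdlets that ship with Windows 10 and 8.1; for Win 7 the equivalent `net user` and `net localgroup` commands are given in the comments. The account names `$DailyUser` and `$AdminUser` are assumptions, and the script refuses to demote anything until it has confirmed the new account really is an administrator, so you cannot lock yourself out.

```powershell
# Added example, not from the original article: create a separate
# administrator account and demote the everyday account to Standard user.
# Run from an elevated PowerShell ("Run as administrator") on Windows 10/8.1.
# Windows 7 equivalents (net user / net localgroup) are in the comments.
# $DailyUser and $AdminUser are assumed names; substitute your own.

param(
    [string]$DailyUser = $env:USERNAME,   # the account you log in with every day
    [string]$AdminUser = 'LocalAdmin'     # the new maintenance-only account
)

# Refuse to run without elevation; otherwise the group changes fail part-way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as administrator" first.'
}

# 1. Create the second Admin account FIRST, so there is always one administrator.
#    The password is prompted for, never written into the script.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $AdminUser" -AsSecureString
    New-LocalUser -Name $AdminUser -Password $pw -Description 'Software installs and maintenance only' | Out-Null
    # Windows 7:  net user LocalAdmin * /add
}
Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser -ErrorAction SilentlyContinue
# Windows 7:  net localgroup Administrators LocalAdmin /add

# 2. Verify the new account is really in Administrators before touching the daily one.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -notcontains "$env:COMPUTERNAME\$AdminUser") {
    throw "$AdminUser is not in Administrators; not demoting $DailyUser."
}

# 3. Demote the daily account: a Standard user is simply a member of Users
#    and not of Administrators.
Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser -ErrorAction SilentlyContinue
Add-LocalGroupMember    -Group 'Users'          -Member $DailyUser -ErrorAction SilentlyContinue
# Windows 7:  net localgroup Administrators <DailyUser> /delete

# 4. Show who is left with Admin rights. The demotion takes effect at the
#    daily account's next log-in, so log out and back in afterwards.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Log in once as the new Admin account before you rely on it, so you know the password works; after that, a UAC prompt from the daily account will ask for that account's credentials whenever something wants to change the machine, which is exactly the point.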
Why are you still clicking on attachments and web ads and popups?
Make it a habit never to open attachments to emails until you have thoroughly confirmed the source. The latest trojans spread through any number of plausible Email messages, including “EFax” messages with attachments and phony PDF “invoices” or bank statements.
Web advertisements can be poisoned with malware, even if they are appearing on reputable websites (CryptoWall poisoned ads reportedly appear on sites including Disney, Facebook, and The Guardian). Many websites rent space on their page to advertising syndicators who then place ads from their clients into the page (without the site owner knowing necessarily what is going to appear). Criminals can easily put together a plausible looking ad for a product or service, which automatically redirects to a malware downloader.
You should be using Firefox with NoScript (see more info)
Blocking scripts from running doesn’t make you bulletproof, but it can alert you to unintended scripts trying to run on web pages, and it can block auto-running (drive-by download) script exploits.
I have antivirus software running, I should be fine, right?
Check that assumption at the door, along with the tinfoil hat.
First, an antivirus program generally does not protect you from installing software when you have initiated the install yourself (whether you knew what you were in for or whether you didn’t).
Second, AV software is continually playing catch-up with the criminals, and is always a step behind. Numerous organizations have been stung with CryptoWall even though they were running a commercial suite of AV software, including Symantec, AVG and TrendMicro.
Of course, keep your AV software up to date and active – just don’t rely on the assumption that it will catch everything.
Well, I have a backup. It’s a drag that I have to reformat and reload my operating system, but can’t I just restore my files and carry on?
This is a nice idea, and brownie points for having an up to date backup. But here’s where it gets really good — CryptoWall doesn’t just encrypt your files, it also encrypts any files on drives or on the network that your user has access to. You see that shiny new USB hard drive – or that Network Attached Storage (NAS) server on the network – that you installed to make sure that your files were securely backed up? If it’s set up to be online with your machine, and your user has write privileges, then chances are that CryptoWall will corrupt all your files on the backup, as well.
The malware goes through your folders and files in alphabetic order, so it will hit your Drive C: first. If you are lucky and stop it early, it may not have progressed to your backup drives and network drives.
Offline periodic backup is your saviour
So the CryptoWall malware can corrupt your machine and any backups that are online at the time. What the program cannot do is to encrypt a drive that is offline – that is, not attached and not running.
This means that it is even more important for you to have a backup drive (or three) that takes periodic backups of your machine, or of your NAS or fileserver, and then is turned off and disconnected, and/or taken offsite. I like some relatively inexpensive 3 or 4 TB USB external hard drives for this. They can be written to and then physically unplugged and/or carried offsite. Most NAS storage units these days have USB ports that you can use for writing a backup of the NAS unit.
Another option is to use cloud storage to keep your most important data offsite. The downside of cloud is that it is slow to write files to, can be limited in space and is tied to the performance of your internet connection.
I also like to recommend that data that is not being changed on a regular basis be burned onto DVD recordable disks for cataloging. Good candidates for DVD-R are any data which is archival, or time-based, such as accounting month- and year-end files, photos, archived documents, completed projects, and emails. The DVD-R provides a non-changeable snapshot in time of the files. They are cheap enough that you can burn multiple copies, and small enough to stash in a safe deposit box.
Whichever methods you use, remember one thing – if you back up data which has already been corrupted, then you will have a backup of corrupted data. So as soon as you discover that you have any corruption problem, stop the backup process immediately and turn off any backup schedules. Nothing is more disheartening than finding out you have been hit, and then finding out that you just ruined your last good backup by overwriting it with bad data.
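The offline-backup rules from the last few paragraphs, put into one script as an added example that is not from the article. It copies a folder to an external USB drive into a dated snapshot folder (so an earlier good snapshot is never overwritten), refuses to run and disables the scheduled backup if it finds a ransom note in the source (the "stop the backup immediately" rule), and ends by telling you to unplug the drive, because the backup is only safe once it is offline. `$Source`, `$BackupRoot` and `$TaskName` are assumed values; `Disable-ScheduledTask` needs Windows 8 or later, and the Win 7 `schtasks` equivalent is in the comment.

```powershell
# Added example, not from the original article: a backup run to an external USB
# drive following the article's rules. Dated snapshot, no mirroring, preflight
# check for ransom notes, schedule disabled on trouble, unplug reminder at the end.
# $Source, $BackupRoot and $TaskName are assumed values; change them to suit.

param(
    [string]$Source     = "$env:USERPROFILE\Documents",
    [string]$BackupRoot = 'E:\Backups',        # the external USB drive
    [string]$TaskName   = 'NightlyBackup'      # your scheduled backup task, if any
)

# 1. Preflight: a ransom note anywhere in the source means the data is already bad.
#    Backing it up now would overwrite the last good copy with encrypted files.
$note = Get-ChildItem -Path $Source -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'DECRYPT_INSTRUCTION*' } | Select-Object -First 1
if ($note) {
    Write-Warning "Ransom note found at $($note.FullName). Not backing up; disabling the '$TaskName' schedule."
    Disable-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue | Out-Null
    # Windows 7:  schtasks /Change /TN NightlyBackup /DISABLE
    exit 1
}

# 2. The external drive must actually be attached (it is offline the rest of the time).
if (-not (Test-Path -Path $BackupRoot)) {
    throw "Backup drive $BackupRoot is not attached. Plug it in and rerun."
}

# 3. Each run gets its own dated folder, so older snapshots stay intact.
$dest = Join-Path $BackupRoot ('Documents-' + (Get-Date -Format 'yyyy-MM-dd_HHmm'))

# robocopy: /E copies subfolders, /R:1 /W:1 stop locked files from stalling the run,
# /NP /NDL keep the log readable. Deliberately NOT /MIR, which would delete files
# from the backup that have disappeared (or been renamed) on the source.
robocopy $Source $dest /E /R:1 /W:1 /NP /NDL /LOG+:"$BackupRoot\backup.log"

# robocopy exit codes: 0-7 are success variants (files copied, extra files, etc.);
# 8 and above mean some files failed to copy or the run aborted.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); see $BackupRoot\backup.log"
}

# 4. The snapshot is only a safe backup once the drive is disconnected.
Write-Host "Snapshot written to $dest."
Write-Host "Now use 'Safely Remove Hardware', unplug the drive, and store it offline."
```

Because the drive is online while this runs, the preflight check is what keeps a half-encrypted machine from poisoning it; if you rotate two or three drives as the article suggests, a snapshot on the drive that was in the cupboard is still good even if this run catches the infection too late.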
Also make sure that your Java and Web browser software is completely up to date, as one of the vectors for drive-by downloads is unpatched Java and browser code. Or disable Java entirely.
And, in case I have to remind anyone, do not click on web ads or Google search results claiming to repair or remove CryptoWall or Cryptolocker – the chance that these themselves are malware download sites or bogus AV software sales sites is significantly higher than zero.
More information
Malwarebytes Cryptolocker blog
http://en.wikipedia.org/wiki/CryptoLocker