CryptoWall & Other Virus Threats Are Steadily Growing – Hitting Businesses Left and Right. Do You Know How to Protect Yourself?

CryptoWall is a ransomware/Internet malware threat that can be very disruptive and costly to those that become infected. Once infected, all files on the user’s workstation and server(s) are encrypted and can no longer be used. The threat is categorized as ransomware because, once the infection occurs, the victim is presented with a means with which to remove the threat and recover (decrypt) files by paying a ransom within a certain timeframe (often $500, $1000, or more). While paying the ransom can result in receiving the code to decrypt files, there’s no guarantee.

How does CryptoWall work?

The threat typically arrives via:

1. A carefully crafted email (typically spam) that entices the reader to click on a link.  This link will direct the machine to a site that will download and execute CryptoWall.
2. A website that has been compromised wherein CryptoWall will be downloaded and executed when the user unknowingly visits the compromised website.

Keep in mind, there have been reports that CryptoWall has been linked to some advertising sites that serve up advertising for many commonly used web sites.  If this situation occurs, following a link to what seems like a reputable site may cause an infection. There have also been reports that a compromised site may display a “faux pop-up” in an attempt to get the user to click on it.

As you might expect, spam engines are updated continuously, trying to eliminate spam and email that contains threats.  However, the “bad guys” are always trying to stay a step ahead of the spam removal systems and are continually re-crafting their emails to avoid detection and to entice the reader to click on a link that will cause the infection.

How will I know if my systems become infected?

There are a couple of ways the ransomware presents itself:

1. If you attempt to open certain file types (such as doc. xls, pdf, etc.), you will see garbled data or receive an error message.
2. The most common indication is that you will find three files at the root of every directory that contains files that were encrypted by CryptoWall:

*DECRYPT_INSTRUCTION.txt

*DECRYPT_INSTRUCTION.html

*DECRYPT_INSTRUCTION. url

If you click on any of these files, instructions will be presented regarding how to make the ransom payment.

What should I do if I think I’m infected?

If you believe you have been infected, physically disconnect your PC from the network immediately and contact CSP at (919) 424-2060. Depending upon your individual situation and the extent of the damage to your network resources, CSP will recommend the proper remediation steps.

If you suspect you have any other type of virus or malware infection, you should also contact CSP at (919) 424-2060 and CSP will recommend the proper diagnosis and remediation steps.

If you have opted to utilize the CSP-managed antivirus system, please be aware that CSP will automatically receive an alert if an infection is detected and will contact you to gather more information and to assist with remediation.

What can I do to prevent an infection?

The best way to prevent infection is to follow the following basic “safe computing practices:”

1. Only open emails and attachments from senders you know and trust: Cybercriminals rely on you to help them infect your computers. Do not open the following types of email attachments unless you’re positive they’ve come form a trusted sender:

• Executables – ending in .exe
• Zip file folders – ending in .zip
• Portable document files – ending in .pdf

2. Beware of unexpected emails that indicate urgent and/or important details: Spammers have refined their “human engineering skills” to entice users to click on links for more information. Beware of urgent and/or important email subjects, such as:

• “Your order has been canceled”
• “Your shipment has been delayed”
• “Your password has expired”
• “Your account has been blocked”

3. If something you receive in an email or that you come across online seems ‘too good to be true,’ is ‘free,’ or peaks your curiosity without basis, AVOID it completely: Do not download software or follow the directions of a suspicious pop-up screen.  Nothing is ‘free’ in today’s world . . . and clicking on a pop-up may initiate an infection.
4. If you receive an email from a financial institution or bank asking for information, do not click on any links in it:If you think it may be legitimate, go directly to your bank’s website to log in or call your bank on the phone.  Use these safe alternatives to verify any messages from a financial institution.
5. Only visit websites you know and trust: Enter website addresses directly into your browser and don’t click through multiple links on websites or advertisements to find your way to your final website destination. This will ensure that you actually land on the website you intended to visit and not a copy-cat site designed to either infect your machine or to steal your personal information.
6. If you are not sure about something you receive in an email or come across online, STOP immediately and contact CSP support at (919) 424-2060 for assistance: We are always here to help you.
7. Leave your workstations and laptops on at night to ensure you receive security updates and patches: CSP now checks workstations and laptops each night to see if there are any security updates that need to be downloaded and installed.  Starting at 8:00 PM Eastern Time each night, CSP systems interrogate each device that is powered on and downloads any necessary updates.  Beginning at 10:00 PM, any downloaded updates are installed.  All installs should be completed by midnight.  You should disable power management features on laptops to ensure that they stay “on” to receive the updates.  Please leave any powered on devices logged off.
8. Never update Adobe Flash from a web site other than Adobe: Counterfeit sites can offer to download Flash and then download an infected file. CSP performs patching/updates for certain third party applications, specifically Adobe Flash and Java, so you should not have to perform these updates yourself.  In some cases, updating these applications can cause issues with certain business applications. CSP does not update third party applications if we know this is the case.  If you suspect that this will be an issue, please contact CSP support to discuss.

How can I minimize loss of data in the event of infection?

The answer is simple: have up-to-date backups stored offsite. In most of the CryptoWall infections that CSP has responded to, the client has maintained a robust backup process managed by CSP.  When CryptoWall was detected and the threat removed from the systems, the most recent backup was restored and minimal data loss was experienced.  No payment of ransom was required.

Additionally, it is imperative that machines stay up-to-date with Microsoft updates, antivirus updates, third party software updates, etc. CSP-managed systems are set up to keep these machines up-to-date, if the machines are left on periodically at night (as described above) to receive the updates.

In summary…

The bad guys will continue to try to find new ways to make money by infecting your systems to either convince you to pay a ransom or steal your private information in an effort to make money (or take money) from your or your customer’s accounts. By putting the right protections in place and then following safe computing practices, you can prevent most infections and minimize the impact of those you and your users do get.

CSP would be happy to discuss your IT security needs. Please do not hesitate to contact us at (919) 424-2000 or send us an email: info@cspinc.com. Stay safe, and as always, thanks for choosing CSP!  

Michael Bowman
Virtual CIO
CSP, Inc.
919-424-2008
mbowman@cspinc.com