A Guide to Preventing and Recovering From CryptoWall

CryptoWall and its variants are classified as Trojans in that their malicious intent is masked by something that appears legitimate. CryptoWall encrypts files on the victim's computer in order to extort payment for the key needed to decrypt them. This tactic is alarmingly effective, as shown by the numerous variants of CryptoWall that all perform the same function.

CryptoWall is designed to run undetected and therefore only attempts to encrypt the file types most likely to contain user data, using the RSA-2048 encryption algorithm. This algorithm is exceptionally strong and is impossible to crack with current computational power. The list below shows the file types that CryptoWall is most likely to encrypt.

  • OpenDocument Text
  • OpenDocument File
  • OpenDocument Presentation
  • Word Document
  • Excel Workbook
  • PowerPoint Presentation
  • Access Database
  • Text Document
  • PDF Document
  • Outlook Address Book
  • Outlook Personal Folders
  • Outlook Offline Folders
  • QuickBooks Company File
  • 3D Studio Images
  • RAW Image Format
  • Photoshop Document
  • Paint Shop Pro Image
  • JPEG Image
  • BAK Files
  • Java
  • C Source
  • C++ Source
  • Adobe Flash
  • Perl Script
  • AVI Video
  • Flash Video
  • MP4 Video
  • MP3 Audio
  • Wave Format Sound
  • FLAC Audio
  • Windows Media

How One Gets Infected

Like most forms of malware, CryptoWall typically spreads via a malicious email attachment, commonly disguised as a PDF document. Other sources of infection include a malicious web site that employs a drive-by download, or a malicious advertisement.

Once the PC is infected, the malware begins by connecting to a ransom server, to which it sends some basic information about the infected PC. This information includes things like the public IP address, geographic location, system configuration and operating system information. The server uses this information to generate a unique identifier for the computer as well as a pair of random 2048-bit RSA keys. CryptoWall then copies the public key to the computer and begins the process of encrypting files.

The malware first enumerates all mounted drives. This can include any internal hard drives, external hard drives or flash drives that are plugged in as well as any network drives which are mapped to a drive letter. Additionally, if you have your Dropbox account mapped as a drive letter, that location can also be encrypted. The rule of thumb is, if it has a drive letter, it can get encrypted. Any cloud storage services that store files locally will be affected since changes to the files will propagate to the cloud.

Once the encryption process has completed, some variations of CryptoWall will stop the Volume Shadow Copy Service (VSS) which can be found on all versions of Windows dating back to XP. VSS is responsible for the backup and restoration of files on a computer. It allows a file to be backed up even if that file is in use. A feature introduced in Windows 7, known as File Versioning, is also controlled by VSS. The purpose of File Versioning is to allow a file to be rolled back to a previous version should there be an unintended change to the file. CryptoWall stops this service and goes on to delete all shadow copies, rendering this method of recovery useless.

How Can I Prevent It?

As with all other malware, preventing CryptoWall is relatively easy. It starts with using a good antivirus program. Ideally, the definitions should update automatically and it should offer a real-time scanner that scans files any time they are touched. Coupled with your antivirus program should be a good anti-malware program. Again, this should have automatic definition updates and a real-time scanner.

Once you have that covered, a good backup strategy will be key. While some variations have been known to encrypt backup archives, it still isn't a bad idea to have a good local backup. Pairing that with a cloud-based backup solution that allows versioning will leave you best equipped to recover should you get infected. If cloud-based backup sounds expensive, keep in mind that the ransom to retrieve your files pays for 8 years of CrashPlan.

If you’re an IT administrator or wish to further protect your PC, consider software restriction policies. These can be implemented in Group Policy if you’re on a corporate network or Local Security Policy if you want to protect your home PC. Whether you’re a home user or an IT admin, the process is very similar.

  1. Open Local Security Policy
  2. Right click on Software Restriction Policies and select New Software Restriction Policies
  3. Right click on Additional Rules and select New Path Rule
  4. Add a path rule for each of the paths below

Block executable in %AppData%

Path: %AppData%\*.exe
Security Level: Disallowed

Block executable in %LocalAppData%

XP Path: %UserProfile%\Local Settings\*.exe
Vista+ Path: %LocalAppData%\*.exe
Security Level: Disallowed

Block executable in subfolder of %AppData%

Path: %AppData%\*\*.exe
Security Level: Disallowed

Block executable in subfolder of %LocalAppData%

XP Path: %UserProfile%\Local Settings\*\*.exe
Vista+ Path: %LocalAppData%\*\*.exe
Security Level: Disallowed

Block executables run from archive attachments opened with WinRAR:

XP Path: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Vista+ Path: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed

Block executables run from archive attachments opened with 7zip:

XP Path: %UserProfile%\Local Settings\Temp\7z*\*.exe
Vista+ Path: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed

Block executables run from archive attachments opened with WinZip:

XP Path: %UserProfile%\Local Settings\Temp\wz*\*.exe
Vista+ Path: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed

Block executables run from archive attachments opened using Windows built-in Zip support:

XP Path: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Vista+ Path: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed

These rules can cause issues when running some legitimate applications. Spotify comes to mind here. Additionally, they can block attachments from being opened from within an email client.
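Clicking through twelve rules by hand is error-prone, so here is an added PowerShell script (not part of the original post) that creates the Disallowed path rules above as local Software Restriction Policy entries. It assumes the SRP node already exists (step 2 above), that it runs elevated, and that SRP stores path rules under `CodeIdentifiers\<level>\Paths\{GUID}` with `ItemData`, `SaferFlags` and `Description` values; treat that registry layout as an assumption and confirm the result in Local Security Policy afterwards.

```powershell
# Added example, not the post's own code. Assumed SRP registry layout:
# CodeIdentifiers\0\Paths\{GUID} holds one "Disallowed" path rule each.
$Base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Base '0\Paths'

# Vista+ paths from the post. On XP replace %LocalAppData% with
# %UserProfile%\Local Settings before running.
$Rules = @(
    @{ Path = '%AppData%\*.exe';                 Desc = 'Block executable in %AppData%' },
    @{ Path = '%LocalAppData%\*.exe';            Desc = 'Block executable in %LocalAppData%' },
    @{ Path = '%AppData%\*\*.exe';               Desc = 'Block executable in subfolder of %AppData%' },
    @{ Path = '%LocalAppData%\*\*.exe';          Desc = 'Block executable in subfolder of %LocalAppData%' },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';  Desc = 'Block executables from WinRAR temp folders' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';   Desc = 'Block executables from 7zip temp folders' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';   Desc = 'Block executables from WinZip temp folders' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Desc = 'Block executables from built-in zip temp folders' }
)

if (-not (Test-Path $Base)) {
    throw "SRP not initialised: run 'New Software Restriction Policies' (step 2) first."
}
if (-not (Test-Path $Disallowed)) { New-Item -Path $Disallowed -Force | Out-Null }

# Collect paths already present so the script can be re-run without duplicating rules.
$Existing = Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }

foreach ($r in $Rules) {
    if ($Existing -contains $r.Path) { Write-Host "exists: $($r.Path)"; continue }
    # Each rule lives in its own GUID-named subkey; ItemData is REG_EXPAND_SZ so
    # %AppData% and friends expand per user at enforcement time.
    $key = Join-Path $Disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $r.Path -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0       -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value $r.Desc -PropertyType String       | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::Now.ToFileTime()) -PropertyType QWord | Out-Null
    Write-Host "added:  $($r.Path)"
}
```

Log off and back on (or reboot) before testing, and keep the Spotify and email-attachment caveat above in mind when checking that legitimate software still launches.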

How to Tell if Your PC is Infected

Typically, there are a few signs that indicate you have been hit with CryptoWall. These may include:

  • An error message stating that the file cannot be opened when you try to open files.
  • Some variants append an extension such as “.ccc”, “.abc” or “.xyz” to the files. This serves to make it more obvious that something is wrong with your PC.
  • You see files named “HELP_DECRYPT” or “DECRYPT_INSTRUCTION” on your computer.

If you open either of those files, you will be provided with instructions on how to recover your files. Typically this requires going to a specific web site and paying the ransom using Bitcoin. The ransom starts at $500 and doubles to $1000 after a predetermined amount of time. After the ransom doubles, there will be a cutoff date. Once that date is reached, the remote server will delete your private key and decryption program, making recovery impossible.

Ok, I’m Infected. Now What?

The first thing you want to do is disconnect your PC from the network. This prevents the virus from spreading to other PCs on the network and encrypting mapped network drives. Next, restart the PC and boot it into safe mode. Using a computer with an internet connection – and one that is not infected – download anti-malware utilities and their offline definition updates. Ones I like to use for this type of infection are Malwarebytes Anti-Malware and Combofix. Let both of these tools run and clean out the infection. You may need to perform additional scans with different scanning tools.

Once you clean your PC of the virus, the next step is to restore your files from backup. This is where having a good backup strategy in place really pays dividends. If you don’t have any backups, recovery becomes very difficult or impossible.

One option is to simply pay the ransom. I personally hate this option because paying the ransom only proves CryptoWall’s effectiveness. This should be avoided at all costs.

Since CryptoWall creates a copy of the file and encrypts that before deleting the original, you may be able to recover the deleted file by using a third party file recovery tool like Recuva. This method is limited in its effectiveness and only becomes more difficult the longer you use your PC after the infection has taken place. The way file deletion works is that only pointers to the file in the operating system are erased. The data is still physically on the disk. Recovery utilities read this physical data and attempt to recover files provided they haven’t been overwritten. This method WILL NOT WORK if your data was stored on a solid state drive or flash drive.

You may get lucky and either have a variant that doesn’t disable VSS and delete shadow copies or the virus simply wasn’t able to perform this task. If this happens, you could restore your files using shadow copies, previous versions or system restore.
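To check both things quickly, the signs of infection listed earlier and whether any shadow copies survived, here is an added read-only triage script (not part of the original post). It assumes an elevated PowerShell 3 or later on the isolated PC; the note names and extensions are the ones the post mentions, so a clean result here does not rule out a variant that uses different names.

```powershell
# Added example, not the post's own code. Read-only: nothing here modifies files.
param([string]$Root = $env:USERPROFILE)

# Indicators from the post; extend these lists if your variant differs.
$NoteNames  = @('HELP_DECRYPT*', 'DECRYPT_INSTRUCTION*')
$Extensions = @('.ccc', '.abc', '.xyz')

$files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue

# Ransom notes are dropped into every folder the encryptor visited.
$notes = $files | Where-Object {
    $name = $_.Name
    ($NoteNames | Where-Object { $name -like $_ }) -ne $null
}
# Data files with one of the appended extensions.
$renamed = $files | Where-Object { $Extensions -contains $_.Extension.ToLower() }
$hitDirs = @($notes | Select-Object -ExpandProperty DirectoryName -Unique)

Write-Host ("Ransom note files : {0}" -f @($notes).Count)
Write-Host ("Renamed data files: {0}" -f @($renamed).Count)
Write-Host ("Folders with notes: {0}" -f $hitDirs.Count)
$hitDirs | Select-Object -First 10 | ForEach-Object { Write-Host "  $_" }

# If the VSS service is still running and shadow copies remain, Previous
# Versions or a shadow-copy restore may still be possible.
$vss     = Get-Service -Name VSS -ErrorAction SilentlyContinue
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$vssState = if ($vss) { $vss.Status } else { 'not found' }
Write-Host ("VSS service       : {0}" -f $vssState)
Write-Host ("Shadow copies left: {0}" -f $shadows.Count)
foreach ($s in $shadows) {
    # InstallDate shows whether a copy predates the infection.
    Write-Host ("  {0}  {1}" -f $s.InstallDate, $s.VolumeName)
}
```

Run it against each drive letter in turn (`-Root D:\`), since the post notes that anything with a drive letter can be encrypted.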

Remember that it is very important to thoroughly clean the computer of infection before restoring files. Otherwise the virus could start encrypting files again and you'll be right back where you started.

Have you been affected by CryptoWall? How did you recover from it? What practices do you take to prevent it in the future?