"CryptoWall 4.0 is the latest encrypting ransomware out right now and we've already observed it spreading. With the huge 'success' of CryptoWall 3.0, I anticipate this variant to be the number one threat to watch out for going into 2016." – Tyler Moffitt, Sr. Threat Research Analyst, Webroot
Yep, it's back. According to researchers at Heimdal Security and Bitdefender, CryptoWall has returned, and version 4.0 - the latest release - is more aggravating than ever. Here's what business owners need to know to educate their clients and technicians.
Yesterday, I stumbled across the announcement in this article written by Bleeping Computer's editor, Lawrence Abrams. In his post, Abrams describes the features that make CryptoWall 4.0 your newest IT headache. So what sets this new version of ransomware apart?
What You Need to Know about CryptoWall 4.0
It has a New Name.
And that name is the help_your_files ransomware. Translation: "We're holding your files hostage. What are you gonna do about it?" Threat watchers discovered the resurgence of CryptoWall after receiving and examining multiple complaints from concerned users who hadn't heard of this strain of ransomware. So if your technicians are fielding calls with the same quandaries, let them know what they're dealing with. Additionally, update your File Screening to include the "help_your_files" phrase, since the ransom notes carry that name.
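Here is what that File Screening update looks like on a Windows file server running File Server Resource Manager (FSRM). This is an added example, not something from the article or from Bleeping Computer; the share path, the group and screen names, and the event text are placeholders you would adjust for your own environment.

```powershell
# Added example (not from the article): create an FSRM file group and an
# active file screen that blocks, and raises a Warning event for, any file
# whose name contains the "help_your_files" ransom-note string.
# Requires the File Server Resource Manager role and its PowerShell module.
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares'                        # assumed: root of the protected share
$groupName = 'Ransom note - CryptoWall 4.0'     # assumed: file group name

# File group matching the ransom-note filename pattern named in the article.
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName `
        -IncludePattern @('*help_your_files*') `
        -Description 'CryptoWall 4.0 ransom note filenames'
}

# Notification: write a Warning to the Application event log so your RMM or
# SIEM can page a technician. The bracketed tokens are FSRM's own variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'File screen hit: [Source Io Owner] tried to write [Source File Path] on [Server]. Possible CryptoWall 4.0 activity on [File Screen Path].'

# Active screen (-Active): denies the write and fires the notification.
if (-not (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName `
        -Active -Notification $eventAction
}

# Verify what is now in place on the share.
Get-FsrmFileScreen -Path $sharePath | Format-List Path, IncludeGroup, Active
```

One caveat for your technicians: the screen only denies the ransom note's creation and raises the event. It does not stop the encryption of the other files on the share, so treat the event as a tripwire that tells you which user and workstation to isolate, and rely on backups for recovery.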
The Attack Vector is Still Email.
End users. When will they ever learn? While hacking schemes have certainly become more sophisticated over the years, sometimes it seems like an attacker could include a malicious link with "DON'T CLICK THIS - IT'S INCREDIBLY PHISHY" anchor text in size 72 pt. Comic Sans font...and people would still click it.
This is just another example of attackers exploiting the same user behavior. People have not learned and will not learn unless you teach them. Consider sending clients an email describing the top X ways attackers are targeting their inboxes and what NOT to do. Make sure to express the consequences in terms they'll understand - dollars and cents. With ransomware, the cost is not just the price of their locked data, but the time it takes to unlock it.
Filenames of Encrypted Files are Now Encrypted.
Now, your clients won't know which files they're locked out of. Filenames will appear as a random hodgepodge of letters and numbers, such as "2d8rm6.3a" and "7ahnw3c.2701u". LSKDFJLSDFJLSJ923293.ugh! By introducing another layer of encryption, attackers are banking on increased frustration from their victims, which might make infected clients even more desperate to pay the bitcoin ransom...before calling you. Act as their virtual Chief Information Officer (vCIO) and teach your end users about ransomware before they get hit. And don't just tell them, show them. Include screenshots of the encryption process. Browse our MSPedia article if you're looking for a digestible, high-level overview of the state of cybercrime today to pass on to clients!
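Because the encrypted names tell the victim nothing, the technician's first job is often finding out which folders were hit. The following is an added example, not code from the article: it walks a share and flags folders holding many files whose names fit the random "2d8rm6.3a"-style shape described above. The regular expression and the threshold are assumptions based on the two sample names in the article, not a published CryptoWall 4.0 indicator, so expect to tune them.

```powershell
# Added example (not from the article): find folders on a share that contain
# many files with short, random-looking names of the kind the article shows.
function Find-SuspectEncryptedNames {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed shape: 5-8 lowercase alphanumerics, a dot, 1-6 more.
        [string] $Pattern = '^[a-z0-9]{5,8}\.[a-z0-9]{1,6}$',
        # Assumed: a folder with at least this many hits is worth a look.
        [int] $Threshold = 20
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        Group-Object -Property DirectoryName |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object -Property Count -Descending |
        Select-Object `
            @{ Name = 'Folder'; Expression = { $_.Name } },
            @{ Name = 'Hits';   Expression = { $_.Count } },
            @{ Name = 'Sample'; Expression = {
                ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', ' } }
}

# Usage (assumed share path): list the worst-hit folders first.
Find-SuspectEncryptedNames -Path '\\fileserver\Shares' | Format-Table -AutoSize
```

Run it against the share, not the client's workstation, after you have isolated the infected machine; the output tells you which folders to restore from backup and gives you concrete filenames for the screenshots you show users during training.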
Above all else, stress that payment will not help them in the end. The more money these attackers make from these schemes, the more incentivized they are to continue re-engineering and producing attacks. As Dark Reading's post references from the latest Cyber Threat Alliance figures, CryptoWall 3.0 has already succeeded in extorting $325 million from tens of thousands of victims internationally. These cybercriminals will keep collecting from your clients before you can stop payments, further funding future blackhat missions...unless you step in.
CryptoWall 4.0 Behaves Like Previous Versions.
Knowing how a virus behaves will always help your technicians address the issue more thoroughly. Malware analyst, programmer and ransomware fighter Nathan Scott found that the latest threat installs and communicates like previous CryptoWall editions. For a complete description of how CryptoWall communicates with the Command & Control servers, the encryption methods it uses, what it does once it's installed and more, read Bleeping Computer's original article here.
CryptoWall 4.0 also decrypts like its predecessors, using the same domain for victims to make payments, check payment status, redeem one free decryption (how generous) and submit support tickets. Here's a screenshot of that decryption service site, courtesy of Abrams' article:
The New Ransom Note Adds Insult to Injury.
Ok, maybe this isn't something you need to know, but the new language is certainly garnering a lot of anger and impulsive behavior. Dripping with smugness, the CryptoWall 4.0 ransom message takes pleasure in the fact that victims are locked out and even congratulates infected users for joining the CryptoWall community. Among a slew of taunting phrases, attackers are hitting your clients with lines like:
The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection.
Together we make the Internet a better and safer place.
The attackers are so considerate, aren't they? They're definitely looking out for your clients by making them pay for their own company's intellectual property and then threatening complete file corruption should the victim try to restore files with third-party tools. Somebody's getting a card this holiday season!
What you should take away from this as business owners, however, is that the new ransom message is longer and more subtle than before. Put yourself in your users' position, and assume you've never heard of CryptoWall, CryptoLocker or any other ransomware. Upon looking at a wall of text, you may just skim and see phrases like "purchase the software package," which seems legitimate. Again, this is textbook social engineering - attempting to gain trust by posing as a credible source. More of your users may fall for this deception than fell for past versions of CryptoWall.
Your peers and antivirus vendor are some of your best support resources.
If you're a member of the Spiceworks online IT community, I highly recommend you follow this ongoing conversation about the latest CryptoWall 4.0 developments! IT professionals and vendors like Webroot antivirus are sharing best practices for virus prevention. Check out some of these contributions:
Bleeping Computer has also started this thread for CryptoWall 4.0 support.
But perhaps the most important thing to know is...
You Have to Offer Backup and Disaster Recovery (BDR) Services ASAP
The only way to recover files is by paying the ransom or restoring backed-up data. Unfortunately, your clients may feel pressured into complying with the attacker's demands and paying for decryption to avoid costly downtime. Many are naive enough to believe that they'll only have to pay the attacker once, but these cybercriminals are just that...CRIMINALS! What prevents them from withholding the decryption key and demanding more money? As your clients' trusted advisor, you really must emphasize this. So that just leaves the other option - backing up customer data!
In a perfect world, you'd never have to lose sleep over anxieties related to user error, but it continues to be a leading contributor to data loss. According to IBM's "2014 Cyber Security Intelligence Index," 95% of all security incidents involve human error. No matter how often and accurately you communicate security risk prevalence and preventative measures (which you should be doing), someone will always fall for a scheme, both obvious and cleverly disguised. The fact of the matter is you can't deliver data loss prevention without offering backup and disaster recovery (BDR) services. Furthermore, you can use this latest instance of CryptoWall 4.0 to strengthen your argument that current and potential clients need BDR. Is it a sales strategy? Sure. Does it help strengthen your clients' defenses and minimize downtime, thus keeping their businesses up and profitable? You bet.