Remember CryptoLocker? Its bigger, badder brother is in town… literally. We’ve had several local clients hit with this devastating ransomware.
CryptoWall is distributed via emails with ZIP attachments containing executables disguised as PDF files (typically an .exe given a PDF icon and a name like invoice.pdf.exe, relying on Windows hiding known file extensions by default). The fake PDFs pose as invoices, purchase orders, bills, complaints, or other business communications.
When you double-click the fake PDF, it instead infects your computer with CryptoWall, dropping its files into the %AppData% or %Temp% folder. Once running, the malware scans the computer’s drives for data files to encrypt. The scan covers every drive letter, including removable drives, mapped network shares, and even Dropbox folders, and it runs with the infected user’s permissions, so any share that user can write to is fair game. In short, if it has a drive letter on your computer, CryptoWall will scan it.
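Because the lure depends on an executable wearing a PDF name, a mail gateway or help desk can catch most of these attachments by comparing each ZIP member's claimed extension with its actual file signature (PE executables begin with the bytes "MZ", real PDFs with "%PDF"). The Python below is an added example written for this post, not code from the original article or from any vendor; the sample ZIP it builds is constructed to mimic the described attachment and the verdict strings are this example's own labels.

```python
"""Triage a ZIP e-mail attachment for executables posing as PDF documents."""
import io
import zipfile
from typing import Dict

# File-type signatures: Windows PE executables start with "MZ", real PDFs with "%PDF".
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
# Extensions Windows will run on double-click (not exhaustive; assumed list for this example).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}


def classify_member(name: str, head: bytes) -> str:
    """Give a verdict for one archive member from its filename and leading bytes."""
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in base.split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    claims_pdf = ".pdf" in exts  # e.g. invoice.pdf.exe, or an .exe renamed to .pdf
    if head.startswith(PE_MAGIC):
        if claims_pdf:
            return "malicious: executable disguised as PDF"
        return "suspicious: Windows executable"
    if final_ext in EXEC_EXTS:
        return "suspicious: executable extension"
    if final_ext == ".pdf" and not head.startswith(PDF_MAGIC):
        return "suspicious: .pdf without PDF header"
    return "clean"


def triage_zip(data: bytes) -> Dict[str, str]:
    """Return {member name: verdict} for every file inside a ZIP given as bytes."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the signature is needed, not the whole file
            verdicts[info.filename] = classify_member(info.filename, head)
    return verdicts


def build_sample_zip() -> bytes:
    """Constructed attachment mimicking the lure: a PE with a .pdf.exe name plus decoys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_88214.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # fake PE header
        zf.writestr("Purchase_Order.pdf", b"%PDF-1.4\n%constructed decoy\n")
        zf.writestr("readme.txt", b"constructed text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in triage_zip(build_sample_zip()).items():
        print(f"{member}: {verdict}")
```

Checking the signature rather than trusting the name is the point: a renamed executable still starts with "MZ", and a ".pdf" that does not start with "%PDF" deserves a second look even when no executable is found.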
Below is an example of a CryptoWall-infecting email:
Steps to prevent CryptoWall and other ransomware:
1. Inform end users of this threat and how it appears in email form: an unexpected invoice, order, or complaint arriving as a ZIP attachment.
2. Enable a DNS filtering service like OpenDNS to block users on your network from resolving known-malicious domains.
3. Test and verify your backups in case you do get struck with ransomware; a backup that has never been restored is only a hope. Keep at least one copy offline or otherwise not reachable as a drive letter, since the infection encrypts everything it can see. If you aren’t backing up regularly, start now.
4. Enable the sandbox and antivirus features on your firewall so attachments are inspected before they reach the mailbox.
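Step 3 is the one that decides whether an infection is an outage or a catastrophe, and "verify" means actually restoring. The Python below is an added example for this post, not the author's procedure or any backup product's code: it records a SHA-256 manifest when the archive is written, later restores the archive to a scratch directory and compares every file against that manifest, and refuses archive entries that would escape the restore directory. The directory tree it backs up is constructed inline; the second check deliberately feeds it a manifest with a changed hash and an extra expected file to show what a failed restore test looks like.

```python
"""Restore-test a tar.gz backup against a SHA-256 manifest taken at backup time."""
import hashlib
import os
import tarfile
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def create_backup(root: str, archive: str) -> Dict[str, str]:
    """Write root into a tar.gz and return the manifest to keep with the backup."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tf:
        for rel in sorted(manifest):
            tf.add(os.path.join(root, rel), arcname=rel)
    return manifest


def _safe_members(tf: tarfile.TarFile, dest: str):
    """Yield regular files/dirs whose path stays inside dest (drops ../ and absolute names)."""
    dest_real = os.path.realpath(dest)
    for m in tf.getmembers():
        target = os.path.realpath(os.path.join(dest, m.name))
        inside = target == dest_real or target.startswith(dest_real + os.sep)
        if inside and (m.isfile() or m.isdir()):
            yield m


def verify_backup(archive: str, manifest: Dict[str, str]) -> List[str]:
    """Restore archive to a scratch dir and compare with manifest; return a list of problems."""
    problems = []
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(archive, "r:gz") as tf:
            for m in _safe_members(tf, dest):
                tf.extract(m, dest)
        restored = build_manifest(dest)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> Dict[str, List[str]]:
    """Constructed data: back up a small tree, then verify a good and a tampered manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "invoices"))
        with open(os.path.join(src, "invoices", "2014-06.xlsx"), "wb") as fh:
            fh.write(b"constructed spreadsheet bytes")
        with open(os.path.join(src, "notes.txt"), "wb") as fh:
            fh.write(b"constructed notes")
        archive = os.path.join(work, "data.tar.gz")
        manifest = create_backup(src, archive)
        good = verify_backup(archive, manifest)
        # A manifest that disagrees with the archive stands in for a corrupted or incomplete backup.
        tampered = dict(manifest)
        tampered["notes.txt"] = "0" * 64
        tampered["invoices/2014-07.xlsx"] = "1" * 64
        bad = verify_backup(archive, tampered)
    return {"good": good, "tampered": bad}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

Store the manifest somewhere the infected machine cannot write to, alongside the offline copy of the archive; a manifest sitting next to the data on a mapped share gets encrypted with everything else.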