It has a new name.

It is now also referred to as the help_your_files ransomware. Threat watchers discovered the resurgence of CryptoWall after receiving and examining multiple complaints from concerned users who hadn’t heard of this strain of ransomware. It literally snuck up on them.

The attack vector is still email.

CryptoWall 3.0 relied heavily on naive end users opening unfamiliar attachments in unfamiliar emails. The logic is like accepting an invite to free candy in a dark alleyway from a stranger. CryptoWall 4.0 is no different in this regard.

While hacking schemes in today’s IT field are more sophisticated and targeted, it really feels like an attacker could put “DON’T CLICK THIS LINK BECAUSE I’LL DELETE ALL YOUR FILES AND PICTURES AND STEAL YOUR MONEY” in an email in bold, large, red letters, and some end users would still click it (hold my beer and watch this).

CryptoWall 4.0 builds on the social engineering aspect of attacks, and will continue to use email as the main transmission source. Bleeping Computer discovered the infected files were disguised as resumes enclosed in zipped email attachments. In reality, they were JavaScript files that downloaded the virus and ran it. People, end users, have not learned, and will not learn unless we teach them not to take candy from strangers. A good way to teach end users not to open these emails: If you weren’t expecting it, don’t open it. Your company’s, or worse your clients’, revenue stream could be at risk.

It has upped the game to encrypt file names too!

Previous CryptoWall versions left the file names intact so you could see the files sitting there, salivate at getting them back, and send money. This didn’t work to the hackers’ benefit in 3.0; you could pick and choose which files to attempt to decrypt, since attempting all of them would take lots more time and money. Now, you won’t know which files you are locked out of; the file names will just appear random.


Worst of all, paying the ransom doesn’t always help. The more money hackers make, the more incentivized they become. Plus, there is no guarantee they will comply with sending you the decryption key for your files. CryptoWall has already extorted $325 million from victims internationally, and not all of those cases have ended happily.


CryptoWall 4.0 behaves like previous versions.

This is probably the only good news a new CryptoWall brings. Because it is transmitted, behaves, and communicates the same way as 1.0, 2.0, and 3.0, it is predictable. While this is good news, it won’t stop it. The weak link here is the end user, but we can utilize tools like Spam Filtering, Antivirus and Content Filtering to give the user warning (like a police car and crime scene tape in front of the alley) and an opportunity to stop the infection. We also know that a good online backup, like Carbonite, provides us with a fail-safe to fall back on in the event of the worst.

Let’s stop it.

Our first step in stopping any virus outbreak is user education. Just like it is important to teach children to wash their hands to kill germs, it is important to teach users to think before they open emails or websites, especially ones they are not expecting. A lot of serious infections occur when the timing of a malicious email is just right: you were expecting a resume and the virus arrives disguised as a resume. It is important to pay attention to what you are opening and where you are going on the web today. Blind clicking is like driving too fast; you may get there quicker, but eventually it will catch up with you. In any event, we cannot depend on user intuition alone. We must use business-class protection, and we need it fast:

Office 365 spam filtering is one of the best, utilizing a combination of content analytics (reading the email for spam-like word and phrase combinations: You’ve won a million dollars! Just send us your social security number and claim your prize!) and malware scanning to protect users from getting malicious emails in the first place.

We can help with your move to Office 365!

AVG and St. Aubin Technologies have partnered together to offer AVG CloudCare to our clients! AVG CloudCare is an inclusive, centrally managed Antivirus & Content Filter solution to protect your end users and business. AVG CloudCare provides top-notch real-time protection to workstations and servers, scanning files and links before they are opened, stopping malicious programs from even entering your business network, and generating email alerts about impending issues. Since CryptoWall utilizes a JavaScript file to download a virus installer via HTTP, the real-time virus scanner would stop the JavaScript program from even running, the Content Filter would stop the installer from even downloading, and all you’ll get is an instant notification that it stopped a user from creating an IT catastrophe on your network. Pretty sweet!
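The delivery mechanism described above (a zipped “resume” that is really a JavaScript file) and the filtering layer this paragraph describes can be illustrated with a small mail-gateway check. The following is an added example, not code from this post or from any vendor named here: it walks a MIME message, opens zip attachments in memory without extracting them, and flags archive members with a Windows Script Host extension. The page names only JavaScript; the other extensions in the block list, and the sample message, are assumptions constructed for the example.

```python
"""Quarantine check for zipped script attachments (added example, not the post's code)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions Windows Script Host runs on double-click. The post names JavaScript
# (.js); the remaining entries are an assumption about what a filter would add.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def is_script_name(name: str) -> bool:
    """True if the file's final extension is a script type (case-insensitive)."""
    base = name.rsplit("/", 1)[-1].lower()
    return any(base.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def scan_zip_bytes(data: bytes) -> List[str]:
    """Return member names that are script files. Reads the directory only, never extracts."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings = [i.filename for i in zf.infolist() if is_script_name(i.filename)]
    except zipfile.BadZipFile:
        # An attachment that claims to be a zip but does not parse is worth flagging too.
        findings.append("<unreadable zip>")
    return findings


def scan_message(msg: EmailMessage) -> List[str]:
    """Walk attachments; report 'archive.zip -> member.js' or a bare script attachment."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            findings += [f"{name} -> {m}" for m in scan_zip_bytes(part.get_payload(decode=True))]
        elif is_script_name(name):
            findings.append(name)
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed lure shaped like the resume attachment the post describes (no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.js", "// constructed placeholder content, not malware\n")
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Resume for open position"
    msg.set_content("Please see my attached resume.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="resume.zip")
    return msg
```

A gateway would quarantine any message for which `scan_message` returns a non-empty list and raise the alert this paragraph describes.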

AVG and St. Aubin's Partnership with CloudCare

St. Aubin Technologies and Carbonite Online Backup have a long-standing relationship, saving many of our clients gigabytes of data from being lost forever, which could have resulted in thousands, if not millions, of dollars in lost time and revenue. The effects of these saves continue on, even months after data is recovered. Carbonite is a major component in our recommended Business Disaster Recovery plans (BDR), providing protection when the absolute worst happens. We’ve always compared virus protection on workstations and servers to airbags in a car crash; if a user hits something hard enough, or mashes the gas pedal because they are in a hurry, the airbag can only do so much. Carbonite Backup is the ultimate protection for your files in the event of an infection.

Carbonite Backup can save you too!

By utilizing the full suite of data protection (Office 365 with enterprise spam filtering, AVG CloudCare with Antivirus and Content Filtering, and Carbonite Online Backup), we can give our business networks a fighting chance in the ongoing war against evil computer viruses!
