Ransomware Strikes Again - Cryptowall

Category: Security

Making regular backups of critical data and keeping your software up to date is more important than ever thanks to the arrival of new, “improved” malware like Cryptowall 2. This update to a well-known ransomware exploit is making life miserable for business and personal computer users worldwide. Here's what you need to know...

What is Cryptowall 2 Ransomware?

Last summer, authorities busted the cybercriminals behind the CryptoLocker virus, and shut down that threat. But a new variant called Cryptowall 2 has emerged from the dark corners of the Internet.

Like its predecessor, Cryptowall 2 encrypts everything on an infected hard drive and displays a “ransom note” to the hapless user. The extortion is simple: pay several hundred dollars by a specified deadline or you’ll never get the key that unlocks your encrypted data. The payment method is anything but simple for the typical victim.

Cryptowall 2 is elaborately designed to avoid detection by security software and to conceal the identities and locations of its masters. Part of this stealth strategy is to require ransom payment in Bitcoin, the virtual crypto-currency. Most citizens and even IT geeks have no clue how to get Bitcoin; even if you know, converting real currency into Bitcoin is not convenient or fast.
Cryptowall Ransomware

Victims first have to locate an online Bitcoin currency exchange, then apply for an account. The exchanges conduct “background checks” to protect their dubious users from law enforcement agents. Approval can take days during which one’s computer (or an entire company network) is less useful than a flower pot.

Another barrier to paying is Cryptowall 2’s complicated instructions for using the Tor proxy network to connect to the attacker(s)’ site and make the payment. Victims must download and install the Tor browser (a copy of which may well be hosted by the attacker(s) and infected with more malware), then follow a link through the often-unreliable Tor network to the attacker(s)’ site. If the connection fails, victims must try later.

As if that isn’t enough, a Cryptowall 3 version appeared in recent days. Its only “improvement” seems to be the addition of the Invisible Internet Project (I2P) proxy network to the things that can go wrong with a payment attempt. The payment link provided by Cryptowall runs a victim through several Tor proxies and then hands the connection off to I2P, which has its own ways of failing.

Is There Any Guarantee?

If a victim jumps through all of these hoops and pays the ransom there is no guarantee that the key to unlock the encrypted data will be delivered. So far, the bad guys have honored their end of the deal, presumably because not doing so would quickly become well-known and ransom payments would dry up. But if anything should happen to the bad guys – like a sudden police raid – those who pay the ransom will never see a key.

The best way to deal with Cryptowall is to avoid it at all costs. That means keeping your defenses up on all fronts. Think before you click on unknown links or email attachments. Keep your operating system and application software up to date with security patches. Use a comprehensive internet security suite that watches for things like Cryptowall in email, Web, external storage devices, and every other vector by which malware can enter your system.

Follow these links to learn how and where you can get free tools to protect your computer:

The only thing I'd recommend as an extra layer of protection is a little program called CryptoPrevent, which modifies some Windows settings to prevent infection by Cryptolocker and related malware. Note that there are both Free and Premium versions of CryptoPrevent.

And of course, if you have a full system backup available, you needn't worry about CryptoWhatever ransomware, even if it does manage to slip past your defenses. Instead of paying the $500 or $1000 ransom, you'll just fire up your backup software, and restore everything from your most recent backup. If you're not making backups, I recommend that you get my ebook Everything You Need to Know About BACKUPS.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 20 Jan 2015

For Fun: Buy Bob a Snickers.

Prev Article:
I Didn't ASK For This!

The Top Twenty
Next Article:
Add THIS to Your Anti-Malware Arsenal

Most recent comments on "Ransomware Strikes Again - Cryptowall "

Posted by:

20 Jan 2015

The way the Bitcoin is dropping they're going to have to figure out a new payment method.

Posted by:

20 Jan 2015

It still attacks just Windows, though, right?

Posted by:

20 Jan 2015

Can/will the Cryptolocker thieves be able to steal your personal data if you don't pay them?

EDITOR'S NOTE: They're not interested in your personal data. When the virus strikes, you hard drive is encrypted, and you must pay to get the decryption key.

Posted by:

20 Jan 2015

"But if anything should happen to the bad guys – like a sudden police raid – those who pay the ransom will never see a key."

Given that the perps are probably someplace like the former Soviet Union, where the authorities don't really give a flying you-know-what about what they might do to westerners (and ransoms are perfectly good foreign exchange, anyway), the odds of their actually getting busted seem rather remote. ;)

Posted by:

20 Jan 2015

It's odd, Bob. ... As I write this message, there have been four comments posted prior to mine. Not one of the comments says the writer will be taking action!

One wonders if they'll someday be asked to pay ransom in something other than Bitcoins. Another asks if they're safe if they don't use Windows. A third wonders what else will go wrong if they become a victim and don't pay the ransom. And the fourth wrote to say say the bad guys probably won't get caught. In my opinion, they're all missing the point.

Your point, Bob, as I see it, is that it is not particularly difficult to protect your system from this kind of nastyware.

And when you've done that, all these other questions become irrelevant.

Thank you for letting me vent. ;-)


Posted by:

20 Jan 2015

Bob, I use Malwarebytes Anti-Malware and adwcleaner to control my malware issues. Your comments please.


Posted by:

Jim 2
20 Jan 2015

Does the malware attack an attached USB connected hard drive if that is what you use as backup? Or should you disconnect the drive while surfing?

Posted by:

20 Jan 2015

whew! after SO much reading it struck me in a very dark humor way - so THIS is where Doctor Bob Makes his million and disappears to his private island full of babes and sail boat and his private chopper (the only ways on and off the Island) -- and with a Tequila so cold it's dripping ice drops in one hand and the other fingering his bucket loads of bit-coins gives his diabolical laugh Bruhahahahahaha! "They bought my book on how to image an entire hard drive THEN downloaded MY CryptoSUPERWALL-4 before they actually read a word of my new books - bruhahahahaah! I'm RETIRED!!!!!! Bruhahahahahaah! That's ONE Doctorate that paid itself off inside a couple of years!!!! BRUHAHAHAHAHAHA!" As the sun sets gently in the west and a perfume scented evening wing picks up as it does every afternoon about now . . . . .

EDITOR'S NOTE: And then I awoke... :-)

Posted by:

Fred Cherney
21 Jan 2015

I'm a senior who fell for the phone scheme - We're from Microsoft and are following up on error messages.
Got locked out of my computer and told to call a phone number with my credit card in hand.
I ran FixMeStick and the lock disappeared and the computer was running as well as before the attack. I highly recommend this product for external virus checks. Fred

Posted by:

21 Jan 2015

The way this is being reported I reckon it's odds on it's an Islamist terrorist run setup. Complete lash up.It appears there isn't much intelligence involved.Probably a fifteen year old with too much spare time on his hands has programmed it.That was the easy bit. Getting the ransom is more of a problem, which the perpetrators have not got sorted! This is scary to say the least.I like to go back to the 90's when the internet was interesting and this type of problem didn't exist. Will those halcyon days ever return? Probably not.

Posted by:

25 Jan 2015

Thanks for the informative and very important article on this growing problem. I helped a company get through a cryptowall 2 incident, and it was not fun. FBI couldn't help as they were also working on a solution. We paid the bad guys in bitcoins, which was not easy to do and took a lot of time (weeks). The whole thing took a month to accomplish, and almost went past the deadline the bad guys established. Like you said, the best thing you can do is to prevent getting caught with your pants down, and have reliable backups to revert to if this happens to you. That being said, this randsomeware can hit your attached backups and online backup copies, so have OFFLINE/Disconnected backups too. In other words, have a backup drive that stays disconnected between backups. I think you've mentioned this in previous articles. Just wanted to stress this point.

Posted by:

26 Jan 2015

I just got hit with this on my Win 8 PC running McAfee and Malwarebytes.
First thing I noticed was sluggish Internet. Virus ate up all my bandwidth. Then i noticed (in Task manager) a number of processes running which bogged down my computer: COM Surrogate (32 bit); CTF Loader; DVD Upgrade; FIXMAPI; etc. I also noticed that my browsing history was regularly deleted and that my IE security settings were changed daily (if not more frequently).

Ran numerous scans to no effect. Neither security program found Ransonware until it was too late.

My question, Bob,is this: why wouldn't my backup also be encrypted with Ransomware? If my (WD) BU drive backs up files every time they are changed, why wouldn't they end up backing up the encrypted files instead of retaining the original (unencrypted) ones?

Needless to say, this is a nightmare, but I reufuse to pay these thugs unless I have no other option.

Posted by:

26 Jan 2015

The other thing I noticed was that the number of file scanned by McAfee kept increasing exponentially.

Normally, McAfee would say it had scanned about 650,000 files on my computer. During this issue, that number increased to about 980,000 and then over 1,250,000. It makes me wonder if, somehow, the original unencrypted files still exist on my computer and that new "files" were created in their place?

Do you have nay insight into the near doubling of files on my computer during this process?

Anyway, I'm providing all this info in the hope that it provides some insight into the way these viruses operate and in the hope that this information might help prevent them in the future.

Posted by:

05 Oct 2015

Wow thhis is weird... i just loooked in my spam today earlier and there was a threatening email saying that this femalle got into my info thru a cloothes site, i dont go to, and said she was able to get into my facebook acct and copied off alll the private info ive got on their an unless i pay to bitcoin? she was going to go to myfamily an tell them everything and go to my love interest an make sure theres a divorce. she went on, i just blocked her emails due to the fact ive never been on the site shhe mentioned, im hardly on my facebook and even if i was ive bbeen single and tootally devoted to my kids and my dad so their been NO DARN JUICE in my life let alone on my facebook! the last reason is i havent been married since 1997. lol so if she was on my fb then she would have known im pretty boring! but that is weird how i just read this article right after i by chance read the ransom bitcoin email in my spam. i also have a chromebookk and they dont get viruses right?!

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Ransomware Strikes Again - Cryptowall (Posted: 20 Jan 2015)
Source: https://askbobrankin.com/ransomware_strikes_again_cryptowall_.html
Copyright © 2005 - Bob Rankin - All Rights Reserved