Email attachments and CryptoWall


The CryptoWall 3.0 virus has been circulating for a while now. I know it has affected a number of businesses in the Westman region. CryptoWall is spread primarily as an email attachment. Here's how the story went for one of my clients.

My client received what looked like a very legitimate email from someone with an attached resume. The attachment was a zip file which when opened installed the CryptoWall 3.0 virus on the computer. Clicking on the attachment appeared like it didn't do anything as the expected resume did not appear. However, that's all it took to install the virus.

CryptoWall 3.0 creates a private encryption key on the attacker's server and goes through all the folders of your computer encrypting them with that key. It also goes through the folders on any mapped network drives and encrypts them as well. Once the files have been encrypted, they are no longer useful to you. They can't be opened as the programs will now see them as invalid files. The only way to decrypt the files is with the public key the attacker has. In each of the folders with encrypted files, there are also a number of ransom notes named "HELP_DECRYPT". Those files give instructions about how to send the money to get the encryption key for your files. They have been asking for $500 USD if paid within 5 days or $1000 USD if paid after that.

Fortunately for my client, they had our Off-Site Backup service for their server. So, we were able to restore copies of all the files on the server from just minutes before the virus encrypted them. However, we did not have backup service on the computer which opened the email attachment. So, all they had left on that computer were some files they had recently backed up to a USB stick. We could have paid the money to the attacker to decrypt the files from that computer, but in this case my client felt it wasn't worth it. I'm glad the attacker didn't get any money out of this situation.

In each of the cases I have seen, this virus has arrived as an email attachment. Most of the time it has been an email claiming to have a resume attached.

Take away notes:
1) Be careful what email attachments you open.

– This one is so tricky because legitimate resumes often come from people we don't know and sometimes when we're not expecting them. The only thing that could have tipped this one off is that it was a zip file – which may be suspicious. The other thing is there was no other contact info such as a phone number, or introductory info in the body of the email.

2) Make sure you have a good backup plan in place.
– If you have a regular backup of your critical files, the effects of an attack such as this are greatly minimized. Being able to go back to the way things were just before the attack can help you get back up and running quickly.

3) Make sure you have good AntiVirus software installed on your computers.
– There is no perfect AntiVirus, and unfortunately the installed AntiVirus did not stop the attack in the example above. However, it did help with removing the virus. Of course this is not the only threat and a good AntiVirus will stop most of these attacks. The most recent Trend Micro Worry-Free Business Security has added features to help prevent this kind of attack.

4) Check your security policies.
– This attack could have been minimized if the user who opened the attachment did not have Administrative privileges on their local computer. On a Windows computer, only a user with Administrative privileges can install software. In larger organizations, most users don't have admin
privileges. However, in smaller businesses, it is very common for a user to have admin rights on their local computer so that they can install their own software and updates. Your network administrator can help with removing Admin rights for most if not all users.

Here's some more interesting reading about CryptoWall 3.0:

CryptoWall 3.0 is pretty scary stuff, but these tips should help minimize the potential risk to your business.