Don’t let your files get kidnapped by CryptoWall

A new type of computer infection, CryptoWall, is making its presence known. Once it infects your computer, it quickly gets to work converting all of your personal data such as photos, documents and emails to an encrypted form that you can no longer use.

CryptoWall ransom screen

CryptoWall is a type of infection called ransomware. Ransomware locks your computer or its data until you pay a ransom to the perpetrators to release it. CryptoWall is a copycat of a similar infection called CryptoLocker, which ran unhampered for 8 months and collected an estimated $10 million in ransom until it was shut down last week in a coordinated takedown by US and other foreign authorities.

Adding insult to injury

While we are able to remove the CryptoWall infection, it is not possible for anyone to unlock the data without the original key that was used to encrypt it. The only way to get that key is to pay the creators of the infection a 500 Euro (~$730 AUD) ransom. And if you don’t pay within 5 days of being infected, the price jumps to 1,000 Euros (~$1,460 AUD)!

Not even backups are safe!

Think you’re totally safe because you’ve been diligently backing up your data for years? Think again, because the virus also encrypts files on any drive connected to the computer while it is infected. This includes your external backup drive, thumb/USB drives and any automatically syncing cloud storage you use.

Search and destroy

Whilst encrypting files on your computer, the infection happily multi-tasks by seeking out other computers on your home/work network and encrypting their files, too. It doesn’t matter whether a computer is connected via WiFi/wireless or with a cable directly to the modem: if it’s using the same modem as an infected computer, it can be hit too.

What are the authorities saying?

Authorities have advised people affected by ransomware not to resort to paying the ransom, as this will only encourage the perpetrators.

However, a police department that was infected by CryptoLocker late last year ended up paying the ransom because its backups were also encrypted. Likewise, most businesses can’t do without their customer details, job and accounting data, so they’re likely to sacrifice some money to stop their business from going bankrupt. Similarly, many home users may not be able to afford the ransom, but still resort to paying up in order to get their family photos back.

How do I prevent this from happening?

If you do your best to follow the advice listed below, you won’t have a guarantee of avoiding this horrible infection, but you will seriously reduce your exposure to it.

1) Out-of-date security software. Most of the big security software companies are saying that their antivirus software stops CryptoWall, so it is a good idea to have security software installed, updated, activated and with a current subscription (this year we are recommending Norton Internet Security). Having said that, there are reports from people using various brands of security software saying that their computer still got infected with CryptoWall. There is no way to tell whether this is because they did something wrong or because the security software doesn’t do what it should. Regardless, it’s still safer to have security software than not to have it.

2) Email attachments and links. CryptoWall can come from infected websites, but the most frequent source of infection is via attachments in fake emails purporting to be from parcel delivery companies such as USPS.

These days, there is no guarantee that even opening attachments in emails from your friends will be safe, so I can’t stress strongly enough: don’t fall into the trap of thinking, “Well, I was expecting a parcel to arrive, so I guess it makes sense that I got an email from this courier company.” Don’t open attachments in emails unless you are 100% sure they are safe.

3) Attached backup drives. We always recommend that cloud storage be supplemented with physical onsite backups. CryptoWall can affect both of these, though, so it is important to make sure that your physical backup device is detached from your computer when not in use. Most backups are set to run automatically so that you don’t have to worry about forgetting to run them, so if you have to unplug the drive when it’s not in use, you’ll probably forget to plug it back in when it’s needed and you’ll end up with no backup at all. This means that a very convenient source of security for your data has suddenly become highly inconvenient.
The only workaround is to leave your backup drive attached so that it can back up automatically, but get a second backup drive that you intermittently attach and detach for ad hoc backups. Better to have some data that is a little old but working than up-to-date data that is not accessible at all.

4) Windows XP. This is a 12-year-old version of Windows with lots of security vulnerabilities, so you should seriously think about upgrading to Windows 7 or 8 as soon as possible. If you’re willing to ignore that advice and keep taking the risk of using it, at least stop using Internet Explorer, because on XP it can’t be updated to the current version and so has lots of problems. Download Mozilla Firefox or Google Chrome and use them instead.

Windows Vista and 7. Stop using the sidebar and widgets (those little apps like the large analog clock that show up on the right side of your screen). Microsoft has advised that the sidebar and widgets should be disabled because they have security vulnerabilities.

5) CryptoPrevent. Finally, you can download a free program called CryptoPrevent that does its best to stop CryptoWall and related programs from running. It is not a panacea for all the problems created by this infection, but it may help stop CryptoWall from getting a foothold on your computer or, if it does still infect it, it may reduce its spread to other computers on your network. But remember, you will have to update this utility regularly to keep abreast of the changing nature of these infections. You can find CryptoPrevent at http://www.foolishit.com/vb6-projects/cryptoprevent/.
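The weak spot in item 3 above is that an always-attached backup faithfully overwrites good copies with encrypted ones. The backup job itself can refuse to do that. The script below is an added example, not code from Geeks to the Rescue or from CryptoPrevent: it writes each run into a new dated folder instead of overwriting, skips any file whose byte entropy jumped from document-like to ciphertext-like levels since the last run, and writes nothing at all when most files changed at once. The entropy cutoffs and the 50% change ratio are assumptions.

```python
"""Guarded snapshot backup: never overwrites readable copies with files that suddenly
look encrypted, and stops when almost everything changed at once. Added example,
not Geeks to the Rescue code; the cutoffs below are assumptions."""
import hashlib, json, math, shutil, time
from collections import Counter
from pathlib import Path

ENC_ENTROPY = 7.5    # bits/byte; ciphertext sits near 8.0 (assumed cutoff)
PLAIN_ENTROPY = 6.0  # text and office documents usually sit well below this (assumed)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(root: Path) -> dict:
    """Map relative path -> [sha256, entropy] for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            out[str(p.relative_to(root))] = [hashlib.sha256(data).hexdigest(), entropy(data)]
    return out

def guarded_snapshot(src: Path, dst_root: Path, max_change_ratio: float = 0.5, label: str = "") -> dict:
    """Copy src into a new folder under dst_root. Files whose entropy jumped from
    plaintext to ciphertext levels are skipped (the previous snapshot keeps the good
    copy); if more than max_change_ratio of known files changed, nothing is written."""
    manifest = dst_root / "manifest.json"
    old = json.loads(manifest.read_text()) if manifest.exists() else {}
    new = scan(src)
    changed = [f for f, (h, _) in new.items() if f in old and old[f][0] != h]
    suspect = [f for f in changed if old[f][1] < PLAIN_ENTROPY and new[f][1] >= ENC_ENTROPY]
    report = {"copied": [], "suspect": suspect, "aborted": False}
    # Mass-change guard: ransomware rewrites nearly every file between two backup runs.
    # This is also the backstop for already-compressed files (JPEGs), which the
    # entropy test cannot tell apart from ciphertext.
    if old and len(changed) / len(old) > max_change_ratio:
        report["aborted"] = True
        return report
    snap = dst_root / (label or time.strftime("%Y%m%d-%H%M%S"))
    for rel in new:
        if rel in suspect:
            continue  # leave the older, still-readable copy as the latest version
        (snap / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, snap / rel)
        report["copied"].append(rel)
    # Suspect files keep their old manifest entry, so the next run still compares
    # against the last known-good version rather than the encrypted one.
    dst_root.mkdir(parents=True, exist_ok=True)
    manifest.write_text(json.dumps({f: old[f] if f in suspect else v for f, v in new.items()}))
    return report
```

A "suspect" or "aborted" report is the moment to check the source machine before plugging in the second, ad hoc drive.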

Following the advice above will definitely help you avoid this nasty infection, but please be aware that it is no guarantee of safety. Infections change all the time, so you have to stay on your toes and be sensible about what you do on the internet and when opening email.

Really, the only 100% effective way to avoid this infection is to disconnect your computer from your network… but who is going to do that when, these days, it’s almost pointless using a computer without an internet connection?

As always, if you don’t feel confident following the above advice or just don’t understand it, Geeks to the Rescue is here to help.