In the last few weeks we have received a half a dozen computers that were infected with a type of ransom ware that attacks your Word documents and Excel files. One of the computers also had the picture files infected. If you get infected with this ransom ware you will lose all access to your files. The infection will have to be removed but the damage to your data is irreversible. If you do not have a backup of your data to restore, your files are lost.
CryptoWall is a file-encrypting ransom ware program that was released around the end of April 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.
When you are first infected with CryptoWall it will scan your computer for data files and “encrypt” them using RSA encryption so they can no longer be opened. Once the infection has encrypted the files on your computer drives, it will open a Notepad window that contains instructions on how to access the CryptoWall Decryption Service where you can pay a ransom to purchase a decryption program. The ransom cost starts at $500 USD and after 7days goes up to $1,000. This ransom must be paid in Bitcoins and sent to a Bitcoin address that changes per infected user.
CryptoWall is distributed via emails with ZIP attachments that contain executables that are disguised as PDF files. These PDF files pretend to be invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will instead infect your computer with the CryptoWall infection and install malware files either in the “AppData“ or “Temp“ folders. Once infected, the installer will start to scan your computer’s drives for data files that it will encrypt. When the infection is scanning your computer, it will scan all drive letters on your computer including removable drives, network shares, or even Drop Box mappings. In summary, if there is a drive letter on your computer CryptoWall will scan it for data files.
When the infection has finished scanning your computer, it will also delete all of the Shadow Volume Copies that are on the affected computer. It does this because you can potentially use shadow volume copies to restore your encrypted files.
Now that your computer’s data has been fully encrypted, it will display the DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files that were created on your Desktop. These files contain information about what has happened to your data and instructions on how to pay the ransom. In most cases, once CryptoWall launches this document it will remove the infection files from your computer, as they are no longer necessary.
Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key. In addition, any decryption tools that have been released by various companies will not work with this infection. The only methods you have of restoring your files is from a backup, file recovery tools, or if you are lucky from Shadow Volume Copies.
In summary, even if you have a backup drive those backup files will be encrypted also. We would suggest that you only attach your backup drive during the backup and then remove it. DVD’s are a good choice to back-up your data on as they cannot be altered. System images are also a good choice because individual files cannot be accessed.
Unfortunately, their antivirus did not protect the infected machines that we serviced. Norton, McAfee, Microsoft Security Essentials (not a very effective antivirus) and Avast were ineffective. AVG (which we use and recommend) has so far not been tested. So you must protect your data now or take a chance on losing it. Good luck.
If you are in need of PC computer repair or services please visit Jester’s Computer Services located at 5135 Fairfield Road, Fairfield, PA. You can also reach Jester’s Computer Services by phone at (717) 642-6611 or send an email to: firstname.lastname@example.org
For help with learning how to use a PC computer, mobile technology, web design, or graphic design contact Jester’s Computer Tutor for help! You can also visit our website at www.thecomputertutor.info or like us on Facebook to receive free tips and tricks! You can contact the tutor via email at email@example.com or by phone at (717) HELP-4-ME or (717) 435-7463
By Bob Jester