The Worst Virus I Have Ever Seen: Don’t get caught in its web

May 29, 2015

By John Carney
Carney Consulting, LLC 

Cryptowall – Ransomware – RSA 2048-bit encryption

Do these terms mean anything to you? I hope not, because that would mean that you were unfortunate enough to be infected by this nasty virus (or had seen it on a CSI-type show). Cryptowall is a virus that is categorized as Ransomware. Once infected, the virus encrypts all the files on your computer and all the files on any attached disk drive using RSA 2048-bit encryption. In layman’s terms, this means that all of your files are unreadable unless you have the key to decrypt the files. The only way to get that key is to pay $500 within 7 days to the people who initiated the virus. If it is not paid within 7 days, the ransom goes up to $1000.

Sounds like a CSI show, doesn’t it? I assure you, it’s real. I have a client who was recently infected by this virus, and this is the first time I have seen it. I was able to recover some of the files on the disk, but not all. The only real way to recover all the files is to get the key, which means you would have to pay the $500 they are requesting. As of this moment, no one has come up with a way to generate a decryption key for this virus.

If you do decide to pay the ransom for the key, how can you be sure you’ll get it? Again, unfortunately, there is no guarantee, and you have no recourse if the thieves (and they are thieves in this case) decide they don’t want to give it to you.

This virus is spread through email, usually in the form of a PDF document. Once opened, the virus encrypts your files, leaves you a note that you have been infected, gives instructions on how to pay the ransom, and records a list of all the encrypted files in the registry.

So how do you avoid getting this virus? Even if you have firewalls, anti-virus, end-point security, heuristic analysis, blah blah blah, you can still get infected. The best way to be sure you never get this one is to never connect to the network, but that’s not very reasonable, is it? The number one method of prevention for this virus is user education. You have to be vigilant, and not open emails or attachments from people you do not know or that seem strange.

But if the worst does happen and you find yourself unfortunate enough to be targeted, option number two is to go to your backups, and I hope you have good backups. The best thing you can do once this happens is to reformat your hard drive to remove the virus and restore your files from your most recent backup. The only other options at this point are to pay the ransom, or to find someone who is able to do a deep scan of your hard drive to recover any deleted files that may still be there.

As for that number two option, backups: it is not a method of prevention at all, just a good practice. And what makes a good backup? That will be the topic of discussion in a future blog post.
