Danger Will Robinson! Cryptowall!

It starts with an email informing you that you have a fax waiting to be retrieved. The email looks like this.


The “Click here…” is a link to a dropbox file and looks like this:

http://www.dropbox.com/meta_dl (many random letters)

If you have made the unwise decision to click on it, you are directed to download a file. But it’s not a fax. It’s the Cryptowall virus.

Once downloaded and double-clicked, it immediately makes major changes to your PC. It removes all system restore checkpoints, disables your anti-virus and proceeds to encrypt all your data files. Once this is done, it very politely leaves a text file in each folder that it has encrypted. This text file explains what has just happened to you. Cryptowall also displays a similar message on the monitor. The polite message does not discuss the $500 ransom, payable in bitcoin. You’ll find that out when you visit their web site.

And what did just happen? Well, suddenly your data files like documents and PDFs cannot be opened any more. They are reported by the application as corrupted. That’s what happens when the files are encrypted.

The text of this polite message is shown below.

What happened to your files? All of your files were protected by a strong encryption with RSA-2048 using CryptoWall. More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen? Especially for you, on our server was generated the secret key pair RSA-2048 – public and private.

All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do? Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:

1. https://kpXXXXXr7jxqkilp.tor2www.com/7deY
2. https://kpXXXXXr7jxqkilp.tor2web.org/7deY
3. https://kpXXXXXr7jxqkilp.onion.to/7deY

It’s no longer the family dog or one of the kids. It’s your data. And they’re telling you the absolute truth. Other solutions do not exist.

So now you have two choices. You can visit their website and pay them $500 to decrypt your data. Or, you can kiss your data goodbye and recover from an online or detached backup drive (an attached backup drive will also be encrypted).

My client decided to kiss the data goodbye, as there were backups available. Then the issue became how to clean the PC. The PC was highly customized with several applications and strange printers that had taken a long time to install under Windows 7. The best option was to try to clean the PC. The virus leaves .DAT files lying around as well as a few executables. I slaved the hard drive to another PC and ran several scans using Malwarebytes, Avast and Norton, as well as a few manual scans looking for recently added .DLL and .EXE files. The user’s original profile was corrupted, so I had to create a new one. When logged in under his old profile, it was impossible to reinstall the anti-virus. Under the new profile, it worked fine. I also did several other things that are beyond the scope of this posting. The purpose of this posting is to raise awareness of the virus, not to detail how to fix it.
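As an added example (not code from the original post), here is a small Python triage script that automates the two manual checks described above on a slaved drive: listing .EXE/.DLL/.DAT files modified recently, and spotting a text file that appears with identical content in many folders, the one-note-per-folder pattern. The note filename and the directory tree it builds are constructed stand-ins, not real Cryptowall artifacts.

```python
import hashlib
import os
import tempfile
import time
from collections import defaultdict

# Extensions the post says the infection leaves behind and the manual scan looked for.
SUSPECT_EXT = {".exe", ".dll", ".dat"}
NOTE_MAX_BYTES = 64 * 1024  # ransom notes are small text files; skip hashing big files

def triage(root, since_epoch, min_folders=3):
    """Walk a slaved (ideally read-only mounted) drive. Returns (recent, notes):
    recent = suspect-extension files modified at or after since_epoch;
    notes  = (filename, folder_count) for identical content found in >= min_folders dirs."""
    recent = []
    seen = defaultdict(set)  # (filename, sha256) -> directories containing it
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if os.path.splitext(name)[1].lower() in SUSPECT_EXT and st.st_mtime >= since_epoch:
                    recent.append(path)
                if st.st_size <= NOTE_MAX_BYTES:
                    with open(path, "rb") as fh:
                        seen[(name, hashlib.sha256(fh.read()).hexdigest())].add(dirpath)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
    notes = sorted((n, len(d)) for (n, _), d in seen.items() if len(d) >= min_folders)
    return sorted(recent), notes

def demo():
    """Build a constructed directory tree (no real malware artifacts) and triage it."""
    root = tempfile.mkdtemp()
    old = time.time() - 30 * 86400  # pretend this library was installed a month ago
    for folder in ("Documents", "Pictures", "Work", "Work/Invoices"):
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "report.docx"), "wb") as fh:
            fh.write(folder.encode())  # distinct content per folder: not flagged as a note
        with open(os.path.join(d, "HOW_TO_RESTORE.txt"), "w") as fh:  # placeholder note name
            fh.write("What happened to your files? (constructed stand-in for the note)\n")
    with open(os.path.join(root, "Work", "update.exe"), "wb") as fh:
        fh.write(b"constructed recently dropped executable")
    dll = os.path.join(root, "Documents", "legacy.dll")
    with open(dll, "wb") as fh:
        fh.write(b"constructed old library")
    os.utime(dll, (old, old))  # an old DLL should not show up as recent
    recent, notes = triage(root, since_epoch=time.time() - 7 * 86400)
    return [os.path.relpath(p, root) for p in recent], notes
```

Run `triage()` against the mount point of the slaved drive with a `since_epoch` a little before the infection; anything it reports still needs a look by hand before deletion.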

There are a few lessons here. First, do backups regularly! Use two external drives and alternate between them, either weekly or daily. Only attach them to the computer when actively performing the backup. Then detach. Also use an on-line backup. I recommend Carbonite because it’s so simple to use. But remember, your first line of defense is always your local backup.

Second, be very suspicious of any emails you are not expecting. In fact, be careful even with emails that you are expecting or that come from people you know. Never click on attachments except data files like .doc or .pdf files. This virus is carefully crafted to have no attachments, so it fools people who know better than to click on attachments. Be vigilant!

Note to Insomniacs: I hope this post wasn’t too exciting for you. A very serious side purpose of this blog is to put insomniacs to sleep. I’d feel terrible knowing I played a part in having actually kept you up instead.
