Guest Column | December 3, 2015

CryptoWall 4.0 — What We Know And Why Your Clients Need BDR

By Mary McCoy, Marketing Specialist, Continuum

Yep, it’s back. According to researchers at Heimdal Security and Bitdefender, CryptoWall has returned, and version 4.0 — the latest release — is more aggravating than ever. Here’s what business owners need to know to educate their clients and technicians.

I stumbled across the announcement in this article written by Bleeping Computer’s editor, Lawrence Abrams. In his post, Abrams describes the features that make CryptoWall 4.0 your newest IT headache. So what sets this new version of ransomware apart?

What You Need to Know about CryptoWall 4.0

  • It Has A New Name. The new release is being called the help_your_files ransomware, after the HELP_YOUR_FILES ransom-note files it leaves alongside the data it encrypts. Translation: “We’re holding your files hostage. What are you gonna do about it?” Threat watchers spotted the resurgence of CryptoWall after examining multiple complaints from users who had never heard of this strain of ransomware. So if your technicians are fielding calls with the same questions, let them know what they’re dealing with. Also add a HELP_YOUR_FILES* pattern to the file screens on your clients’ file servers (FSRM on Windows Server) so that an attempt to write the note onto a share is refused and logged. Because version 4.0 randomizes the names of the files it encrypts, the note name is the one reliable filename you can screen for.
     
  • The Attack Vector Is Still Email. End users. When will they ever learn? Hacking schemes have certainly become more sophisticated over the years, yet it sometimes seems an attacker could include a malicious link with “DON’T CLICK THIS — IT’S INCREDIBLY PHISHY” anchor text in 72 pt. Comic Sans ... and people would still click it.

Yes, CryptoWall 4.0 keeps social engineering alive and well by continuing to use malicious email attachments as the trigger point. In analyzing samples, Bleeping Computer found the malicious attachments disguised as resumes inside zipped email attachments. In reality, they “were actually JavaScript files that when executed would download an executable, save it to the Windows %Temp% folder, and then execute it.” In other words, the attachment is not the ransomware itself but a small downloader script that Windows Script Host runs the moment a user double-clicks it, which is why a zip containing a .js file should never reach an inbox unchallenged. Tricky.

This is just another example of attackers exploiting the same user behavior. People have not learned and will not learn unless you teach them. Consider sending clients an email describing the top X ways attackers are targeting their inboxes and what NOT to do. Make sure to express the consequences in terms they’ll understand: dollars and cents. With ransomware, the cost is not just the ransom demanded for their locked data but the downtime while files are restored from backup, which is exactly why BDR matters.

  • Filenames Of Encrypted Files Are Now Encrypted. Now your clients won’t even know which files they’re locked out of. Filenames appear as a random jumble of letters and numbers, such as “2d8rm6.3a” and “7ahnw3c.2701u” (or, as it will feel to the user, LSKDFJLSDFJLSJ923293.ugh!). By scrambling the names as well as the contents, attackers are banking on increased frustration from their victims, which might make infected clients even more desperate to pay the bitcoin ransom ... before calling you. It also means you cannot tell from a directory listing what was hit, and you cannot rely on a known encrypted-file extension to spot the infection; the ransom note, the client’s own file inventory and your backups are what tell you what was lost. Act as their virtual chief information officer (vCIO) and teach your end users about ransomware before they get hit. And don’t just tell them, show them. Include screenshots of the encryption process. Browse our MSPedia article if you’re looking for a digestible, high-level overview of the state of cybercrime today to pass on to clients!

Above all else, stress that payment will not help them in the end. The more money these attackers make from these schemes, the more incentive they have to keep re-engineering and producing attacks. As Dark Reading’s post notes, citing the latest Cyber Threat Alliance figures, CryptoWall 3.0 has already extorted $325 million from tens of thousands of victims internationally. These criminals will keep collecting from your clients, funding future blackhat campaigns ... unless you step in.

  • CryptoWall 4.0 Behaves Like Previous Versions. Knowing how the malware behaves will always help your technicians address the issue more thoroughly. Nathan Scott, a malware analyst, programmer and ransomware fighter, found that the latest threat installs and communicates like previous CryptoWall editions. For a complete description of how CryptoWall talks to its command and control servers, the encryption it uses, what it does once it’s installed and more, read Bleeping Computer’s original article here.

CryptoWall 4.0 also handles decryption like its predecessors, using the same domain where victims make payments, check payment status, redeem one free decryption (how generous) and submit support tickets.

  • The New Ransom Note Adds Insult to Injury. OK, maybe this isn’t something you need to know, but the new language is certainly provoking a lot of anger and impulsive behavior. Dripping with smugness, the CryptoWall 4.0 ransom message takes pleasure in the fact that victims are locked out and even congratulates them on joining the CryptoWall community. Among a slew of taunting phrases, attackers are hitting your clients with lines like:

The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. 

Together we make the Internet a better and safer place.

The attackers are so considerate, aren’t they? They’re definitely looking out for your clients by making them pay for their own company’s intellectual property and then threatening complete file corruption should the victim try to restore files with third-party tools. Somebody’s getting a card this holiday season!

What you should take away from this as business owners, however, is that the new ransom message is longer and more subtle than before. Put yourself in your users’ position, and assume you’ve never heard of CryptoWall, CryptoLocker or any other ransomware. Faced with a wall of text, you may just skim and see phrases like “purchase the software package,” which sounds legitimate. Again, this is textbook social engineering: attempting to gain trust by posing as a credible source. Your users may be more likely to fall for this wording than for the cruder notes of earlier CryptoWall versions.

  • Your Peers And Antivirus Vendors Are Some Of Your Best Support Resources. If you’re a member of the Spiceworks online IT community, I highly recommend you follow this ongoing conversation about the latest CryptoWall 4.0 developments! IT professionals and vendors like Webroot antivirus are sharing best practices for ransomware prevention.
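The file-screening advice in the first bullet above, worked through as an added example that is not part of the original post or of any vendor’s tooling. It uses the File Server Resource Manager (FSRM) cmdlets that ship with Windows Server 2012 and later; the share path D:\Shares, the file-group name and the screen name are assumptions for illustration.

```powershell
# Added example (not from the original post): block and alert on the CryptoWall 4.0
# ransom-note filename with FSRM file screening.
# Assumes Windows Server 2012+ with the FS-Resource-Manager feature installed.
# D:\Shares and the group/screen names are assumptions. Run from an elevated prompt.

Import-Module FileServerResourceManager

$sharePath = 'D:\Shares'                      # assumed root of the shares to protect
$groupName = 'Ransomware Notes'               # assumed FSRM file-group name

# Patterns FSRM treats as a match. HELP_YOUR_FILES* covers the 4.0 note in its
# .txt/.html/.png variants; HELP_DECRYPT* is the note name CryptoWall 3.0 used,
# kept so one screen covers both releases. Matching is case-insensitive.
$patterns = @('HELP_YOUR_FILES*', 'HELP_DECRYPT*')

if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns
}

# Action taken when a screened name is written: an entry in the Application event
# log (source SRMSVC) that an RMM or SIEM agent can alert on. The bracketed tokens
# are FSRM's own macros and are filled in at event time.
$eventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'Ransomware indicator: [Source Io Owner] wrote [Source File Path] on [Server]. ' +
    'Disconnect that user session and check the share for encrypted files.')

# Active screen: the write is refused, not just logged. On a busy share create it
# with -Active:$false first and review the events before enforcing.
if (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Active -Notification $eventAction
} else {
    New-FsrmFileScreen -Path $sharePath -IncludeGroup $groupName -Active -Notification $eventAction
}

# Verify what is now enforced on the path
Get-FsrmFileScreen -Path $sharePath | Format-List Path, IncludeGroup, Active
```

Treat a hit as an early warning rather than prevention: the screen stops the note from being written onto the share and tells you which account and machine did it, but the 4.0 encrypted files themselves carry random names that match no pattern, so the response is still to isolate that workstation and restore the share from backup.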
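The delivery pattern described under the attack-vector bullet above (a zipped “resume” that is really a JavaScript downloader), turned into a mail-gateway style check as an added example that is not from the original post or from Bleeping Computer’s analysis. It opens a zip attachment and flags entries Windows would execute on double-click, including the double-extension lure; the sample archive is constructed inside the script from inert text (no real script), and the path under $env:TEMP is an assumption.

```powershell
# Added example (not from the original post): flag zip attachments that carry
# script or executable content, the CryptoWall 4.0 delivery method described above.
# Uses only .NET's System.IO.Compression; the sample archive is constructed here so
# the script runs offline. The temp path is an assumption.

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions that Windows Script Host or the shell will run when double-clicked.
$scriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta',
                      '.exe', '.scr', '.cmd', '.bat', '.ps1', '.lnk')

function Test-SuspiciousArchive {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }          # directory entry, nothing to run
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($scriptExtensions -contains $ext) {
                $reason = "executable content ($ext)"
                # "resume.doc.js" style names hide the real extension behind a document one
                if (($entry.Name -split '\.').Count -gt 2) { $reason += ', double extension' }
                $findings += [pscustomobject]@{ Entry = $entry.FullName; Reason = $reason }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# --- constructed sample: a "resume" zip carrying a JScript-named file (inert text) ---
$sample = Join-Path $env:TEMP 'resume_sample.zip'
if (Test-Path $sample) { Remove-Item $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    foreach ($name in 'resume.doc.js', 'cover_letter.txt') {
        $writer = New-Object -TypeName System.IO.StreamWriter -ArgumentList ($archive.CreateEntry($name).Open())
        $writer.Write('placeholder text, not a real script')   # keeps the sample harmless
        $writer.Dispose()                                     # also closes the entry stream
    }
} finally {
    $archive.Dispose()
}

$hits = Test-SuspiciousArchive -Path $sample
if ($hits) {
    Write-Warning "Quarantine $sample"
    $hits | Format-Table -AutoSize        # resume.doc.js is reported; cover_letter.txt is not
} else {
    Write-Output "$sample contains no executable content"
}
```

Run this at the gateway or give it to the helpdesk for a saved attachment. It complements, rather than replaces, the workstation hardening of re-associating .js, .jse and .wsf with Notepad, so that a user who does extract and double-click the file sees a text window instead of a running downloader.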

Read Mary McCoy’s original blog post and comments at http://blog.continuum.net/cryptowall-4.0-what-we-know-why-your-clients-need-bdr