Emerging threat: CryptoWall


CryptoWall is a digital ransomware that encrypts files on the infected machine and any connected file shares or drives. CryptoWall is distributed through phishing emails, malicious advertisements, compromised web sites, and as fake updates for applications such as Adobe Reader, Adobe Flash, and Java. In June 2014, this malware spread through the RIG exploit kit. Malicious actors use compromised websites to host the RIG exploit kit, which then exploits vulnerabilities in Java, Silverlight, and Flash to deliver the CryptoWall payload to the victim. These vulnerabilities have all been patched, so maintaining up-to-date applications is vital to preventing successful exploitation.

Once the files are encrypted, CryptoWall displays a ransom notification. If the ransom is not paid within a specific timeframe, the ransom fee is doubled. Because the malware uses strong encryption, it is not feasible to decrypt the files without the key, which can only be obtained by paying a ransom. Open source reporting suggests that paying the ransom does not guarantee that the files will be restored. The only way to recover encrypted files without paying the ransom is to recover the files from off-box backups as all restore points on the machine are deleted by CryptoWall.

For more information, see http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99.

IACP Conference