Cryptowall 3, the latest incarnation of the Crowti family (Cryptolocker etc.) of blackmail-based malware, appears to be rampant at the moment. Its delivery method varies a little, but mostly it arrives in your inbox as a zip attachment, claiming to be an invoice or a CV. As we have seen, people seem to be very poor at recognising malevolent emails, so the criminals responsible for this little nasty are doing very well indeed.
If you open the attachment, nothing appears to happen, so the victim closes the email and continues with their day. Unfortunately, in the background, much is going on. The details can be found here, but in summary, a small amount of code contacts a Command & Control server and begins to assemble the malware on your PC. After it’s complete, it then looks for all drives on your system – including mapped network drives – and starts encrypting all your files.
Only when it completes its nefarious task does it throw a message up on your screen, before deleting itself. This is a very good argument for not leaving your PCs on all night – if this occurs during the day, you may notice files that have become unusable and be able to mitigate the damage early. In the morning, it’s too late.
If you don’t have a backup, your *only* option is to pay the ransom. This is payable in Bitcoins, which are a pain in the neck to purchase for the first time and subsequently transfer to the ne’er-do-wells. So be prepared to be without your data for several days. Once you have got Bitcoins and paid the ransom, your key will be provided and you can decrypt your data. This may take many, many hours if you have a lot of files!
So – what can you do?
Firstly, block all zip attachments at your mail server – there are very few legitimate reasons to email zipped files these days, so it shouldn’t have any impact on your business. If you can’t do that, just delete the emails when they arrive.
Be wary of *all* attachments – .doc, .pdf, .dot, .xlm, .xls especially – and untick the option in Windows Explorer that says “Hide extensions for known file types”; this will allow you to see the true extension of an attachment and not a fake one.
Make sure you keep Flash, Java and Silverlight patched as these are exploited by Cryptowall and others.
Have a backup.
Definitely have a backup!
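The two attachment checks suggested above (flag every zip, and judge a file by its true last extension rather than a fake one) can be automated at the mail gateway. The following is an added example, not part of the original post: the extension lists are assumptions to adapt to your own policy, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists: extensions Windows runs on double-click, and the
# document-looking extensions used as the fake half of a double extension.
RISKY = {".exe", ".scr", ".js", ".vbs", ".wsf", ".com", ".pif", ".bat", ".cmd"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}

def name_reasons(name):
    """Reasons a file name is suspicious, judged on its true (last) extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
    exts = ["." + p.strip() for p in base.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in RISKY:
        reasons.append("runnable extension " + exts[-1])
        if len(exts) > 1 and exts[-2] in DECOY:
            reasons.append("decoy extension " + exts[-2])
    return reasons

def scan_message(raw):
    """Return (attachment, zip member or None, reason) for one raw message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings += [(fname, None, r) for r in name_reasons(fname)]
        if data[:4] == b"PK\x03\x04":  # zip magic bytes, whatever the name says
            findings.append((fname, None, "zip attachment"))
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        findings += [(fname, member, r) for r in name_reasons(member)]
            except zipfile.BadZipFile:
                findings.append((fname, None, "unreadable zip"))
    return findings

def sample_message():
    """Constructed sample: an 'invoice' zip holding a double-extension file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2015.pdf.exe", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Invoice", "a@example.com", "b@example.com"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()
```

Any non-empty result from `scan_message` is grounds to quarantine the message; the zip is detected by its leading bytes, so renaming the attachment does not hide it.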