The Crypto Virus and Dropbox.

Today I want to share with you some “useful” information about the famous Crypto Virus and how it becomes also more dangerous when you use Dropbox shared folders.

The facts.

Last week one of our customers called us in panic because all of their files on one PC, some on another computer, and a backup disk were gone. When we got there to check, we discovered that one of the PCs had been infected with the CryptoWall virus. All the files on that computer were encrypted, and the extension of each encrypted file had been changed to “.micro”. The bad thing is that Dropbox was installed on this computer, and one particular folder was shared with other computers. What the virus did was encrypt the files in the shared folder, and obviously, once Dropbox synchronized to the other devices, all of them got the same encrypted version of each file. Usually you can recover an old version of a file from Dropbox, but unfortunately, since the virus deletes the old file and creates a new, encrypted one, there is no version history for the file!

Dropbox also has a “recover deleted files” option, but unfortunately this didn’t work either.
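To see why per-file version history could not help in this case, here is an added example (not from the original post, nor from Dropbox) that builds a throwaway folder mimicking the scenario and triages it: the “.micro” extension comes from the post, while the folder layout, file names and the mass-encryption threshold are my assumptions.

```python
"""Added example (not from the original post): triage a Dropbox-style shared
folder after CryptoWall. A "<name>.micro" file with no "<name>" beside it
means the original was deleted and a new file written, so per-file version
history has nothing to roll back; only deleted-file recovery or an offline
backup can help. Threshold and folder layout are assumptions."""
import tempfile
from pathlib import Path

RANSOM_EXT = ".micro"   # extension observed in the post
MASS_THRESHOLD = 5      # assumption: this many hits in one scan = mass encryption


def scan_shared_folder(root):
    """Report every *.micro file below `root` and whether its original survives."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*" + RANSOM_EXT)):
        original = path.with_name(path.name[: -len(RANSOM_EXT)])
        hits.append({
            "encrypted": path.relative_to(root).as_posix(),
            "original": original.relative_to(root).as_posix(),
            "original_present": original.exists(),
        })
    deleted = [h["original"] for h in hits if not h["original_present"]]
    return {
        "hits": hits,
        "mass_encryption": len(hits) >= MASS_THRESHOLD,
        # version history only helps where the original path still exists
        "version_history_usable": [h["original"] for h in hits if h["original_present"]],
        "needs_deleted_file_recovery": deleted,
    }


def build_sample_folder():
    """Construct a throwaway folder mimicking the post: five documents replaced
    by <name>.micro with the originals gone, one document whose original is
    still present, and one untouched file. Returns the folder path."""
    shared = Path(tempfile.mkdtemp(prefix="dropbox_demo_")) / "Shared"
    shared.mkdir()
    for i in range(5):
        # original never written: "delete + create new" as the post describes
        (shared / f"invoice{i}.docx{RANSOM_EXT}").write_bytes(b"\x00ciphertext")
    (shared / "photo.jpg").write_bytes(b"\xff\xd8 jpeg")
    (shared / f"photo.jpg{RANSOM_EXT}").write_bytes(b"\x00ciphertext")
    (shared / "notes.txt").write_text("untouched")
    return str(shared.parent)
```

Run `scan_shared_folder(build_sample_folder())` to see the split: the five invoices land in `needs_deleted_file_recovery`, while `photo.jpg` is the only file where rolling back a version would work.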

The Virus

This virus hit Windows systems running Windows 8, 7, XP and Vista. Much like its predecessor, this malware takes over your system restricting access to your files and folders until you pay a ransom.


Victims of CryptoWall are given a deadline to pay a $500 (or in some cases $600) ransom or it doubles to $1,000. We’ve also seen the decryption price reportedly increase by 3 times. If victims don’t pay up before the new due date (shown with a count-down timer), victims lose their files for good. Once the key to decrypt their files is deleted, those files are rendered useless.

How CryptoWall Spreads

This strain of ransomware is distributed through a variety of sources, including phishing emails, fake application updates and malicious ads on legitimate sites.

Phishing Email

The virus is spread by getting users to click on a link within an email that is disguised as a fax or voicemail notification or a UPS shipment tracking notice. These emails often include a Dropbox link, a link to a .zip file or a shipment tracking link, with varying subject lines such as “Incoming Fax Report…”, “Voice message from …” or “UPS Exception Notification”, for example. Be on the lookout for these types of emails and immediately delete them from your system. Don’t think that just because the link is to Dropbox or comes from someone you know that you are safe. Dropbox is a popular file sharing service that many of us use (me included), but you need to be careful not to click on these links. It is known that cyber criminals are using Dropbox as their primary means of distributing the CryptoWall malware via email.

The infection

Once infected, an exploit kit called RIG (first reported by Kahu Security) is inserted onto the victim’s computer. The kit checks for unpatched versions of Java, Flash, IE or Silverlight. If the system is unpatched, it is immediately exploited, and requests are made to download CryptoWall. It has been reported to take up to 24 hours for CryptoWall to download and install onto your system once you have been infected, so you may have a small window of opportunity after infection.

How CryptoWall Works

CryptoWall encrypts your local files and demands that you pay a ransom to recover them using a unique private decryption key held on the cyber criminals’ servers. At the time of our research, there were no known tools or solutions to recover files encrypted with RSA-2048 without paying the ransom for the decryption key (stored on the CryptoWall command-and-control servers).

Once your files have been encrypted, you will receive a link to a TOR site (a hidden site reached through the Tor browser, which allows online anonymity). Cyber criminals use TOR sites to keep their identities hidden. You will be taken to a page that requires you to enter a CAPTCHA (where you are asked to type the letters of a distorted image) before presenting you with the ransom information.

CryptoWall Ransom

The ransom amount can vary (we have seen $500-$600), but if it is not paid by a specified time, it will double or even triple. You are asked to purchase special software called CryptoWall Decrypter, using bitcoin, which is supposed to allow you to decrypt your files.

CryptoWall uses Bitcoin

If the ransom is not paid, you can kiss your files goodbye. That being said, paying the ransom does not guarantee the restoration of your files, and by paying them, you are in essence supporting Cyber criminals. The fact that people are paying, further cements their belief that this type of business model works. It’s just something to think about. In my humble opinion, it’s better to be proactive than reactive on this one.

What can you do to prevent infections?

1.  Block Traffic from Known Fraudulent IP Addresses

It has been reported that there is a range of IP addresses owned and operated by criminal groups that hosts a high number of ransomware domains. As a result, the Multi-State Information Sharing & Analysis Center (MS-ISAC) recommends the following:

Block traffic to/from IP address: 146.185.220.0/23 at your network perimeter.
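Besides dropping the range at the firewall, it is worth checking past traffic for flows to or from it. The following is an added example (not from the original post or MS-ISAC) that screens firewall log lines against the 146.185.220.0/23 range quoted above; the key=value log format and the log lines themselves are constructed for the demo.

```python
"""Added example (not from the original post): check constructed firewall
log lines against the MS-ISAC range 146.185.220.0/23 and report any flow
whose source or destination falls inside it. Log format is an assumption."""
import ipaddress
import re

BLOCKED_RANGE = ipaddress.ip_network("146.185.220.0/23")  # range from the post

# Assumed key=value firewall log format; these lines are constructed for the demo.
# 146.185.222.1 sits just outside the /23 and must not be flagged.
SAMPLE_LOG = """\
2016-02-01T09:14:02 action=allow src=10.0.0.12 dst=146.185.221.40 dport=443
2016-02-01T09:14:05 action=allow src=10.0.0.12 dst=93.184.216.34 dport=443
2016-02-01T09:15:11 action=allow src=146.185.220.7 dst=10.0.0.25 dport=445
2016-02-01T09:15:30 action=allow src=10.0.0.30 dst=146.185.222.1 dport=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def in_blocked_range(ip):
    """True when the IPv4/IPv6 address string `ip` lies inside the blocked range."""
    return ipaddress.ip_address(ip) in BLOCKED_RANGE


def flag_flows(log_text):
    """Return (direction, line) pairs for lines whose src or dst is in the range.

    "to" marks outbound traffic into the range (possible beaconing or payload
    download), "from" marks inbound traffic originating there."""
    flagged = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "src" not in fields or "dst" not in fields:
            continue  # malformed line: skip rather than guess
        if in_blocked_range(fields["dst"]):
            flagged.append(("to", line))
        elif in_blocked_range(fields["src"]):
            flagged.append(("from", line))
    return flagged
```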

2.  Click with Care

Since we know that CryptoWall is spread through malicious ads, presented on well-known and reputable sites, be careful what you click on. Most advertisers are legitimate, but unfortunately there are users who are abusing the system, using it as a means to lead users to malicious sites for the purpose of hijacking their files for ransom. For that reason, practice common sense and don’t click on ads you are uncertain about.

3.  Use Anti-Virus and Anti-Malware Software

A word of advice, not all anti-virus software will protect you from malware. You may also need anti-malware software. Check with your provider to see if they are staying on top of the new strains of Crypto malware. Also, make sure your software definitions stay up to date, so as to ensure that you are protected against any new threats that pop up.

4.  Keep Regular Backups of Your Data

The ideal situation is to be proactive here. Plan ahead and keep regular backups of your data. That way, should you become a victim of CryptoWall, you can just remove the ransomware virus from your system and restore your files from your backup. NovaStor offers an affordable PC backup software solution that will allow you to set up automatic backups of your files, and create disaster recovery image backups.

5.  Don’t Click on Suspicious Emails

If you receive any suspicious email, check the sender of the email to verify the legitimacy of the email and don’t click on the link if you are uncertain. Specifically, stay away from emails that are disguised as faxes, voicemails, or even UPS (especially if you are not waiting for a shipment), as these are known sources for spreading CryptoWall malware.

6.  Keep Patches Updated

Since it is a known fact that RIG exploit kits target unpatched versions of Flash, Java and Silverlight, by all means keep these patched and up to date.

Good Luck!