Nasty Computer Virus: File-Seizing Encryption Malware

There has been an increasing incidence of a very nasty piece of malware called CryptoWall, which is ultimately very costly to its victims because they are subjected to ransom demands. The Law Society of BC highlighted this in its Spring 2015 Benchers' Bulletin; this is a synopsis of that article. The malware is a threat to all enterprises and individuals, not just lawyers and law firms.

It is most typically spread by email, as an attachment, and by infected websites that pass on the virus (beware of casual "surfing" on work computers).

Once it is on a computer, it searches for and encrypts files (so that they are no longer accessible) located just about anywhere files can be found, including shared network drives, USB drives, external hard drives, and some cloud storage drives. The perpetrator starts out demanding a ransom (typically around $500 USD, or Bitcoin, which is an untraceable currency) and may increase the amount as the deadline for payment nears.

Once CryptoWall encrypts your files, there is no known way to decrypt them (short of paying the ransom and hoping to receive the private decryption key). Of course, if you have a backup that CryptoWall could not access, then you are OK; but apparently CryptoWall often invades most backups (a cloud backup service by the name of SpiderOak may be a successful barrier to the malware; you should do your own research).

While it is reasonably easy to remove the malware from your system using known tools, this does not affect the encrypted files: removal of the malware still leaves your files encrypted and unavailable to you. Even the best internet security and anti-virus software suites have not stopped this malware from infecting computers and systems. In spite of what these security suites may state on their websites, the malware has succeeded in attacking systems that were protected by Kaspersky, Microsoft Security Essentials, McAfee and others. Many security suites claim that they can remove the malware and, doubtless, many of them do. However, what they do not say is that removal of the malware does not decrypt the affected files. There is no reported reputable tool that breaks the encryption on the affected files.

The best way to deal with this malware is by taking preventive measures. Keep your operating system and software applications current and fully up to date. Do not allow peer-to-peer file sharing applications on your network. Disable autorun on your Windows computers for network drives and USB ports, and disable the automatic execution of macros. Be very careful about opening attachments to emails or other messages (including instant messages); note that email addresses, payment notices, invoices, photo-sharing notifications, etc. can be "spoofed," and an email can easily appear to be from someone or some organization that you would normally trust. In some cases, the malware has been an executable file masquerading as a PDF attachment to an email.
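As an added illustration of the last point (this is example code, not part of the original article or of any product it names), the check below compares an attachment's claimed type, taken from its file extension, with what its leading bytes actually say, and flags executables masquerading as PDFs, double extensions such as "scan.pdf.exe", and macro-capable Office documents. The file-signature table and the sample attachments are constructed for the example.

```python
"""Flag email attachments whose claimed type does not match their content."""

# Leading bytes ("magic numbers") of common attachment types (constructed table).
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",                 # DOS/Windows PE executable header
    b"PK\x03\x04": "zip",         # ZIP container, also .docx/.xlsx
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office (.doc/.xls), macro capable
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
MACRO_EXTS = {"doc", "xls", "dot", "docm", "xlsm"}
DOCUMENT_EXTS = {"pdf", "doc", "jpg", "txt"}


def content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons to quarantine an attachment; an empty list means none."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = content_type(data)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension (document name hiding the real type)")
    if actual == "exe" and ext != "exe":
        reasons.append(f"PE executable content but extension .{ext or '(none)'}")
    if ext == "pdf" and actual != "pdf":
        reasons.append(f"claims PDF but content is {actual}")
    if ext in MACRO_EXTS or actual == "ole":
        reasons.append("macro-capable Office document")
    return reasons


if __name__ == "__main__":
    # Constructed sample attachments: (name, first bytes of the file).
    samples = [
        ("Invoice_2015.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),  # genuine PDF
        ("Invoice_2015.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),      # PE named as PDF
        ("scan.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),          # double extension
        ("notice.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),      # legacy Office file
    ]
    for name, head in samples:
        verdict = classify_attachment(name, head) or ["ok"]
        print(f"{name:20} -> {'; '.join(verdict)}")
```

Checking the bytes rather than trusting the name is the point: the second sample has the same name as the first and would display with the same PDF icon in a mail client.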

If you receive what appears to be a questionable email, do not click on it. Forward it to your IT support (or computer consultant) and ask that they open it on a "sandboxed" computer (i.e., one that is isolated, so that the email and attachment can be safely examined without infecting your system or anyone else's).

Note that there has also been an increase in the spread of malicious macros (Adnel and Tarbir) that are similar to, though not quite as nasty as, CryptoWall, circulated by the same means noted above.