What is CryptoWall?

CryptoWall is a new type of Trojan Virus, designed as a copycat of another infection called CryptoLocker. These infections are a new breed of malware called Ransomware. The concept is that the infection will lock up and encrypt information and files that are critically important to you, preventing access to your data, and then try to hold your own data hostage until a ransom is paid. Cryptowall can be obtained via links or attachments in an email or a webpage, even one that looks like it came from someone that you know.  Once started, CryptoWall will automatically start encrypting all files on all drives that you have access to in alphabetical order.  Once the files are encrypted they cannot be decrypted without paying ransom to the creator of the Trojan.  This leaves you with only two options; pay the ransom or restore your files from backup.

Why did my Virus Scanner, SPAM Filter, or other security software not stop CryptoWall?

CryptoWall is what is known as a 0-day exploit.  It is so new that the security software you are running doesn’t know about it and therefore won’t block it.  Updates for all security software will be released that will prevent this Trojan from entering your environment, but until those updates are released, everybody is vulnerable.

Is there anything that can be done to protect me from a 0-day exploit?

Yes there are two things that can be done. The first is the education of all computer users. If something feels odd about an email or a website users should be encouraged to get it checked out. Secondly, these exploits are basically software, a program of some sort.  If you block all software/programs from coming into your environment, then you would be protected.  This would mean blocking all attachments in email and blocking the downloading of software via the Internet.  The business impact to your organization may be minimal or may be significant.  It varies from organization to organization.  AbleIT could assist your organization with an assessment that would determine the impact to your business with such solution and possible less drastic variants.

How can I tell what’s been encrypted?

CryptoWall nicely tells us this.  For every directory of files that has been encrypted, CryptoWall places 3 files in that directory:


What should I do first when I discover I have CryptoWall?

The first thing you need to do is stop the encryption.  The easiest way to do this is to shut down all client devices or sever the connection between the servers and the clients.  If you have a terminal server you will want to split that off your network as well.  At that point you can assess the damage and come up with a recovery plan. Call your IT support provider immediately and advise them of what has occurred. Time is of the essence to minimize impact and the cost of recovery.

How can I tell which machines on my network have CryptoWall?

The above “DECRYPT_INSTRUCTION” files will exist on the local workstation(s) that are infected as well as any servers that mapped drives are pointing to.  If you have an infected server, you can look at who owns the “DECRYPT_INSTRUCTION” files to identify the user that has CryptoWall on the workstation they are using.

How can I get my data back?

The obvious way is to pay the ransom.  In this case it is US$500 or €500.  You need to use a special internet browser called  TOR to arrange payment and payment must be made in BitCoins.  This makes tracing the culprit almost impossible.

The problem is even if you pay the ransom there is no guarantee you will get your data back.  Also paying the ransom encourages this sort of behaviour, and there will be more ransomware in the future.  Not paying the ransom is the best way to discourage this type of activity.  It is highly recommended NOT to pay the ransom.

Your other option is to look at the “DECRYPT_INSTRUCTION” files and find the one with the earliest creation date.  That will be the point in time which CryptoWall started.  You would then need to recover the files that have been encrypted from your last good backup that was completed before the date CryptoWall started encrypting files.