Cryptowall Ransomware: What You Need to Know

Cryptowall is “ransomware” — malicious software that takes your data hostage in return for payment. Here are tips to avoid being infected with Cryptowall.

30 June 2014


What is Cryptowall?

Cryptowall is “ransomware” — malicious software that takes the data on your computer hostage. It then demands that a financial payment be made (a ransom) in order to regain access to the lost files. Once in place, Cryptowall encrypts a wide variety of file types on victims' computers before asking that a ransom be paid within a specified time period.

What type(s) of computer does Cryptowall target?

Cryptowall targets computers running Microsoft Windows. Macs are not affected.

How is Cryptowall spread?

Firstly, Cryptowall can be spread via malicious email campaigns. As Intralinks reported earlier this week, hackers have spammed out messages claiming to be an "Incoming Fax Report," which leads users to a Dropbox URL containing malware.


[Image: the "Incoming Fax Report" phishing email. Source: PhishMe]

Of course, the email doesn't have to claim to be a fax report. It could just as easily claim to be a failed DHL delivery, or a bogus notification of a credit card purchase you never made. Aside from this, however, Cryptowall has also successfully infected many users' computers through the use of malvertising, or poisoned Web advertisements.

Rather than infecting websites belonging to the likes of The Guardian, Disney and Facebook, the attackers target the third-party advertisements displayed on such sites to millions of users every day. Earlier this month, security researchers publicized how advertisements on some high-profile websites were leading users to third-party webpages poisoned by the hackers.

These third-party webpages would run the Rig exploit kit against visiting computers, checking whether the PC was running an exploitable version of Flash, Java or Silverlight. It would then exploit any such flaw to silently install malware onto the unsuspecting user's computer. In some cases, users might instead be duped by social engineering, which tricks them into believing they are installing a video plugin or an Adobe Flash update.

Will I see anything on my screen to tell me I've been hit by Cryptowall?

Only when it's too late. After your files have been encrypted, Cryptowall tells you that you need to pay up.

Is Cryptowall lying when it says I can't decrypt my files without paying?

I'm afraid not. You need the right key to decrypt your files, and the hackers behind Cryptowall aren't going to give it to you unless you pay up. Your only option is to pay or to restore your files from a clean, uninfected backup.

So I guess lots of people pay the ransom?

Not everyone, no.

For instance, earlier this month the town of Durham, N.H., went public about its police computers being hit by Cryptowall, which caused "widespread issues." Although the outbreak on Durham's police computer systems has caused disruption, the town plans to recover as much as possible from backups. "Make no mistake, the town of Durham will be paying no ransom," commented Town Manager Todd Selig.

Good for them.

Should you or shouldn't you pay the ransom?

There are many who don't like the idea of ransomware victims caving in to the demands of extortionists. They argue that it is only encouraging criminals to attack again and again, and there is clearly no guarantee that they will not target you again in the future — perhaps demanding even more money on the next occasion.

You should also ask yourself, if every affected company pays a ransom, isn't that just encouraging more hackers to launch copycat ransomware attacks?

Ultimately it's your decision — but remember there is no guarantee that, if you do pay, it will be the last you hear from the hackers.

Make sure you seek legal advice before making a definite decision on this one.

How can I avoid being infected?

Here are my tips to avoid having your computer infected with Cryptowall, or any other ransomware:

  • Protect your computer and reduce the chances of becoming infected by running up-to-date antivirus software and installing security patches. Reduce your attack surface by removing the likes of Java and Silverlight from your browser if you have no use for them. Additionally, be more cautious about the emails you open and consider running an ad blocker in your browser.

  • Consider setting a software restriction policy on your Windows PCs that prevents executables running from certain locations on your hard drive.

  • Make backups of your important data and keep them separate from your computer (to prevent malware like Cryptowall from encrypting your backups as well). That way, if the worst does happen, you should be able to restore your valuable data and not be forced to pay the crooks.
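One way to put the software restriction policy tip into practice, as an added example that is not from the original post: a PowerShell script that writes local Software Restriction Policy (SRP) path rules blocking executables in the user-writable folders that ransomware droppers typically run from. It assumes the SRP registry layout under Safer\CodeIdentifiers, that it is run as Administrator, and that no domain Group Policy already manages SRP on the machine; the blocked path patterns are my choice, not the author's.

```powershell
# Added illustrative example (not the original post's code): create a local
# Software Restriction Policy that blocks executables launched from the
# user-writable folders ransomware droppers commonly use. Run as Administrator.
# Assumption: SRP is not already managed by a Group Policy Object, which would
# overwrite these local settings on the next policy refresh.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level "Disallowed"
$Unrestricted = 0x40000   # SRP security level "Unrestricted"

# Policy-wide settings: everything runs by default (rules below carve out the
# blocked locations), the policy applies to all users including administrators
# (PolicyScope=0) and to executables but not DLLs (TransparentEnabled=1).
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value $Unrestricted
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1
Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0

# Path rules placed under the "Disallowed" level. These patterns are a
# constructed, typical set; adjust them to what your environment needs.
$BlockedPaths = @(
    '%AppData%\*.exe',          # where email-borne droppers are often unpacked
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%Temp%\*\*.exe'
)

foreach ($Pattern in $BlockedPaths) {
    # Each rule is a GUID-named subkey holding the path pattern (ItemData).
    $RuleKey = Join-Path "$Safer\$Disallowed\Paths" ([guid]::NewGuid().ToString('B'))
    New-Item -Path $RuleKey -Force | Out-Null
    Set-ItemProperty -Path $RuleKey -Name ItemData    -Type ExpandString -Value $Pattern
    Set-ItemProperty -Path $RuleKey -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $RuleKey -Name Description -Type String `
        -Value 'Block executables in user-writable folders (anti-ransomware)'
}

# Verify: list the path patterns now registered at the Disallowed level.
Get-ChildItem "$Safer\$Disallowed\Paths" |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

Test this on a non-production machine first: some legitimate programs install or update from %LocalAppData% and will need their own Unrestricted path rules added as exceptions.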

Is Cryptowall the same thing as CryptoLocker?

CryptoLocker is perhaps the most notorious piece of ransomware, but Cryptowall is catching up fast. At a high level they do the same thing, but there are some differences. Consider Cryptowall the latest imitator inspired by CryptoLocker's infamy and — sadly — there are likely to be more to come...

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.