Archive | December 4, 2015

Security: CryptoWall 4.0

Cryptolocker began circulating in 2013, with variants coming soon after. Designed to infect, encrypt and then ransom it has been shockingly effective. The typical infection vector of attack is phishing because the average user has proven to be susceptible to this type of attack.

These attacks begin with a zip file email attachment. Inside the zip is what appears to the user as a PDF/doc/text attachment, but this is actually the initial dropper. Once launched, this will silently drop an executable in a random temp or appdata. This will be what communicates to the command and control sever – which will then take information about your PC that’s already been gathered and then based on that info, drop the appropriate ransomware, pre-built for your PC environment.

The most significant change in CryptoWall 4.0 is that it now also encrypts the filenames of the encrypted files.  Each file will have its name changed to a unique encrypted. The filenames are  encrypted to make it more difficult to know what files need to be recovered.

We cannot stress enough how important managing email attachments is. At this point in time we recommend all clients regardless of size ensure there is more than a simple email policy in-place, that they have an active software based solution scanning their messages and limiting the exposure to mail based attacks.