RansomWare 2014 Important Information

November 5, 2014

Back in 2010 we told you about a type of infection known as ransomware. That name is a play on words combining ransom with malware (a generic term for malicious software like viruses, adware, etc.). In the early days, ransomware would hold your computer hostage, and it was a fairly simple task for us to get rid of it and return things to normal.

Recently, however, ransomware got MUCH WORSE. There’s a new criminal in town and its name is CryptoWall. CryptoWall stays quiet and hidden, silently encrypting all of your files in the background. You don’t know you have the infection until after it has finished encrypting all of your files. At that point, it pops up and tells you that if you want your files back, you’ll have to pay the ransom. Previous versions of ransomware encrypted files too, but they made two mistakes. One was showing themselves before all of the files were encrypted. The other was that the method they used to encrypt the files made it possible for us to retrieve at least some, if not all, of the files.

CryptoWall doesn’t suffer from those problems. What’s worse is the way CryptoWall is being spread. It’s coming in through advertisements. It’s coming in through email and phishing scams. Its creators have been very aggressive in spreading it. CryptoWall has taken down Police Departments, City Offices, Law Firms, and even knocked a TV station off the air.

With CryptoWall, the ransom starts at $500. You have 24 hours to pay that ransom. If you don’t pay it, then the ransom goes up to $1000 and you have another 24 hours to pay that. If you don’t pay it, the ransom goes up to $1500 and you have yet another 24 hours to pay it. If you don’t, the decryption key is destroyed and there is no way to decrypt your files. Further complicating things is the fact that you can only pay the ransom with bitcoins, which most people don’t have.

Most people think that they can call us and we can get their files back, but that’s not true. When files are encrypted the way CryptoWall does it, there are only two ways to get your files back. The best way is to restore them from backup. The only other way is by using a key (password) to decrypt them. And the only way to get that password is to pay the ransom. We don’t recommend paying the ransom to these thieves. It’s kind of like the policy of not negotiating with terrorists. But if you don’t have a backup and you have to have your files, your only option is to go ahead and pay the ransom.

We have had a couple of customers lose all of their files because they got hit with this infection and did not have a backup and didn’t want to pay the ransom.

As I am sure you have gathered, the moral of the story is to make sure you have a backup. But not just any backup will protect you against CryptoWall. Here’s why. Let’s say your files are all backed up. Now CryptoWall comes along and encrypts them. If your backup runs after that, it will think your files have been updated and will back them up again. But now it’s backing up the encrypted files. So if you restore the backup, you just get useless encrypted files back. That’s why your backup strategy should keep old versions of the same file.

Our recommended backup solutions, Carbonite (www.carbonite.com) for personal use and CrashPlan (www.code42.com) for businesses, both handle this situation just fine since they have the ability to restore older versions of the same file.

In addition to having a backup, you should also have the following:

  1. One of our recommended security applications. Keep it up-to-date and don’t let it expire.
    For more information, click here.
  2. Web of Trust (WOT).
    This is a browser add-on that helps keep you from going to infected websites. It puts colored circles next to search results. Green means safe, yellow means caution, red means danger. If you click on one with a red circle, it won’t stop you but just asks if you are sure you want to do that. To install, go to www.mywot.com. You’ll have to install it in each browser you use.
  3. AdBlock Plus
    This browser add-on blocks banner advertisements in websites. For more information, click here.

And lastly, be careful! Don’t click on links in an email you received. Don’t open an attachment in an email unless you are absolutely sure it’s safe. Be careful what websites you go to. If a website wants to install something, don’t do it. If a window pops up, don’t just click OK. Read it and if it doesn’t seem right, don’t click OK.

If you would like to sign up for Carbonite or CrashPlan, please contact us and we’ll take care of that for you.

How do you know if you have CryptoWall on your computer? You probably won’t know until all of your files are encrypted. Be on the lookout for a file called DECRYPT_INSTRUCTION. If you see that, shut your computer off and call us. Once CryptoWall has encrypted all of your files, it will display a ransom note that looks like this:


If you think your computer has CryptoWall, contact us for help.
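
The two points above, that a backup which runs after encryption overwrites good copies unless old versions are kept, and that a file called DECRYPT_INSTRUCTION is the warning sign, can be combined in a backup job. The Python below is an added example, not code from this post or from Carbonite or CrashPlan; the function names, the `.versions` folder layout, and matching the note name with any file extension are assumptions, and the backup destination is assumed to sit outside the folder being backed up.

```python
import hashlib
import os
import shutil

NOTE_STEM = "DECRYPT_INSTRUCTION"  # ransom-note file name given in the post


def find_ransom_notes(root):
    """Return sorted paths under root whose file name, minus extension, is NOTE_STEM."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Assumption: the note may carry any extension, so compare the stem only.
            if os.path.splitext(name)[0].upper() == NOTE_STEM:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def file_digest(path):
    """SHA-256 of a file's contents, used to tell whether it changed."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def versioned_backup(source, dest):
    """Back up source into dest, adding a new numbered version per changed file.

    Returns ("held", notes) and copies nothing if ransom notes are present;
    otherwise returns ("ok", paths_of_versions_written).
    """
    notes = find_ransom_notes(source)
    if notes:
        return "held", notes
    written = []
    for dirpath, _dirs, files in os.walk(source):
        for name in files:
            src = os.path.join(dirpath, name)
            # Hypothetical layout: dest/<relative path>.versions/v000001, v000002, ...
            vdir = os.path.join(dest, os.path.relpath(src, source) + ".versions")
            os.makedirs(vdir, exist_ok=True)
            versions = sorted(os.listdir(vdir))
            if versions and file_digest(os.path.join(vdir, versions[-1])) == file_digest(src):
                continue  # unchanged since the last version
            target = os.path.join(vdir, "v%06d" % (len(versions) + 1))
            shutil.copy2(src, target)  # older versions are never overwritten
            written.append(target)
    return "ok", written
```

If a backup runs while files are still being encrypted and no note exists yet, the encrypted file is stored as a new version and the earlier good version remains available to restore.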
