The State of CryptoWall in 2018

Michael Buckbee
5 min read
Published June 1, 2018
Last updated May 9, 2022

CryptoWall and its variants are still favorite toys of the cybercriminals that want your Bitcoin. In fact, according to the 2018 Verizon Data Breach Investigation Report, ransomware incidents now make up about 40% of all reported malware incidents! Some reports say CryptoWall 3.0 has caused over 325 million dollars in damages since it first came on the scene.

CryptoWall first appeared in the wild around 2014: since then, cybercriminals have updated and iterated on it several times to make it even harder to detect and remove.

The CryptoWall virus is cheap and easy to use, spreads fast, and people continue to pay the ransom hoping to get their files back. (Tl;dr: Don’t.) It’s important to maintain constant vigilance to protect data from the CryptoWall virus and all its variants – along with all types of cyberattacks.

What is CryptoWall?

CryptoWall is a particularly nasty form of ransomware. It does much more than just encrypt your files and prompt you to pay for the key: it tries to hide inside the OS and adds itself to the Startup folder. Worse still, CryptoWall deletes volume shadow copies of your files – making it difficult (or in some cases impossible) to restore your data. And while it’s there, it’ll try to get your passwords and Bitcoin wallets for good measure.

CryptoWall 3.0 is by far the most lucrative version so far. It uses strong RSA-2048 encryption to lock your files and try to get you to pay the ransom.

CryptoWall v4 introduced a new feature to encrypt both the files and the filenames, meaning that you can’t simply look at the filename to check (and restore) if you have a backup. The ransom notes got a lot sassier as well, just to pour salt on the wound of your encrypted data.

CryptoWall v5.1 is the latest version and is based on the HiddenTear malware. It uses AES-256 encryption, which does not match the previous versions. It’s possible that the developers reused the CryptoWall name without any of the original code.

There are several variants of CryptoWall: CryptoDefense is one of those variants, for example. For the most part, you can treat them similarly.

How CryptoWall Works

There are several different methods to spread CryptoWall and infect devices:

  • Phishing Email: CryptoWall is most often triggered by the end user via a phishing email. Phishing emails try to trick users into clicking a link which downloads malware onto their computer.
  • Exploit Kits: The next most common attack vector is as part of an exploit kit, which takes advantage of security vulnerabilities to deploy the malware needed to execute the attack. Known vulnerabilities can be in the operating system, in applications you use, or in websites you visit, like WordPress.
  • Malicious Ads: Cybercriminals purchase or hack internet advertisements to deliver malware to you through your browser. Hacked ads often try to run JavaScript in your browser to download the malware without you noticing.

NOTE: Code injection is a common hacking technique, and it does not always have to take advantage of a bug or be malicious.

Once it’s on your computer, CryptoWall injects new code into explorer.exe (based on the version of Windows installed) and restarts explorer.exe. This special version of explorer.exe installs malware, deletes the volume shadow copies, disables Windows services, and spawns a new svchost.exe process with more injected modules.

If, for some reason, it fails to inject code into explorer.exe, CryptoWall will use svchost.exe to spawn a new explorer.exe it can inject the code into. This instance of svchost.exe is also responsible for network communication to home base, file encryption, and removing the malware once it’s finished.

CryptoWall installs itself into the registry and your startup folder: restarting won’t clear things up – if you don’t remove all of the CryptoWall software while you are in Safe Mode, it will start right back up when you log in again.

CryptoWall needs to communicate with a Command and Control (C&C) server to continue the ransomware attack. The C&C sends CryptoWall the encryption key that it will use to encrypt your files. CryptoWall then runs through all of your files, both locally and on any connected network shares, and encrypts your most personal data, for example your documents, presentations, code, music files, and pictures.

The encryption locks the contents of your files, and the only way to get them back is with the encryption key.
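As an added example (not code from the article or from Varonis), the following Python script turns the behaviours described above into detection rules and runs them over constructed process-creation events in a simplified Sysmon-like shape: shadow copy deletion, an svchost.exe that services.exe did not start, and a Run-key persistence entry. It assumes the shadow copies are removed with vssadmin.exe, which the article does not name; every event, path and value name is invented.

```python
import ntpath
import re

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# Invented for this example; not telemetry from the article.
SAMPLE_EVENTS = [
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    # What the article describes for a tampered explorer.exe: shadow copies
    # removed (assumed to be via vssadmin.exe) and a svchost.exe child that
    # services.exe did not start.
    {"pid": 1310, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1322, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe"},
    # Persistence through the per-user Run key (value name and path are made up).
    {"pid": 1330, "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\u\AppData\Roaming\upd.exe"},
]

SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'svchost.exe'."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the names of the rules an event trips (empty list if benign)."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    hits = []
    if image == "vssadmin.exe" and SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    # Genuine svchost.exe instances are started by services.exe; any other
    # parent is suspicious, and explorer.exe as parent is exactly the pattern above.
    if image == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unexpected_parent")
    if image == "reg.exe" and RUN_KEY.search(cmd):
        hits.append("run_key_persistence")
    return hits

def detect(events):
    """Map pid -> rule names for every event that trips at least one rule."""
    return {e["pid"]: hits for e in events if (hits := classify(e))}

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

In production these rules would run against an EDR or Sysmon feed rather than a list, and the svchost.exe parent check should be tuned for legitimate exceptions on your build.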

What CryptoWall Tells You to do

Once the encryption is complete, you’ll get a ransom note with instructions on how to make payment: often about $1000 worth of Bitcoin. After the ransom note is issued, the malware deletes itself.

The attackers might offer to decrypt a file or two for free to demonstrate good faith: don’t fall for it. There is no guarantee that you will get your files back: only 19% of users that pay the ransom get their files back.

How to Protect Against CryptoWall?

It’s unlikely that you’ll get your files back: in this case (and most ransomware cases), prevention is better than a cure.

Tips to prevent (or disarm) potential ransomware attacks:

  • Keep your computer patched and up to date
    • Malware uses known vulnerabilities in software to move to new computers. If you leave those vulnerabilities unpatched, you’re effectively leaving an open door for the cybercriminals to enter. If you keep the OS and all of your applications patched to the latest releases, you stand a better chance of avoiding malware infections.
  • Use an anti-virus scanner
    • Anti-virus solutions, when updated regularly, can protect you from several kinds of malware attacks. They quarantine known malware programs and prevent them from executing.
  • Use a firewall
    • A local firewall can block some of the connections that malware relies on, such as the connection to the Command and Control server. The CryptoWall ransomware, in particular, depends on a connection to home base to continue the attack. A local firewall may be able to stop the malware from making that connection, which kills the attack.
  • Don’t click the links
    • Don’t click links or download files from suspicious emails. If you click a malicious link or download a malicious file, you’re inviting the cybercriminal and their malware into your home.
  • Practice safe browsing habits
    • Make sure your browser is up to date, use the strongest encryption you can, and turn off ads and JavaScript by default. Be selective in what ads you allow to run – and make sure those are from trusted sources.
  • Back up your files
    • Always keep a backup copy of your files. A backup protects you from a hard drive failure as well as from ransomware. There are plenty of online cloud storage options of varying security levels and cost. You can also set up a local SAN or USB hard drive to back up your important files.

If CryptoWall slips past your defenses and infects your computer, remove CryptoWall before you use your computer again:

  1. Boot your computer into Safe Mode with Networking.
  2. If you have a recent and clean System Restore point, restore from it; if not:
  3. Download and install a malware removal application.
  4. Run the malware removal app and scan all of your files.

If you’re planning an enterprise-wide security strategy to protect against ransomware attacks, there are a few other items to consider on top of the end user items above.

Maintain a least privilege model: When you maintain a least privilege model, users only have access to the files absolutely necessary to do their job – and if hit by CryptoWall, the ransomware can only encrypt those files. By enforcing a least privilege model, you’re limiting the scope of the ransomware attack by a lot. And with a good backup plan, it’s a simple recovery process.
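As an added example (not from the article or from Varonis), this Python snippet puts a number on "limiting the scope" of an attack: it computes how many files an infection running under one account could reach through write access on a constructed set of shares, resolving nested group membership, and shows how narrowing a single over-broad grant shrinks that blast radius. All share names, groups and file counts are invented.

```python
# Constructed directory data: nested groups, share ACLs and file counts.
# Everything here is invented for the example.
GROUP_MEMBERS = {
    "Finance": ["alice", "Finance-Admins"],   # a group nested inside a group
    "Finance-Admins": ["bob"],
    "Everyone": ["alice", "bob", "carol"],
    "Engineering": ["carol"],
}
# share -> principals granted write access (what ransomware needs to encrypt)
SHARE_ACLS = {
    r"\\fs01\finance": {"Finance"},
    r"\\fs01\payroll": {"Finance-Admins"},
    r"\\fs01\public": {"Everyone"},
    r"\\fs01\source": {"Engineering"},
    r"\\fs01\legacy": {"Everyone"},   # the over-broad grant
}
FILES_PER_SHARE = {r"\\fs01\finance": 12_000, r"\\fs01\payroll": 3_000,
                   r"\\fs01\public": 800, r"\\fs01\source": 40_000, r"\\fs01\legacy": 250_000}

def effective_groups(user, members=GROUP_MEMBERS):
    """All groups a user belongs to, following nested membership transitively."""
    found, todo = set(), [user]
    while todo:
        principal = todo.pop()
        for group, entries in members.items():
            if principal in entries and group not in found:
                found.add(group)
                todo.append(group)   # the group may itself be a member elsewhere
    return found

def writable_shares(user, acls=SHARE_ACLS, members=GROUP_MEMBERS):
    """Shares the user can write to, directly or through any nested group."""
    principals = effective_groups(user, members) | {user}
    return {share for share, grantees in acls.items() if grantees & principals}

def blast_radius(user, acls=SHARE_ACLS, files=FILES_PER_SHARE, members=GROUP_MEMBERS):
    """Number of files an infection running as `user` could encrypt."""
    return sum(files[share] for share in writable_shares(user, acls, members))

def with_narrowed_grant(acls, share, grantee):
    """Copy of the ACLs with one share's grant replaced by a single principal."""
    fixed = {s: set(g) for s, g in acls.items()}
    fixed[share] = {grantee}
    return fixed

if __name__ == "__main__":
    fixed = with_narrowed_grant(SHARE_ACLS, r"\\fs01\legacy", "Finance-Admins")
    for user in ("alice", "bob", "carol"):
        print(user, blast_radius(user), "->", blast_radius(user, fixed))
```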

Leverage security analytics to protect your files from ransomware: Varonis monitors your enterprise data stores, mailboxes, proxies, DNS, and VPNs – with threat models specifically designed to catch ransomware attacks in progress.

A ransomware attack can be devastating to an organization: lost productivity, potentially leaked, stolen, or lost data, recovery fees and resources, and more. Get a custom demo to see how we can protect your valuable data and help stop CryptoWall infections.
