What is CryptoWall ransomware, and how can you prevent it?

What is CryptoWall ransomware?

Because of the several variants and newer versions of CryptoWall, security experts advise users to be on guard and take preventive measures to protect their systems or be prepared if the ransomware infects their computers.

How does CryptoWall operate?

CryptoWall infections work similarly to other ransomware, typically by spreading through spam and phishing emails, malicious ads, or anything containing a malicious link that can download CryptoWall to the victim’s computer. Some versions of CryptoWall can also use exploit kits to take advantage of security vulnerabilities in the Windows operating system, hacked websites, or other user applications to get inside computers.

Once inside, the infected computer communicates with a command and control server that sends an encryption key to infected systems. This starts CryptoWall’s encryption process by injecting new code into explorer.exe. This modified protocol then downloads malware, deletes your computer’s shadow volume copies, and starts a scvhost.exe process to download even more malware on your computer.

After CryptoWall encrypts your files, you’ll receive a ransom note asking for cryptocurrency payments to remove the malware from your system. Once the ransom payment has been sent, the attacker claims to unlock the encrypted files on your computer and deletes the ransomware from your infected computer.

Compared to most other types of ransomware attacks, CryptoWall is particularly difficult to deal with because it doesn’t stop at encrypting your files and demanding payment. It will actively integrate itself with your operating system (making it harder to remove), delete the volume shadow copies of your files (making file recovery difficult, if not impossible), and download malware that will search for stored passwords and/or cryptocurrencies in your system.

The evolution of CryptoWall ransomware

The first recorded attacks of CryptoWall were detected from around 2014 to 2015. It evolved from a different ransomware code called CryptoLocker, which was successfully detected in 2015. Attackers took the code and continued to refine it over the years, with every new version becoming better at evading security defenses and being more difficult to remove from infected systems.

Most security experts today believe that CryptoWall has become the ransomware of choice for many attackers since it does far more than just encrypt files. If the targeted victim has poor cybersecurity knowledge or is easily exploited, they may become ways for attackers to spread CryptoWall even further.

The different versions of CryptoWall

CryptoWall is one of the more persistent types of ransomware, and a significant reason why is that it’s continuously being upgraded to be better at infecting systems. Improvements include better ways to deliver its malicious payload to an end user, better communication with its command and control server, and increased aggressiveness in how it can spread.

As a result, there are now several versions of CryptoWall that can infect computers. Here’s a breakdown of their differences.

CryptoWall 2.0

The first version of CryptoWall used HTTP protocols to communicate with its command and control server, which meant it was vulnerable to research analysis. CryptoWall 2.0 stopped this method of network communication, which made it far more difficult for security companies to detect how it worked and figure out a counter once it made its way into a system.

This version also saw the first time CryptoWall could be delivered through malicious ads, which greatly increased its spread among end users. It also became far more effective at exploiting unpatched security vulnerabilities in computers, which made them an easy target for malware downloads.

CryptoWall 3.0

Cybercriminals refined CryptoWall 3.0 by having it use the I2P anonymity network to target users, making it even more difficult to detect and track. Not only would the command and control center use the TOR network to communicate with the infected computer, but it would give the attack another layer of privacy, which masked the identity of the attacker and made them more difficult to catch.

This version also saw the first attempts to “personalize” attacks depending on the end user. Notably, the ransom note was often sent in the language that the infected computer was using, which contributed to the lucrative returns attackers could gain from using this version.

CryptoWall 4.0

CryptoWall 4.0 upgraded its capability to evade detection from most antivirus and security software solutions and improved its encryption process to make it impossible to decrypt without the private key.

Version 4.0 also marks the first time that CryptoWall would target the user’s network drives to search for backup copies of data and destroy them. Combined with its capability to embed itself into the operating system and disable startup repair functionality, CryptoWall 4.0 would be one of the most devastating ransomware attacks a user could experience.

CryptoWall 5.0

The new version of CryptoWall uses code from another malware called HiddenTear, which is an open-source trojan detected as early as 2015. By using a different codebase, CryptoWall 5.0 now uses a different encryption type to lock files while also keeping all the communication improvements from previous versions.

Most security experts think that CryptoWall 5.0 could be an entirely new type of ransomware built with a new codebase, but just using the CryptoWall name. It and all the previous versions of CryptoWall only lend credence to the theory that newer versions of the ransomware will be released in the future, with each iteration getting more enhancements that will make it more difficult to deal with.

What impact does CryptoWall have on individuals and organizations?

Like any type of ransomware attack, a CryptoWall infection can have devastating consequences on individuals and organizations. Some of the impacts include:

Loss of data

If the user does not pay the ransom on time or the attacker decides to delete the encrypted files after being paid, data loss is one of the first consequences a successful CryptoWall infection may have. Given that the ransomware can not only encrypt your files but stay persistent on your computer even after booting it in safe mode or going through startup repair, you may face a huge loss in your data as long as the ransomware stays active on your system.

Because CryptoWall also deletes file backups, there will be no way to recover any file or data on your system if the attacker decides to simply delete it all. And even if you pay the ransom and CryptoWall is removed from your computer, there’s very little chance that previous versions of your data can still be salvaged from your system.

Data breach and privacy concerns

Ransomware like Cryptowall can be particularly damaging for businesses and organizations that handle user data because a successful attack can signal other criminal parties about the gaps in their cybersecurity. If any security gaps are left open even after resolving the initial ransomware attack, these businesses and organizations may be a more desirable target for other types of cyberattacks like a data breach, which will target sensitive and private information.

Such a data breach can cause significant losses for a business or organization because CryptoWall will affect not only their operational data but the data of their customers as well. This can cause prolonged service interruptions, potential leaks of confidential data to cybercriminals or to the general public if not properly secured, and a total loss of confidence in their data security capabilities.

Financial losses

If a user or an organization pays ransom, the financial losses from a CryptoWall infection can quickly increase. Depending on the size or significance of the data seized, users and businesses can see potential losses of a few thousand to millions of dollars.

Newer versions of CryptoWall are also far more sophisticated and can be personalized based on their targeted victim, which means that attackers have more leverage in deciding the terms of how the ransomware is removed from your computer. Even if you pay the ransom, the financial losses you incur may go far beyond the money you’ll be giving them due to the loss of time, access, and security with your compromised data.

How to prevent CryptoWall ransomware attacks

Despite the relative ubiquity of CryptoWall and ransomware attacks in general, there are some tried-and-tested solutions that you can use to prevent yourself from being infected. Some of these include:

Being conscious of email security

Ransomware and malware generally favor spreading through emails, since they’re one of the more trusted interactions by users online. Always be on the lookout for phishing emails, and never click links or download anything with suspicious file names over the internet. If you’ve received plenty of malicious emails lately, you may want to check if your email address has been compromised in another cyberattack and take the necessary steps to bolster its security.

Keep backups of your data

Since CryptoWall often goes after your system’s internal backups of your files, it’s best to always back up your data to an external storage unit like an external hard drive or cloud-based storage. This ensures that you will have a copy of your files if you fall victim to a ransomware attack, and you’ll be able to avoid paying the ransom entirely.

Integrate data encryption on multiple levels

Data encryption is one of the strongest protections against ransomware attacks. Since ransomware will only prevent you from accessing your data, data encryption – especially on your backups – is more likely to deter ransomware attackers from seeing or accessing your information. For the best possible results, implement data encryption on all the devices, networks, and endpoints you use for a more robust security approach.

Update your computer’s security protocols

Some versions of CryptoWall can exploit unpatched vulnerabilities in system software or applications, allowing them to infect your computer. By keeping your security software up to date and always downloading the latest security patches when they become available, you’ll be far less likely to fall victim to most malware and ransomware attacks.

Implement security solutions

Antivirus software and other similar security solutions can also help defend against CryptoWall and other potential malware and ransomware attacks. These security solutions must always be updated to keep pace with any latest version of CryptoWall that may be used to infect computers. They should be installed on all devices that face a high risk of attack because of the data they contain.

Should users just pay the ransom?

Given the difficulty that comes with removing ransomware like CryptoWall from an infected computer, you may ask yourself if it’s just less trouble to pay the ransom and have your encrypted files returned to you. However, most security experts advise against this for the following reasons:

1. There is no guarantee that the attacker will give you the encryption key needed to access your files after they’ve been paid.
2. Ransom payments only encourage attackers to keep up with the attacks in the future, potentially leaving you or your organization open to another attack.
3. There is also the risk that even after payment, cybercriminals may have installed software like keyloggers and other ways to access your systems after the ransomware has been removed.
4. Since most ransom payments are made in Bitcoin, it’s highly unlikely that you’ll be able to retrieve your money after it’s already been paid to them.

If you ever fall victim to CryptoWall (or any other ransomware), you must consider your data already lost unless you’ve taken steps to back it up on an external storage unit or taken other similar security precautions. Under no circumstances is it the best choice to pay the ransom for your infected computer – it simply encourages the attacker to mark you as a potential target for similar future attacks.

CryptoWall and ransomware attacks are preventable

Despite the damage they can cause, simply keeping a security strategy in mind and practicing safe browsing habits can be enough to keep you from the risk of being infected. By implementing the preventive measures discussed above, you can also leave yourself with options to recover if you do get infected by CryptoWall or any other ransomware.

Above all else, being aware of security risks like CryptoWall, ransomware, and other forms of malware can be the first step towards creating a better security strategy to deal with these risks in the long term. Proactively protecting your files and data is often the best solution to any cyberattack, not just ransomware.