IMPORTANT: Crypto-Wall
– The virus can also be found on some websites and can infect a computer when a page is opened or an advanced service is selected (i.e. opening a page that requires a plug-in, or downloading a file).
– Once activated, CW searches for data files (Word, Excel, PowerPoint, among others) on the local computer AND the server. It then encrypts the files; you cannot open encrypted files without the password. The popup message displayed when you try to open a file asks for a ransom to be paid before the password is given. DO NOT ATTEMPT TO PAY THE RANSOM: payment is per-file, and there is no guarantee that CW will not encrypt the file again.
– The ONLY way to get rid of the virus is to:
- Re-format the infected computer and perform a fresh installation of the O/S, programs and CLEAN data files (from backup). In selected cases, advanced anti-virus software can remove the virus, but the most secure method is to re-format the computer drive.
- Restore infected server data files from a known CLEAN backup.
– What to do:
- If you suspect that the computer is infected, IMMEDIATELY TURN IT OFF AND DISCONNECT IT FROM THE NETWORK. If you do not know which computer is infected on the network, TURN THEM ALL OFF.
- IMMEDIATELY disable the next scheduled server backup to prevent a good backup from being overwritten by an infected one. Remove any backup media from the server backup system.
- Call your IT Support Provider for detailed procedures on how to recover from the CW infection.
– How to reduce your risk of becoming infected:
- To date, CW always arrives as an attachment. Thus do NOT open ANY Email attachment or website download from someone (or some website) you do not know or trust.
- Ensure that your Anti-Virus software is up to date on all computers. Many AV programs do not catch CW, but this is good general protection.
- Do NOT check personal or other Email accounts from Outlook or a web browser on a computer attached to the network. Currently, the Trinus Email filter blocks ZIP file attachments. Thus, if Trinus is providing Email Gateway services (most municipalities and corporations) and Email is checked through the normal settings in Outlook, CW ZIP files will be blocked. However, if users check other Email accounts (i.e. personal or non-filtered webmail such as Hotmail, Gmail, or Yahoo), CW ZIP files are NOT blocked or filtered.
- Install and configure a firewall with advanced dynamic content filtering to block malicious websites.
- Turn off computers that are not in use – especially after work hours.
- Limit permissions on server files by users and groups. CW can only encrypt files that it has access to through the infected computer’s user account.
- Reduce the use of mapped network drives (i.e. drive “S” on your local computer points to a shared network folder). CW makes extensive use of mapped drives to locate server data files.
- Limit the users who have access to the local computer or network (server) administrator account.
- Only use the server administrator account for server tasks that require it – and then log off that account.
- It is possible to implement more restrictive procedures on each computer, server, or network, such as real-time scanning of all files opened, modified or accessed, regardless of source, or blocking ALL file attachments at the local computer level. These may not be practical, as they impose a severe performance penalty on day-to-day work or make it difficult to perform common tasks.
- An article with more information can be found here: http://www.bitdefender.com/support/how-to-protect-from-cryptowall-1354.html.
– How to increase your chances of having a full recovery from CW:
- Ensure you have SOLID – RELIABLE – TESTED full backups of all of your important data (both server and local computer files). Correct any errors in backup routines immediately and rerun the backup.
- IMMEDIATELY remove backup media from the server or computer when a backup is complete. Rotating different media for different time periods (i.e. daily, weekly, or monthly) increases the chances that at least one of the backups is “clean”.
– What the future holds:
- It is VERY likely that the developers of CW will change its behavior to circumvent some of these preventative procedures; the current type of CW is “version 3.0”. For example, changing the file type to “doc” would circumvent ZIP file filters and make it more difficult to trap. They may also circumvent the current limitations of reaching only mapped drives, or only files the current user has permission to access.
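The ZIP-attachment filter described under “How to reduce your risk” and the file-type rename anticipated above can be shown side by side. The following Python is an added example, not Trinus's gateway filter: an extension-only rule that blocks `.zip` names, next to a content-aware rule that identifies an attachment by its leading bytes and then checks that the file name agrees with the content. All sample attachments are constructed inside the script (a harmless ZIP carrying an executable-looking member, a minimal Office Open XML container, and a legacy Office file header), and every function name is this example's own.

```python
"""Attachment screening: name-based vs content-based rules (added example).

The samples below are constructed here for illustration; they are not real
malware and this is not the filter run by any particular Email gateway.
"""
import io
import zipfile

# Leading bytes ("magic numbers") of common attachment container formats.
MAGIC = {
    b"PK\x03\x04": "zip",                          # ZIP archive (also OOXML .docx/.xlsx/.pptx)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy Office .doc/.xls/.ppt
    b"%PDF-": "pdf",
    b"MZ": "pe",                                    # Windows executable
}

OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx"}     # documents that really are ZIP containers
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}
BLOCKED_EXTENSIONS = {".zip"}


def sniff(data: bytes) -> str:
    """Identify the container format from the leading bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def extension_filter(filename: str) -> tuple[str, str]:
    """Name-only rule: block .zip. Defeated simply by renaming the attachment."""
    if extension_of(filename) in BLOCKED_EXTENSIONS:
        return "block", "extension is .zip"
    return "allow", "extension not on block list"


def is_ooxml(data: bytes) -> bool:
    """An Office Open XML file is a ZIP whose root holds [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def content_filter(filename: str, data: bytes) -> tuple[str, str]:
    """Content rule: decide on what the bytes are, then require the name to agree."""
    kind = sniff(data)
    ext = extension_of(filename)
    if kind == "pe":
        return "block", "executable content"
    if kind == "zip":
        if ext in OOXML_EXTENSIONS and is_ooxml(data):
            return "allow", "Office Open XML document"
        return "block", f"ZIP content behind extension {ext or '(none)'}"
    if ext in LEGACY_OFFICE_EXTENSIONS and kind != "ole2":
        return "block", f"{ext} name but {kind} content"
    return "allow", f"{kind} content consistent with name"


def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a ZIP with an executable-looking member under its true
# name and again renamed to look like a Word file, plus two genuine documents.
ARCHIVE = make_zip({"invoice.exe": b"MZ" + b"\x00" * 62})
OOXML_DOC = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
LEGACY_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504

SAMPLES = {
    "invoice.zip": ARCHIVE,
    "invoice.doc": ARCHIVE,   # the rename the post anticipates
    "report.doc": LEGACY_DOC,
    "report.docx": OOXML_DOC,
}


def screen_all() -> dict[str, tuple[str, str]]:
    """Run both rules over the samples: {name: (extension verdict, content verdict)}."""
    return {name: (extension_filter(name)[0], content_filter(name, data)[0])
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in screen_all().items():
        print(f"{name:13s} extension-filter={by_ext:5s} content-filter={by_content}")
```

Running it shows the point of the “What the future holds” section: the renamed archive `invoice.doc` passes the extension rule and is still caught by the content rule, while the genuine `.doc` and `.docx` documents pass both.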
Contact Trinus at 780-968-1333 if you have any questions or concerns, and immediately if you think you are infected with the Crypto-Wall virus.