July 2015 Newsletter
CryptoWall Malware is Back

By Mary Mays

Within the last month, we’ve seen an increase in CryptoWall 3.0 malware. CryptoWall 3.0 is a file-encrypting ransomware program that targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. When you are first infected with CryptoWall, it will scan your computer for data files and "encrypt" them using RSA encryption so they can no longer be opened. Once the infection has encrypted the files on your computer drives, it will open a Notepad window that contains instructions on how to access the CryptoWall Decryption Service, where you can pay a ransom to purchase a decryption program. The ransom starts at $500 USD and after 7 days goes up to $1,000. This ransom must be paid in Bitcoin and sent to a Bitcoin address that changes per infected user.

Following are signs of infection by the CryptoWall file-encrypting ransomware trojan program (or similar, related or copycat program) that targets Windows operating system machines:

•  All modules, tasks, and/or buttons are missing in the Sage 100 ERP Desktop

•  Tab and Enter keys do not work in task windows

•  Tab key will act as the Enter key when logging in or navigating tasks and panels

•  "Error #2: End-of-file on read or file full on write" when attempting to access Sage 100 ERP Advanced

•  Various files, such as Microsoft Office Word or Excel documents, Portable Document Format (*.PDF) files, or text (*.TXT) files, are also encrypted and cannot be opened. This includes the text files that Sage 100 ERP uses to display available modules, tasks, and toolbar buttons - which is the first sign users get that something is wrong. Attempts to open these files may show that they contain random characters instead of legible text.

CryptoWall is distributed via emails with ZIP attachments containing executables disguised as PDF files (they can also appear to be Word documents). These fake PDFs pretend to be resumes, invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will infect your computer with CryptoWall and install the malware files. Once infected, the installer starts to scan all of your computer's drives, including removable drives, network shares and even Dropbox mappings, for data files that it will encrypt.

When the infection has finished scanning your computer it will also delete all of the Shadow Volume Copies that are on the affected computer. It does this because you can potentially use shadow volume copies to restore your encrypted files. Now that your computer's data has been fully encrypted, it will display the DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files that were created on your Desktop. These files contain information about what has happened to your data and instructions on how to pay the ransom. In most cases, once CryptoWall launches this document it will remove the infection files from your computer as they are no longer necessary.
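A small triage script, added here as an example (it is not from the newsletter or from bleepingcomputer.com), that checks a directory tree for the two symptoms described above: the DECRYPT_INSTRUCTION.TXT / DECRYPT_INSTRUCTION.HTML ransom notes, and text files whose contents have been replaced by "random characters". It judges the second symptom by byte entropy, which only works for formats that are normally plain text; the sample files, directory names and threshold are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom note names that CryptoWall 3.0 drops on the Desktop (from the newsletter).
RANSOM_NOTES = {"DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML"}

# Only plain-text formats are judged by entropy. PDF, JPG and DOCX are already
# compressed (high entropy) when healthy, so they would produce false positives.
TEXT_EXTENSIONS = {".txt", ".ini", ".csv", ".log"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; English text sits around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str) -> dict:
    """Walk `root`; report ransom notes and text files whose content looks encrypted."""
    findings = {"ransom_notes": [], "likely_encrypted": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.upper() in RANSOM_NOTES:
            findings["ransom_notes"].append(str(path))
        elif path.suffix.lower() in TEXT_EXTENSIONS:
            data = path.read_bytes()[:65536]  # a 64 KiB sample is enough to judge
            if len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
                findings["likely_encrypted"].append(str(path))
    return findings


def demo() -> dict:
    """Constructed sample tree: one clean text file, one scrambled text file, one ransom note."""
    root = tempfile.mkdtemp(prefix="cw_triage_")
    desktop = Path(root, "Desktop")
    desktop.mkdir()
    Path(root, "modules.txt").write_text("Accounts Receivable\nGeneral Ledger\n" * 20)
    Path(root, "invoices.txt").write_bytes(os.urandom(4096))  # stands in for encrypted output
    (desktop / "DECRYPT_INSTRUCTION.TXT").write_text("Your files have been encrypted.")
    return triage(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against a user's profile or a file share to confirm a suspected infection before restoring from backup; a healthy machine should report nothing under either key.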

Unfortunately, at this time there is no way to retrieve the private key needed to decrypt your files without paying the ransom on the CryptoWall Decryption Service. Brute forcing the decryption key is not realistic due to the length of time required to break an RSA encryption key. Also, any decryption tools that have been released by various companies will not work with this infection. The only methods you have of restoring your files are from a backup, from file recovery tools, or, if you’re lucky, from Shadow Volume Copies. For Sage 100, paperless documents, parts of the workstation installation, log files, .txt files and .jpg files can be encrypted, while the actual Sage data files have not been encrypted. We still have to replace the encrypted files from a backup.

Make sure you have a solid backup strategy and that you are verifying it every day. As a proactive service to our clients, our IT staff has been reviewing all of our clients’ backups. We have been making calls to be sure that someone on your staff is aware of the backup procedure and is getting notifications for completions and/or failures.

Compiled from bleepingcomputer.com