Trojan Cryptowall - The most harmful Malcode: precautions, actions and removal
Cryptowall is a Trojan horse that is not identical to classic ransomware but behaves in the same way: it is a file-encrypting ransomware program, first released around the end of April 2014. Trojan CryptoWall targets all versions of Windows (Windows XP, Windows Vista, Windows 7 and Windows 8). In addition to Windows, it also targets tablets and smartphones. The media commonly confuses CryptoWall with the CryptoLocker infection; in fact it is more similar to the CryptoDefense ransomware, the most apparent similarity being that CryptoWall's Decryption Service is almost identical to the one for CryptoDefense. More details are available in Symantec's CryptoWall write-up.
Soon after your computer is infected, Trojan CryptoWall performs a thorough scan of it, makes copies of all data files, encrypts the copies using RSA encryption and deletes the originals, so the files can no longer be opened. After it has encrypted the files on your computer it opens a Notepad window containing instructions on how to access the CryptoWall Decryption Service and pay the ransom to purchase a CryptoWall decryption tool. The ransom costs anything between $500 and $1500. It goes up by 1.5 times if you do not pay within 5 days, and it goes to the maximum ($1500) if you do not pay within the next 24 hours. The payment destination is a Bitcoin address that changes for each infected user, and the ransom has to be paid in an e-currency, Bitcoins.
How Trojan Cryptowall comes to your Computer.
1. CryptoWall is distributed via emails with ZIP attachments. These attachments contain executable files which are disguised as PDF files and pretend to be invoices, purchase orders, bills, complaints, or other documents related to some business.
2. When you double-click the fake PDF, instead of opening it will execute automatically and infect your computer with the Trojan CryptoWall.
3. It installs its malware files in either the %AppData% or the %Temp% folder.
4. Once installed, the infection starts to scan your computer's drives for data files and encrypts them all.
5. The infection scans all your drives, not only your hard disk but also removable storage, network shares, and even DropBox mappings.
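The delivery pattern described in steps 1 and 2 (an executable inside a ZIP attachment, named to look like a PDF) can be checked for before anyone double-clicks. The following PowerShell function is an added example written for this page, not code from the original post or from any vendor; it opens a ZIP, flags entries with executable or document-style double extensions, and reads the first two bytes of each entry to spot a Windows executable (PE files start with "MZ") whatever the file name claims. The sample ZIP it builds in a temp folder is constructed here so the script runs offline.

```powershell
# Added example (not from the original post): inspect a ZIP attachment for
# executables disguised as documents, the CryptoWall delivery pattern above.
# A sample ZIP is constructed in a temp folder so the function can be exercised
# without a real attachment.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SuspiciousZipAttachment {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Extensions that run as code when double-clicked.
    $executableExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs')
    $documentExt   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx')
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }   # directory entry, nothing to inspect
            $name = $entry.Name
            $ext  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
            $reasons = @()

            # "invoice.pdf.exe" style: looks like a document, runs as a program.
            if ($executableExt -contains $ext) {
                $reasons += "executable extension '$ext'"
                $inner = [System.IO.Path]::GetExtension(
                            [System.IO.Path]::GetFileNameWithoutExtension($name)).ToLowerInvariant()
                if ($documentExt -contains $inner) {
                    $reasons += "document-looking double extension '$inner$ext'"
                }
            }

            # Windows executables start with the bytes "MZ" regardless of name.
            $stream = $entry.Open()
            try {
                $magic = New-Object byte[] 2
                $read  = $stream.Read($magic, 0, 2)
                if ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A) {
                    $reasons += 'content starts with a PE header (MZ)'
                }
            } finally { $stream.Dispose() }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Entry   = $entry.FullName
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# --- Constructed sample: a ZIP holding a fake "invoice.pdf.exe" and a harmless text file ---
$work = Join-Path ([System.IO.Path]::GetTempPath()) ("cw-demo-" + [guid]::NewGuid())
$src  = Join-Path $work 'attachment'
New-Item -ItemType Directory -Path $src | Out-Null
# Fake PE: only the MZ magic followed by zero padding, not a real program.
$fakePe = New-Object byte[] 64
$fakePe[0] = 0x4D; $fakePe[1] = 0x5A
[System.IO.File]::WriteAllBytes((Join-Path $src 'invoice.pdf.exe'), $fakePe)
Set-Content -Path (Join-Path $src 'readme.txt') -Value 'plain text, not executable'
$zipPath = Join-Path $work 'attachment.zip'
[System.IO.Compression.ZipFile]::CreateFromDirectory($src, $zipPath)

# invoice.pdf.exe is reported on all three counts; readme.txt is not reported.
Test-SuspiciousZipAttachment -Path $zipPath | Format-Table -AutoSize
Remove-Item -Recurse -Force $work
```

Run it in any Windows PowerShell 5.1 or PowerShell 7 session. The extension lists are a starting point, not a complete catalogue; mail-gateway filtering and showing file extensions in Explorer complement this check rather than replace it.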
How does Trojan Cryptowall work
(1) You will not be able to access some of your documents, photos, videos and other files.
(2) Trojan Cryptowall encrypts the files on the infected PC.
(3) After encryption the user receives a message saying that the files have been encrypted and that the ransom (any amount between $500 and $1000) has to be paid to get them back.
(4) Your files may not be restored even if you pay the ransom.
(5) To make the payment you will be asked to download a browser called Tor, developed specially for this purpose, which helps the cyber criminals stay anonymous.
(6) The money is paid in an online currency, Bitcoins, which the cyber criminals use because it lets them stay untraceable.
(7) By paying you get nothing except the loss of your hard-earned money, and you may disclose sensitive information that leads to even more financial losses.
Precautions against Trojan CryptoWall
(1) Always keep a backup of your data and files.
(2) Never click an attachment to an email received from an unknown source.
(3) Never click a link in an email received from an unknown source.
(4) Never open a suspicious email.
(5) Always keep your data and files saved on a network drive.
(6) If data files on network shares are not mapped as a drive letter, CryptoWall will not encrypt any files on that network share. Secure all open shares by allowing writable access only to the necessary user groups or authenticated users. This is an important security principle that should be followed at all times, regardless of infections like CryptoWall.
(7) You can use the Windows Group Policy or Local Policy Editor to create Software Restriction Policies that block executable files from running. For more information on how to configure Software Restriction Policies, see the related articles from Microsoft.
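Precautions (6) and (7) can both be checked and applied from an elevated PowerShell prompt. The script below is an added example written for this page, not Microsoft's tooling or the original post's code. Get-OpenWritableShare lists SMB shares where broad groups such as Everyone can change files, using the Get-SmbShare and Get-SmbShareAccess cmdlets available on Windows 8 / Server 2012 and later. Add-SaferPathRule writes Software Restriction Policy "Disallowed" path rules under the documented local-policy registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers) for the %AppData% and %Temp% folders named in step 3 of the distribution section. The assumption that %Temp% resolves to %LocalAppData%\Temp, the path patterns and the rule description text are choices made for this example.

```powershell
# Added example (not from the original post, not Microsoft tooling): two
# hardening steps matching precautions (6) and (7). Run elevated.

function Get-OpenWritableShare {
    # Share permissions that let everyone change or delete files give an
    # infected workstation a path to every file on the share.
    $broadGroups = @('Everyone', 'BUILTIN\Users')
    Get-SmbShare |
        Where-Object { $_.Name -notmatch '\$$' } |          # skip admin shares (C$, ADMIN$, IPC$)
        ForEach-Object {
            Get-SmbShareAccess -Name $_.Name |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.AccessRight -in 'Change', 'Full' -and
                    $broadGroups -contains $_.AccountName
                }
        } | Select-Object Name, AccountName, AccessRight
}

function Add-SaferPathRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$PathPattern,
        [string]$Description = 'Block executables launched from user-writable folders (example rule)'
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    # Security levels: 0 = Disallowed, 0x40000 (262144) = Unrestricted.
    $disallowedPaths = Join-Path $base '0\Paths'

    if (-not (Test-Path $base)) {
        New-Item -Path $base -Force | Out-Null
        # Default level Unrestricted, enforce on all files except DLLs (1), apply to all users (0).
        New-ItemProperty -Path $base -Name DefaultLevel       -PropertyType DWord -Value 0x40000 -Force | Out-Null
        New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1       -Force | Out-Null
        New-ItemProperty -Path $base -Name PolicyScope        -PropertyType DWord -Value 0       -Force | Out-Null
    }
    New-Item -Path $disallowedPaths -Force | Out-Null

    foreach ($pattern in $PathPattern) {
        # Each rule lives in its own GUID-named key holding the path and flags.
        $ruleKey = Join-Path $disallowedPaths ([guid]::NewGuid().ToString('B'))
        if ($PSCmdlet.ShouldProcess($pattern, 'Add Disallowed SRP path rule')) {
            New-Item -Path $ruleKey -Force | Out-Null
            New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value $pattern      -Force | Out-Null
            New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0             -Force | Out-Null
            New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value $Description  -Force | Out-Null
        }
    }
}

# 1. Report shares that broad groups can write to.
Get-OpenWritableShare | Format-Table -AutoSize

# 2. Block execution from the folders CryptoWall installs into.
#    %Temp% is assumed to resolve to %LocalAppData%\Temp (the Windows default).
$patterns = '%AppData%\*.exe',
            '%AppData%\*\*.exe',
            '%LocalAppData%\Temp\*.exe',
            '%LocalAppData%\Temp\*\*.exe'
# -WhatIf prints what would be written; drop it to apply the rules.
Add-SaferPathRule -PathPattern $patterns -WhatIf
```

After writing the rules for real, run gpupdate /force (or reboot) and confirm that legitimate installers and updaters still start before pushing the same rules out by Group Policy; some applications run from %AppData% and need an explicit exception.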
Possible ways to restore files and data encrypted by Trojan CryptoWall
First of all you should remove Cryptowall from your system with the help of reliable antivirus software before you try to restore your files; otherwise Cryptowall will encrypt them again. If your files have been encrypted and you are not going to pay the ransom, there are a few methods you can try to restore your files.
(1) Restore from a recent backup - If you have been performing backups, the first and foremost way is to restore your data from a recent backup.
(2) Restoring files if you don't have a backup - If you do not have a backup, you can try to locate the RSA key. The RSA key may be stored on your system as a .cert, .crt or .pfx file. You should search for these files on your computer.
You can try this:
- Go to Control Panel
- Click User Accounts and Family Safety
- Click User Accounts
- Click Manage your file encryption certificates
- Click Next
- Check Use this certificate and pick the certificate
- Select the certificate and then click Next
- Click Back up the certificate and key later
- Click Next
- Click All logical drives, then click Next.
(3) Use file recovery software - CryptoWall first copies a file, encrypts the copy and then deletes the original file, so there is a chance of regaining the data using file recovery software. It is important to note that the more you use your computer after the encryption, the more difficult it will be for file recovery programs to recover the deleted unencrypted files, as some of them may be overwritten.
(4) Recovering Shadow Volume Copies - CryptoWall always attempts to delete any Shadow Volume Copies on your computer, but sometimes it fails to do so, and if you are lucky you can use them to restore your files.
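Method (4) depends on whether any snapshots survived, so the first step is an inventory. The PowerShell below is an added example for this page, not code from the original post: it lists shadow copies through the Win32_ShadowCopy class, maps each one back to a drive letter through Win32_Volume, exposes a chosen snapshot as a directory symbolic link (mklink is used because it accepts the \\?\GLOBALROOT device path), and copies files out of it. The link path C:\shadow-view, the folder Users\alice\Documents and the destination D:\recovered are placeholders chosen for the example. Run it elevated, and only after the infection has been removed as the text above requires, or the recovered files are encrypted again.

```powershell
# Added example (not from the original post): find surviving Volume Shadow
# Copies and copy pre-encryption files out of one. Run elevated on a cleaned machine.

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy lists snapshots; Win32_Volume maps the snapshot's volume
    # GUID back to a drive letter so you know which disk it belongs to.
    $volumes = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter }
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        $sc  = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName } | Select-Object -First 1
        [pscustomobject]@{
            Id           = $sc.ID
            Drive        = if ($vol) { $vol.DriveLetter } else { $sc.VolumeName }
            Created      = $sc.InstallDate
            DeviceObject = $sc.DeviceObject      # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Drive, Created
}

function Mount-ShadowCopyView {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [Parameter(Mandatory)][string]$LinkPath      # placeholder, e.g. C:\shadow-view
    )
    if (Test-Path $LinkPath) { throw "$LinkPath already exists; choose an unused path." }
    # Hand the paths to cmd.exe through environment variables and the --%
    # stop-parsing token so spaces and the required trailing backslash survive intact.
    $env:CW_LINK = $LinkPath
    $env:CW_DEV  = $DeviceObject
    cmd.exe --% /c mklink /d "%CW_LINK%" "%CW_DEV%\"
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    Get-Item $LinkPath
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$LinkPath,      # view created by Mount-ShadowCopyView
        [Parameter(Mandatory)][string]$RelativePath,  # placeholder, e.g. Users\alice\Documents
        [Parameter(Mandatory)][string]$Destination    # recovery folder on a clean disk
    )
    # Copy, never move: the snapshot is read-only and stays intact for another attempt.
    $source = Join-Path $LinkPath $RelativePath
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path (Join-Path $source '*') -Destination $Destination -Recurse -Force
}

# Usage: show what survived, take the newest snapshot of C:, mount it,
# copy one folder out, then remove the link (rmdir removes the link, not the snapshot).
$inventory = Get-ShadowCopyInventory
$inventory | Format-Table -AutoSize
$pick = $inventory | Where-Object Drive -eq 'C:' | Select-Object -Last 1
if ($pick) {
    $view = Mount-ShadowCopyView -DeviceObject $pick.DeviceObject -LinkPath 'C:\shadow-view'
    Restore-FromShadowCopy -LinkPath $view.FullName -RelativePath 'Users\alice\Documents' -Destination 'D:\recovered\Documents'
    cmd.exe /c rmdir C:\shadow-view
}
```

Check the Created timestamp against the time the ransom note appeared and pick a snapshot from before it; a snapshot taken after the infection only contains encrypted copies.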
Unfortunately, removing Trojan CryptoWall manually seems to be impossible, so you have to remove it with the help of reliable antivirus/antimalware software only.