Rate Thread
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How to Prevent Damage from CryptoWall 3.0
#1
CryptoWall isn't really anything new but for those of you who are not familar with the virus I'll summarize what it does.

Someone clicks on a link that downloads the virus and the user is tricked into running it. Once the virus is on the computer it encrypts the contents of your hard drives and network drives...this includes flash drives and anything of that sort. If it has a drive letter it's fair game for the virus. The virus also adds files named "DECRYPT INSTTRUCTION.TXT." Then the user is shown pop-ups requesting they send $500 to decrypt their data and if they don't do so in a certain time frame the price goes up.

The encryption is very strong, RSA 2048-bit, so unless you have a CRAY supercomputer you're not going to crack the encryption. So there are other means which I will discuss.

First, and most obvious. Make sure you have a backup of all your important data. Music and movies are one thing but family pictures and financial data not so much the case. Having backups is a good and normal thing to do. But in case you don't have a backup there are a few things you can do if you were to get hit by the virus.

Ever since Windows Vista, Microsoft has included VSS or Volume Shadow Copy which takes snapshots of your files. This shows up as "Previous Versions" which you right-click a folder, you can restore files from here. However, let me tell you that authors of the virus know about Volume Shadow copy and will attempt to disable and delete all the assoicated data. So if you get this virus you must shut down the computer, scan the disk to remove the virus. If your Volume Shadow Service gets disabled and you don't have any kind of backup its pretty much game over.

The first thing you need to do is start Windows in Safe Mode and click Start > Run.. and type %AppData% or %LocalAppData% and look for randomly named files and folders, something named along the lines of "6abgq65abcf443" It is also highly recommended to run other malware scans, things like Malwarebytes, Super Anti-Spyware and so fourth, most of those will do fine at detecting and removing the virus.

Once you have either deleted the folders or ran scans to delete the virus reboot the computer normally and attempt to restore the previous versions of the files that were encrypted. If you see nothing in Previous Versions then it is likely that the virus was successful at disabling VSS. If you do, restore the files, overwriting the encrypted versions.


So here's some advice on how to prevent CryptoWall from either getting on your PC or at least keep it from destroying your data.

Use "Standard" or Limited accounts on Windows. If you use Standard accounts they lack the rights to execute certain programs and disable certain services without authorization. You can create a separate Administrator account to use to install software, updates and etc. Using a standard account doesn't effect normal usage.

Don't use network drives. Network shares are fine, just don't give them a drive letter. You can access network shares using UNC paths such as \\server\myshares instead of Z: and so on. Most programs are perfectly fine using UNC paths to access files. Currently CryptoWall doesn't spread over the network and only looks for drive letters.

If you're a system administrator, make use of Read-Only files where possible. CryptoWall can't make changes to Read-Only files.

Change your browsing habits. Not saying you were looking up porn but searching for free movies and getting off the beaten path can land you a virus. In my experience if the user wasn't into a bunch of porn they lacked good habits with searching the internet and going to bogus websites. It isn't always easy to identify fake websites or websites that might contain viruses, but watch your address bar, make sure you're on the site you want to be on.

The defense is limited but can be very effective when done correctly. Folks these days even Macs and Linux have ransomware and viruses. The only way to be safe is to make backups and learn better habits. If you run a business and want to look at porn at the end of the day, use a different computer, if the porno computer gets a virus no big deal.
"I’m not expecting to grow flowers in a desert, but I can live and breathe and see the sun in wintertime"
Check out my stuff!
Reply



Forum Jump:


Recently Browsing
1 Guest(s)

© 2002-2024 GaySpeak.com