Ransomware Explored: CryptoLocker/CryptoWall

Perhaps one of the most frustrating malware infections found today is file-encrypting ransomware. The two notable examples are CryptoLocker and CryptoWall. These are classified as malware; they are not technically viruses. Ransomware often infects a computer by being downloaded in a seemingly harmless file. It then encrypts one’s personal data and demands payment in exchange for a decryption key that is stored on a remote server. There is a deadline by which payment must be received before the key is deleted; after that, access to the encrypted data is impossible.

Initially it is important to have a basic understanding of how one is infected and how ransomware works. Both CryptoLocker and CryptoWall need to be downloaded, and are most commonly received as email attachments, although they can also be downloaded from websites. These websites are often advertising or media-sharing sites. To be infected the file need only be downloaded; it does not need to be opened. The infected files in email attachments often appear as zipped files, but these too need only be downloaded. Once downloaded, the malware uses an asymmetric encryption scheme to generate its keys. This means there are two keys. One is called the public key, which is used to encrypt files, and the other is called the private key, which is used to decrypt files. The private key is stored on a remote server controlled by the attacker. It is notable that CryptoLocker and CryptoWall do not lock users out of their computers, as is the case with many other kinds of ransomware. They only encrypt data files.

Crypto ransomware usually carries a list of file types that it searches for and encrypts. These are primarily different formats of image and text files. Depending on the malware, music is sometimes encrypted as well, and a newer version of CryptoWall targets game files. Both CryptoLocker and CryptoWall are aggressive and can encrypt backed-up files on external hard drives and network devices when those are connected to the infected computer and turned on. Some ransomware also sends itself to other people via email from the originally infected computer. When the owner attempts to access an encrypted file, a message is shown informing them that they must pay a specific amount of money within a certain period of time to obtain the private key, along with instructions on how to make payment. Typically 72 hours is the period given, but in some cases the owner is given a few weeks and the cost rises every week. Both CryptoLocker and CryptoWall usually display a countdown timer with the message. The amount of money asked for is usually around $300 to $500; in certain cases, people have been charged up to around $1000. Some versions of ransomware, especially CryptoWall, ask for payment in bitcoin. Bitcoin is an unregulated digital currency that can be mined (the process of creating new bitcoins), used in certain transactions, and exchanged for other currency. Sometimes payment is required through a cash card or prepaid credit card because such cards are untraceable. When the specified period of time passes and payment has not been made, the private key is deleted from the remote server and the owner can never access their files again.
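The paragraph above notes that these families encrypt a fixed list of document types in place, and that connected backup drives are hit too. A defender can turn that into a check: a document that has lost the header its format should start with and whose bytes are now near-random has most likely been encrypted. The script below is an added example written for this article, not code from the page or from either malware family; the extension list, magic bytes and sample files are constructed for illustration, and the entropy threshold of 7.5 bits per byte is an assumed value.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative set of document types the article says Crypto ransomware hunts for
# (constructed for this example, not the malware's real target list).
TARGET_EXTENSIONS = {".txt", ".doc", ".docx", ".jpg", ".png", ".pdf"}

# Leading bytes a healthy file of each type starts with. Compressed formats (JPEG,
# PNG, DOCX) are naturally high-entropy, so the header, not entropy alone, tells
# us whether such a file is still intact.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF", ".docx": b"PK\x03\x04"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 65536) -> bool:
    """True when a document no longer carries its expected header and its
    contents are near-random: the signature of a file encrypted in place."""
    head = path.read_bytes()[:sample]
    magic = MAGIC.get(path.suffix.lower())
    if magic and head.startswith(magic):
        return False  # still a well-formed file of its type
    return shannon_entropy(head) >= threshold


def scan(root) -> list:
    """Names of targeted document types under root that look encrypted, e.g. on a backup drive."""
    return sorted(p.name for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS and looks_encrypted(p))


def demo() -> list:
    """Build a constructed sample tree and scan it; returns the flagged file names."""
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(8192))  # stand-in for ciphertext
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "notes.txt").write_bytes(b"Back up your documents regularly. " * 200)
        (base / "photo.jpg").write_bytes(MAGIC[".jpg"] + noise)  # intact compressed image
        (base / "report.docx").write_bytes(noise)                # header gone, random bytes
        (base / "tool.exe").write_bytes(noise)                   # not a targeted type
        return scan(base)


if __name__ == "__main__":
    print(demo())  # ['report.docx']
```

Run against a mounted backup drive before trusting a restore: a burst of flagged documents is a strong sign the drive was connected while the machine was infected.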

Although very similar, there are some small differences between CryptoLocker and CryptoWall. It is important to note that CryptoLocker is older than its counterpart and is currently rarer. An international joint law enforcement operation shut down the majority of the servers used to distribute CryptoLocker when it took down the Gameover Zeus botnet. Additionally, CryptoLocker has been reverse engineered and many private keys have been recovered, giving those infected some hope. Several copycat versions of CryptoLocker are still in circulation, although none are as sophisticated as the original, nor do they improve on its design.

CryptoWall became more prominent after the demise of CryptoLocker. CryptoWall infects computers in much the same way as CryptoLocker, although it also exploits weaknesses in websites and employs exploit kits to infect users. It can also be contracted through downloads and emails. As mentioned above, CryptoWall demands only bitcoin as payment and typically charges a higher base amount than CryptoLocker. CryptoWall usually provides a website through which infected people can pay; this website is designed to make tracing difficult. CryptoWall is not yet as widespread as CryptoLocker. The primary concern with CryptoWall is that there is no way to recover the files it encrypts without paying the criminals behind it. CryptoWall can always be removed, but documents and images will remain encrypted.

There are some simple but important ways to reduce the risk of infection. The first order of business is to keep good anti-virus software on one’s computer. Additional tools that target malware are also helpful for keeping the system clean. Backing up all of one’s user data, especially text and picture files, is essential. External hard drives and similar devices should be turned off or disconnected from the computer when not in use. This is important because, once the computer is infected, ransomware can easily encrypt any connected data storage device. Caution should be used when surfing the internet and when checking email. Any program or file downloaded from the internet should come from the original source, and third-party download sites should be avoided. If an email is received from a sender that is not recognizable, do not download any attachments from it. All these guidelines are helpful for general protection, as well as against ransomware.

CryptoWall is definitely more feared because it is the only ransomware from which your files cannot be saved if you choose not to pay for the private key. The majority of other ransomware, however, can be removed without data loss. CryptoLocker is much less of a threat since its downfall, although it can still cause significant harm, as can its copycat counterparts. Caution and regular backup of files are the two most important pillars for avoiding the frustration that encryption ransomware presents.