By Katherine Teitler


CryptoWall is a form of ransomware that encrypts a user's files and demands that the user pay a fee, typically in digital currency such as Bitcoin. In return for the paid ransom, the user receives decrypt instructions and a key from the attacker that gives the user access to their files.

CryptoWall was first discovered in early 2014 and infects Windows-based system. This file-encrypting ransomware can spread through malicious attachments to Spam and phishing emails, browser exploit kits, malvertising, or other malware. According to the Cyber Threat Alliance, CryptoWall version 3 has resulted an "estimated US $325 million in damages" thus far.

Once deployed to a host machine, CryptoWall communicates with a remote C&C (command and control server) which generates a unique RSA public-private key pair. CryptoWall identifies files with certain extensions, such as documents and audio that are stored locally, on network stores and even in the cloud. CryptoWall encrypts the files using the generated RSA public key and may also copy them to the C&C server. This process continues until all supported file types are copied and encrypted.

After the above process completes, the original files are deleted from the victim's machine and Windows' Volume Shadow Copy Service (VSS) is used to remove any shadow copies and block any system restore or backup capabilities. The only way a user can then access his file is if the files were stored on a disconnected remote drive, like an unconnected USB, or separate network.

After the attacker has successfully captured all the desired files on the infected system, a ransom note is sent to the victim. If the victim pays the ransom, s/he will (hopefully!) receive decrypt instructions to the stolen files.

Early bird deadline for InfoSec World 2016 Conference & Expo end 1/22/16. Click here to register today.