Those who know me have probably heard me mention the CryptoWall ransomware more than once over the past few weeks. That is because, from a technology perspective, something extraordinary has been happening that is forcing us all to clean up our approach to security. The malicious software we have all grown used to seeing and dealing with has, by comparison, been poorly written, crudely designed and limited in the economic damage it could do. The 'payload' of these earlier forms of malicious software was almost petty compared to CryptoWall: usually using the victim's computer to send spam, display ads or ask for a credit card number to unlock a fake product, and rarely if ever touching the data stored on that computer. CryptoWall, on the other hand, has been engineered to a quality level that rivals anything the world's largest and best funded software publishers have produced, complete with a working bitcoin payment system that law enforcement has been completely frustrated in its efforts to trace. This was illustrated in November when a Tennessee county sheriff's department became a CryptoWall victim and chose to pay a $572 ransom for the decryption key to unlock its departmental data. The article mentions no suspects.
Variants of CryptoWall have been in circulation since the first quarter of 2014, and new versions that close previously found weaknesses in its design have appeared just as fast as each new means of countering it has been identified. This has occurred with an efficiency that rivals any of the world's largest and best funded software publishers. In just the past few months a weakness in CryptoWall's encryption has been corrected, and the ransomware has become adept at finding and destroying any data backups within reach of the afflicted computer, as well as connecting to mapped network drives and encrypting the contents of an entire network, which it then holds for ransom. Payment is demanded in bitcoin, in amounts usually between $500 and $2,000 but reportedly as high as $10,000, with the largest ransoms demanded from victims who do not pay within the first 4-7 days. IT programming circles generally regard the authors of malicious software with contempt, not just for the criminality of their trade but for the sloppiness and inherent weakness of their designs. CryptoWall, in contrast, has been designed, updated and re-released with an almost institutional quality, inflicting immeasurable damage on small and medium size businesses around the world (the reported impact on large corporations has been less pronounced), and has in all likelihood taken about $100 million out of the United States in the past few weeks.
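The practical consequence of the "mapped network drives" point above is that the blast radius of an infected workstation is every share the logged-in user can write to, including mappings that are not connected right now but reconnect at the next logon. The following PowerShell script is an added example, not code from the original post or from CryptoWall itself: it lists those drives and tests whether the current account can write to each root. It assumes Windows PowerShell 3.0 or later; the probe file name is arbitrary.

```powershell
# Added example (not from the original post): enumerate every network drive
# a process running as the logged-in user could reach, whether currently
# connected or a persistent mapping that reconnects at logon, and test
# whether this account can write to each root. A writable network location
# is in scope for an infection on this workstation, and a "backup" kept there
# is not a backup. Assumes Windows PowerShell 3.0+.

function Test-WriteAccess {
    param([string]$Root)
    # Write and immediately delete a uniquely named file at the root of the drive.
    $probe = Join-Path $Root ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$targets = @()

# DriveType 4 = network drive as reported by the OS (currently connected).
foreach ($d in (Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 4 })) {
    $targets += [pscustomobject]@{
        Drive  = $d.DeviceID
        Kind   = 'Network (connected)'
        Target = $d.ProviderName
    }
}

# Persistent mappings are stored under HKCU:\Network and reconnect at every
# logon, so they count even when the share is not connected at the moment.
if (Test-Path HKCU:\Network) {
    foreach ($k in Get-ChildItem HKCU:\Network) {
        $letter = $k.PSChildName + ':'
        if ($targets.Drive -notcontains $letter) {
            $targets += [pscustomobject]@{
                Drive  = $letter
                Kind   = 'Network (persistent, not connected)'
                Target = (Get-ItemProperty -Path $k.PSPath).RemotePath
            }
        }
    }
}

$report = foreach ($t in $targets) {
    $root = $t.Drive + '\'
    [pscustomobject]@{
        Drive    = $t.Drive
        Kind     = $t.Kind
        Target   = $t.Target
        Writable = if (Test-Path -LiteralPath $root) { Test-WriteAccess $root } else { 'unreachable' }
    }
}

$report | Format-Table -AutoSize
```

Run it as the ordinary user, not as an administrator, because that is the account the malware would run as. Every row that comes back Writable = True is a location the ransomware described above can encrypt; any backup that lives only on such a share should be moved to a target the workstation cannot write to (a pull-based backup server, or media that is disconnected between runs).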
A large amount of malicious software was detected on Station9 and removed. These are all Trojan horses and/or PUPs (Potentially Unwanted Programs). The infections occurring frequently now (not just at TSU but everywhere) are due to end users inadvertently installing software from untrustworthy publishers, and once a malicious program is given permission to install you may not be able to revoke that permission. Antivirus and antimalware software is designed to remove infections, but if the Trojan horse or other malicious program was given control of the computer even once, after User Account Control warned "This program is trying to make changes to your computer, do you want to allow this?", then you may never be able to fully revoke that permission without first reloading the computer's entire operating system. Antimalware software can detect and remove what it recognizes, but there is no way to fully account for everything the program did while it was there. It is common for Trojan horses and other malicious software to leave instructions behind (an autostart entry, a scheduled task or similar) that cause the computer to connect somewhere and re-infect itself at some point in the future, and these instructions are indistinguishable from legitimate processes until it is too late. If any of these machines report additional infections in the next 30 days they should be reloaded.
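The "instructions left behind" are, in practice, autostart entries: Run/RunOnce registry values, scheduled tasks and services that relaunch a dropper or fetch the next payload. They are not invisible, but they do look like everything else in those lists. The script below is an added example, not code from the original post and not a detection signature: it collects those entries (plus live outbound connections) and flags the ones whose executable lives in a user-writable directory, which is where software installed without administrative rights usually ends up. It assumes an elevated prompt on Windows 8 / Server 2012 or later (Get-ScheduledTask and Get-NetTCPConnection need those versions); the path pattern is a heuristic I chose for the example.

```powershell
# Added example (not from the original post): list the common places a
# Trojan leaves its "come back later" instructions (Run/RunOnce keys,
# scheduled tasks, services) plus established outbound connections, and flag
# any entry whose executable lives in a user-writable directory.
# Assumes an elevated prompt on Windows 8 / Server 2012 or later.
# The pattern below is a triage heuristic, not a signature.

$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Downloads\\'

$entries = @()

# 1. Run / RunOnce keys, machine-wide (including the 32-bit view) and per-user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# 2. Every action of every scheduled task (COM-handler actions have no Execute and are skipped).
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $entries += [pscustomobject]@{
                Source  = 'Task ' + $task.TaskPath
                Name    = $task.TaskName
                Command = ($a.Execute + ' ' + $a.Arguments).Trim()
            }
        }
    }
}

# 3. Services and the binary each one starts.
foreach ($svc in Get-CimInstance Win32_Service) {
    $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
}

# 4. Established outbound connections owned by a process running from a user-writable path.
foreach ($c in Get-NetTCPConnection -State Established) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -match $userWritable) {
        $entries += [pscustomobject]@{
            Source  = 'Connection'
            Name    = "$($proc.ProcessName) -> $($c.RemoteAddress):$($c.RemotePort)"
            Command = $proc.Path
        }
    }
}

# Report only what starts from, or is talking out of, a user-writable directory.
$entries | Where-Object { $_.Command -match $userWritable } |
    Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

An empty report does not mean the machine is clean; it means nothing is starting from the obvious places. That is exactly why the memo's rule stands: a machine that reports another infection within 30 days gets reloaded rather than cleaned again. On Windows 7 hosts, where Get-ScheduledTask is not available, the task list can be pulled with `schtasks /query /fo csv /v` and filtered the same way.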