New Ransomware “CryptoWall” Rapidly Infecting Systems Across the U.S.


Statewide Information Analysis Center

  • 6 pages
  • For Official Use Only
  • June 1, 2014


(U//FOUO) This product addresses the recent wave of CryptoWall (not to be confused with “CryptoLocker”) ransomware infections throughout the United States. Included are prevention and incident response mitigation strategies, as well as a description of the malware and helpful sources. This product is U//FOUO TLP: GREEN and should be shared as widely as possible with all partners.

(U) Key Points
• (U//FOUO) CryptoWall is a new form of ransomware that has impacted numerous organizations across the United States, including municipal agencies.
• (U) The primary infection vectors for CryptoWall are spear-phishing emails, made to look like communications from legitimate companies, and compromised advertisements displayed on highly trafficked websites.
• (U) Upon executing on a system, CryptoWall immediately begins to encrypt any files the user has access to, including data on shared drives.
• (U) The damage done to affected files by CryptoWall is irreversible and typically requires restoring locked files from existing back-ups.
• (U//FOUO) Currently, while some (but not all) major anti-virus software companies can now detect the attack after the fact, CryptoWall can still encrypt files on the infected computer before being discovered.

(U) Background

(U//FOUO) CryptoWall is a new ransomware discovered in late April 2014 that affects all versions of Windows. The most common infection vectors for CryptoWall are spear-phishing e-mails with malicious attachments (e.g. PDFs which, when opened, execute CryptoWall) or compromised advertisements on highly trafficked websites, such as news or social media sites.

(U//FOUO) Upon execution, CryptoWall immediately encrypts all user-accessible files on the local drive and any mapped networks or storage devices. After encrypting the accessible files CryptoWall displays a message giving victims a 100-hour countdown while demanding a payment of approximately $500 in bitcoins in exchange for the decryption key – though this amount has varied according to open source reporting. If the user does not pay within the demanded timeframe, the amount of the ransom increases.

(U//FOUO) Several CryptoWall spear-phishing e-mails identified to this point have been crafted to look like communications from legitimate companies and requested the user download or open an “EFAX”. Other malicious emails may be disguised as notifications sent from UPS or the “Payroll Department”.
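The lure pattern described above (a legitimate-looking sender, a fax/UPS/payroll theme, and an attachment the user is urged to open) can be screened at the mail gateway. The following is an added example, not part of the SIAC product or of any vendor's filter: it parses messages with Python's standard `email` package and flags executable or double-extension attachments, and any attachment paired with one of the lure themes the bulletin names. The keyword list, the extension list and the sample messages are all constructed for illustration.

```python
"""Screen inbound mail for the CryptoWall spear-phishing lure pattern.

Added example (not part of the bulletin). Assumptions: the lure keywords,
the extension lists and the sample messages below are constructed; real
deployments would tune them to local traffic.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from typing import Dict, List, Optional

# Extensions that should not arrive as mail attachments in most environments.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Lure themes the bulletin reports for CryptoWall spear-phishing (matched as whole words).
LURE_KEYWORDS = ("efax", "fax", "ups", "payroll")


def attachment_names(msg: Message) -> List[str]:
    """Return the filenames of every attachment part in a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def extensions(filename: str) -> List[str]:
    """All extension components, lower-cased: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def screen_message(raw: str) -> Dict[str, object]:
    """Parse an RFC 822 message and return the reasons (if any) it should be held."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    names = attachment_names(msg)
    reasons = []
    for name in names:
        exts = extensions(name)
        if exts and exts[-1] in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment: {name}")
        if len(exts) >= 2:  # e.g. report.pdf.exe, a classic disguise
            reasons.append(f"double extension: {name}")
    lures = [k for k in LURE_KEYWORDS if re.search(rf"\b{k}\b", subject)]
    if lures and names:
        reasons.append(f"lure subject ({', '.join(lures)}) with attachment")
    return {"subject": msg.get("Subject"), "attachments": names,
            "flagged": bool(reasons), "reasons": reasons}


def build_sample(subject: str, filename: Optional[str]) -> str:
    """Construct a sample message (not real phishing mail) serialized as RFC 822 text."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Please see the attached document.")
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fname in [("Your eFax message is ready", "efax_2014-06-01.pdf.exe"),
                        ("UPS delivery notification", "tracking.zip"),
                        ("Meeting notes", "notes.pdf")]:
        print(screen_message(build_sample(subj, fname)))
```

The whole-word match matters: a subject such as "Groups update" must not trip the "ups" keyword, and a plain PDF attachment with a neutral subject passes. Anything flagged should be quarantined for analyst review rather than delivered, since the bulletin notes anti-virus signatures often lag the campaign.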

(U//FOUO) Open source reporting indicates that the actors behind CryptoWall are utilizing an off-the-shelf exploit kit known as “RIG”, which hijacks advertising on high-profile websites to redirect visitors to other malware-laden sites.

(U//FOUO) Per incident reports shared by analysts across the country, CryptoWall has done damage to numerous organizations in the past month:

• (U//FOUO) In late May 2014, a local fire department in Northern California was infected by CryptoWall, resulting in the compromise of at least one computer and one server, destroying vital information. The agency was able to restore their systems and the data from a backup.
• (U//FOUO) In early June 2014, several local public safety agencies in Southern California were infected by CryptoWall, resulting in the compromise of over one hundred computers and ten servers. The agencies were able to restore their systems from backup with assistance from the MS-ISAC.
• (U//FOUO) In late May 2014, a municipal agency in Virginia found that two of their computers had been infected with CryptoWall.

(U//FOUO) Thus far, the majority of victims are located in the United States, though numerous victims have been affected across multiple sectors. In at least one incident, CryptoWall masqueraded as a program that claims the user needs to decrypt a file before being able to read it. Once the user tries to open the file, CryptoWall replicates itself across multiple locations on the user’s machine and demands payment. CryptoWall may also be disguised as legitimate software updates such as (but not limited to) Adobe Reader, Flash Player, and Java Runtime Environment updates.

(U//FOUO) Due to the strength of the encryption, which uses unique RSA-2048-bit keys generated in each infection, the private decryption key is necessary to decrypt the affected files. A number of the victims have had to wipe the affected files and restore them from back-ups. Because CryptoWall can encrypt across the network (i.e. anything the user has access to, including anything on accessible mapped networks) it is possible the malicious actors are targeting organizations that would be most damaged by the malware.
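Because the files cannot be recovered without the private key, the practical defence for the behaviour described in this paragraph and in the execution paragraph above is to notice the encryption run while it is in progress and cut the account off from the share. The following is an added example, not from the bulletin or from any product: it reads file-server audit lines in a constructed format (the `user=`/`op=`/`path=` fields are an assumption, not a real product's log layout) and raises one alert per account that rewrites or renames more than a threshold of distinct files inside a short window across mapped shares. The sample log is constructed and does not come from any of the incidents the bulletin reports.

```python
"""Detect the mass-modification burst a CryptoWall-style infection produces on file shares.

Added example, not part of the SIAC product. Assumptions: audit lines look like
'2014-06-01T09:15:02 user=asmith op=WRITE path=\\\\fs01\\docs\\a.pdf' (constructed
format); THRESHOLD and WINDOW_SECONDS are starting values to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")
MODIFY_OPS = {"WRITE", "RENAME"}   # reads are ignored: a backup agent reads everything
THRESHOLD = 20                     # distinct files touched by one account ...
WINDOW_SECONDS = 60                # ... within this many seconds

Event = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one audit line into (timestamp, user, op, path); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["op"], m["path"]


def share_of(path: str) -> str:
    """Return the share name from a UNC path (\\\\server\\share\\...)."""
    parts = path.split("\\")
    return parts[3] if len(parts) > 3 else path


def detect_bursts(lines: List[str], threshold: int = THRESHOLD,
                  window: int = WINDOW_SECONDS) -> List[Dict[str, object]]:
    """One alert per account whose distinct modified files reach threshold within window."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)    # user -> deque of (ts, path) still inside the window
    alerts: Dict[str, Dict[str, object]] = {}
    for ts, user, op, path in events:
        if op not in MODIFY_OPS:
            continue
        q = recent[user]
        q.append((ts, path))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and user not in alerts:
            alerts[user] = {"user": user, "files": len(distinct), "start": q[0][0], "end": ts,
                            "shares": sorted({share_of(p) for p in distinct})}
    return list(alerts.values())


def constructed_log() -> List[str]:
    """Build sample audit lines (constructed; not from any real incident)."""
    fmt = "{:%Y-%m-%dT%H:%M:%S} user={} op={} path=\\\\fs01\\{}\\{}"
    base = datetime(2014, 6, 1, 9, 0, 0)
    lines = []
    for i in range(5):             # jdoe: ordinary editing, five saves over ten minutes
        lines.append(fmt.format(base + timedelta(minutes=2 * i), "jdoe", "WRITE", "docs", f"report{i}.docx"))
    for i in range(40):            # backup agent: many reads, no writes, must not alert
        lines.append(fmt.format(base + timedelta(seconds=i), "svc_backup", "READ", "docs", f"file{i}.xlsx"))
    for i in range(25):            # asmith: 25 distinct files rewritten in 25 s across two mapped shares
        share = "finance" if i % 2 else "docs"
        lines.append(fmt.format(base + timedelta(minutes=15, seconds=i), "asmith", "WRITE", share, f"file{i}.pdf"))
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_log()):
        print(alert)
```

The alert fires on the 20th distinct file inside the window, well before the run finishes, which is the point: disabling the account's share access at that moment limits the loss to what must then be restored from back-ups. Counting distinct paths rather than raw events keeps a user repeatedly saving the same document from tripping it, and excluding reads keeps backup and indexing agents quiet.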

(U//FOUO) The success of CryptoWall is likely due to the widespread spear-phishing campaign, the effective spear-phishing lures used by the malicious actors, the diversity in infection vectors – including spear-phishing and malicious advertisements – the fact that numerous anti-virus providers still cannot detect CryptoWall, and the rapidity with which CryptoWall activates upon execution and begins causing damage.