Cryptowall and other viruses on the upswing

The bad guys are working overtime. In the last few weeks, two of my clients were shut down for hours or days by viruses that arrived in email attachments. There have been countless near misses with look-alike messages that appear to be from Paypal or from banks, loaded with links to malicious websites. The phony wire transfer requests continue to come in, potentially leading to expensive mistakes. Your employees’ mailboxes are stuffed with messages that could shut down your business with just a few errant clicks.

I’ll tell you a few anecdotes but it’s more important that you refresh your memory of the Rules For Computer Safety – and as always, I encourage you to tape copies of the Rules to your employees’ chairs and distribute them outside local supermarkets and discuss them over drinks after polo matches. Today’s lecture mostly concerns this rule:

Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.

Not 99% certainty, that’s not good enough. Also not good enough: any explanation that starts with: “Oh, I thought, maybe . . “ or “It looked like it came from (person known to you), so I figured . . . “ If you get an mail attachment, you must assume it is poisonous and then cautiously convince yourself otherwise. You will want your explanation to be very convincing when you’re repeating it to me while we stare at the ruins of your business.

It’s really that bad out there. It’s one of the reasons that people are fleeing computers and using mobile devices, which are not (yet) easily attacked by viruses. (The other reason is that computers are too damn complicated and it’s amazing that anyone can use a computer without screaming. But that’s another article.)

Cryptowall help_your_files instructions

An attachment that appeared to be a zipped Word document delivered the Cryptowall virus to two clients. It’s the latest variation on Cryptolocker, the worst virus you can imagine, now in circulation for more than two years. I’ve written about Cryptolocker here and here.

When it’s executed, the Cryptowall virus runs silently in the background, encrypting all of your files so they are unreadable. The latest version also encrypts the file names and turns them into long strings of alphabet gibberish to make it more difficult to figure out what files have been lost. When it’s finished, the virus presents a ransom notice (shown above) with instructions about how to send the ransom amount – several hundred to several thousand dollars – by anonymous means to the criminals, who promise to send back a key that will let you decrypt your files. Some people actually get their files back that way but these are criminals, after all, and paying money to criminals and trusting them to play fair kind of misses the point, eh?

The Cryptowall virus is particularly devastating to small businesses because it reaches beyond the computer running the virus and encrypts all files in mapped drives. Almost every small business has an M: drive or a P: drive where everyone stores shared files. It’s the “Company” or “OfficeDocs” or “FirmDocs” folder; the real name might be \\companyserver\firmdocs but most employees call it the M: drive. Cryptowall encrypts those files as well and in a few minutes the business grinds to a halt as all the company files disappear before your eyes.

There’s no choice other than to wipe a computer clean that has been infected by a genuinely bad virus like Cryptowall – reformat the hard drive, reinstall Windows, reinstall all the programs, and set up printers and scanners from scratch. I can remove adware – annoying programs loaded by small-time crappy advertisers – but you can never trust a computer that has had a real virus unless the hard drive is wiped. It’s time-consuming and invariably results in disruption and difficulty getting back to normal.

Restoring files from a backup is no picnic, either. My clients had good backups of the files in the Company/FirmDocs folders but restoring from a backup might mean the loss of work done since the last backup an hour or a day or a week before. In one case, the backup was online, which meant the files were safe but required 18 hours to finish the download from the online backup storage. During that time employees are idle and the business suffers.

Also worth noting: Cryptowall encrypts files in the local copies of Dropbox and OneDrive, both of which then happily sync the encrypted copies online. Theoretically it’s possible to restore previous versions of files stored in Dropbox or OneDrive but only one by one, file by file, which does no good when thousands of files have been encrypted. Include Dropbox and OneDrive in your backups!

Nasty stuff. I’ve also seen a resurgence of email messages that contain links to malicious websites that will attempt to install viruses in the background, or present phony imitations of legitimate sites and attempt to capture your password, or put up phony security warnings imploring you to call a number to clean your computer, or any of a thousand other typical bad guy scams. Take a look at this email message forwarded by a client:

Phony Paypal message

A message from Paypal about a payment you didn’t authorize. Did you notice that the return email address is “sercvice”?  It’s so tempting to click the link that says “Dispute this transaction.” Let’s say you’re careful and you hover over the link before you click to see where it leads – would you notice that it says “www.” and not “www.”? Make a mistake and you’re on your way to a site run by the bad guys (which might also look just like Paypal) and just a click away from a virus disaster.

We’re going to be deluged with email in the next month that appears to be from shopping sites and banks. Some of it will appear to be from companies that you do business with. Our instinct is to completely overlook messages from unfamiliar businesses and just as instinctively to be attracted to a message that appears to be from a familiar name. It’s easy to ignore the message from “Union Bank” and “American Express” and “Bank of America” and yet we’ll pause when a message appears to be from “Wells Fargo” (or wherever you bank) because, who knows, maybe it’s real. Look hard before you click!

Paranoia is your best defense. Your antivirus program may not defend you. (Security programs fought with the Cryptowall virus in both cases for my clients but did not stop it until most of the damage was done.) Review the Rules for Computer Safety, and please, please, be careful out there.

Share This