CryptoWall Viruses

CryptoWall viruses such as CryptoLocker, AlphaCrypt and TeslaCrypt to name a few are ransomware trojans that encrypt any file that it has access to your on machine, delete the original, and then demand money to restore your data. What this means is that not only will it delete your files from your computer but also any file shares you may have access to or are attached to. We have seen, first-hand, the terror it causes.

How does it come in?

CryptoWall variants are incredibly sophisticated and can evade even top-ranked security systems. Attack vectors generally come from web-based exploits or CHM or RAR files attached to an email which the end-user must click through to launch the attack. These messages are usually spoofed to look like they are coming from a bank, online fax service or other official entity.

How to prevent it?

The first line of defense for this, or any other cyber-attack, is a robust security perimeter which incorporates these key pieces:

  • A hardware firewall with advanced threat prevention
  • Managed Antivirus (Centrally monitored)
  • Secured file share permissions
  • The virus can access all files that the infected user has access to. If files are not locked down, entire file shares could be encrypted and deleted
    • When possible, do not allow the average user deletion permissions. If the infected user does not have Full Access permissions then the virus can be contained
      What’s important to remember about CryptoWall viruses is that they are sophisticated enough to evade even the best detection systems. The best preventive measure is an end user that is educated, cautious, and skeptical.
  • Immediately close unexpected windows or pop-up messages
    • Do not click on any button in the window
    • If you have the know-how, close the window from the Windows Task Manager
  • Limit your web browsing to work-appropriate sites only
  • Don’t trust e-mail you aren’t expecting
    • Never open an attachment unless you know exactly where it comes from. If you’re not sure, call the institution you believe it came from to validate.
  • Report any suspicious activity to your IT personnel immediately
    • Do not forward the message unless specifically asked to by an engineer
    • Screenshots can be very helpful

What to do if you have been infected?

Don’t panic, but act quickly:

  • Shut down the infected machine and disconnect it from the network
  • Contact us for assistance by phone (206.397.8070)