What is Cryptowall virus?

The Cryptowall virus is a form of ransomware that encrypts files on infected computers and demands payment in order to decrypt them. It first appeared in early 2014 and has since become one of the most widespread and destructive ransomware threats. Here we provide an overview of how Cryptowall works and the damage it can cause.

What does Cryptowall do?

Once installed on a victim’s computer, Cryptowall encrypts a wide range of file types using RSA-2048 encryption. This includes documents, photos, videos, databases, and other important files. The encryption is exceptionally strong, making it impossible for victims to access their files without the decryption key.

After encrypting files, Cryptowall displays a ransom note demanding payment (typically $500-$1000 in bitcoin) in exchange for the decryption key. The ransom note threatens permanent data loss if the ransom is not paid within a short time frame, usually 72 or 100 hours.

Cryptowall is spread through exploit kits and phishing emails containing malicious attachments or links. Once launched, it immediately starts encrypting files in the background while displaying fake system messages to avoid detection. It only reveals itself after encryption is completed.
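Because the encryption runs quietly and only announces itself once it is done, the defender's window is the bulk rewriting itself. The following is an added example, not code from the original article or from any Cryptowall sample, showing the two signals an endpoint sensor can combine: the Shannon entropy of bytes written (encrypted output sits near 8 bits per byte, documents far lower) and a burst of many distinct files rewritten with high entropy inside a short window. The events are constructed for the demo; in production they would come from a file system minifilter, auditd or an EDR agent, and the names Entropy, DetectBurst and SampleEvents are ours.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Entropy returns the Shannon entropy of data in bits per byte (0 to 8).
// Freshly encrypted output sits near 8; text and office documents sit well below.
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// WriteEvent is one observed file rewrite: which file, when, and the entropy
// of the bytes written. A real sensor would supply these; ours are constructed.
type WriteEvent struct {
	Path    string
	At      time.Time
	Entropy float64
}

// Alert reports the moment a burst crossed the threshold.
type Alert struct {
	Start time.Time
	Count int
	Paths []string
}

// DetectBurst fires when at least minFiles distinct files are rewritten with
// entropy >= minEntropy inside any sliding window of the given length. One
// high-entropy write is normal (a zip, a JPEG); dozens across different paths
// within a minute is bulk encryption in progress. It returns as soon as the
// threshold is reached so a responder can isolate the host before it finishes.
func DetectBurst(events []WriteEvent, window time.Duration, minEntropy float64, minFiles int) *Alert {
	var hi []WriteEvent
	for _, e := range events {
		if e.Entropy >= minEntropy {
			hi = append(hi, e)
		}
	}
	sort.Slice(hi, func(i, j int) bool { return hi[i].At.Before(hi[j].At) })
	start := 0
	for end := range hi {
		for hi[end].At.Sub(hi[start].At) > window {
			start++
		}
		seen := map[string]bool{}
		for _, e := range hi[start : end+1] {
			seen[e.Path] = true
		}
		if len(seen) >= minFiles {
			paths := make([]string, 0, len(seen))
			for p := range seen {
				paths = append(paths, p)
			}
			sort.Strings(paths)
			return &Alert{Start: hi[start].At, Count: len(seen), Paths: paths}
		}
	}
	return nil
}

// SampleEvents builds a constructed timeline: an hour of ordinary activity
// (three document saves, one zip download), then twelve files rewritten with
// near-maximal entropy within 22 seconds.
func SampleEvents() (benign, attack []WriteEvent) {
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	benign = []WriteEvent{
		{"docs/report.docx", t0, 4.6},
		{"docs/budget.xlsx", t0.Add(10 * time.Minute), 5.1},
		{"docs/notes.txt", t0.Add(20 * time.Minute), 4.2},
		{"downloads/photos.zip", t0.Add(30 * time.Minute), 7.9},
	}
	attack = append([]WriteEvent(nil), benign...)
	for i := 0; i < 12; i++ {
		attack = append(attack, WriteEvent{
			Path:    fmt.Sprintf("docs/file%02d.docx", i),
			At:      t0.Add(40*time.Minute + time.Duration(i)*2*time.Second),
			Entropy: 7.97,
		})
	}
	return benign, attack
}

func main() {
	benign, attack := SampleEvents()
	fmt.Println("benign timeline alert:", DetectBurst(benign, time.Minute, 7.5, 10))
	if a := DetectBurst(attack, time.Minute, 7.5, 10); a != nil {
		fmt.Printf("ALERT at %s: %d files rewritten with high entropy, e.g. %v\n",
			a.Start.Format(time.RFC3339), a.Count, a.Paths[:3])
	}
}
```

The thresholds (7.5 bits per byte, ten files per minute) are starting points, not tuned values; the lone zip download shows why a single high-entropy write must not alert on its own.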

What damage can Cryptowall cause?

Cryptowall can cause severe damage to home users and businesses by permanently encrypting cherished photos, documents, databases, and other critical files. Without backups, victims who do not pay the ransom face total data loss. Even with backups, Cryptowall may encrypt files created after the last backup.

Businesses stand to lose valuable intellectual property, customer databases, invoices, design files, contracts, and more. Having systems and files encrypted can mean costly downtime that impacts operations and revenue. The average ransom of $500-$1000 also presents a hefty unplanned expense.

Beyond financial impacts, Cryptowall can cause tremendous uncertainty and stress for victims. Family photos, financial records, design files, and other personally meaningful data may be lost forever. This loss of irreplaceable data takes a serious emotional toll.

How does Cryptowall encrypt files?

Cryptowall uses extremely secure RSA-2048 encryption paired with a randomly generated encryption key for each infected computer. The private RSA key needed to decrypt files is held only by the attackers.

When first installed, Cryptowall generates a unique RSA public-private key pair on the victim’s machine. It uses the public key to encrypt files but exports the private key back to the attackers’ server.

For each file, Cryptowall generates a separate symmetric AES encryption key, encrypts the file with that AES key, and then encrypts that AES key asymmetrically using the public RSA key. Only the attackers hold the private RSA key needed to decrypt the AES keys.

This hybrid cryptosystem makes it computationally infeasible to brute-force the encryption even with immense computing power. Victims have no choice but to pay the ransom or lose their data.

Cryptowall Encryption Process

  1. Unique RSA public-private key pair generated on infected computer
  2. For each file, generate random symmetric AES key
  3. Encrypt file with AES key
  4. Encrypt AES key with RSA public key
  5. Export RSA private key to attacker’s server
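To make the five steps concrete, here is an added example, not code from the original article or from any Cryptowall sample, that implements the same hybrid envelope with Go's standard library on an in-memory byte slice: a fresh AES key per file, the file encrypted under it, the AES key wrapped with the RSA public key. The article does not name an AES mode or RSA padding, so AES-256-GCM and RSA-OAEP are assumptions, and the names NewKeyPair, Seal and Open are ours. Unlike step 5, the demo keeps the private key inside the process so it can show both sides of the argument: the matching private key recovers the file, and any other key cannot even unwrap the AES key, which is exactly why recovery hinges on the attackers' copy.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the encrypted form of one file: its AES key wrapped under the
// RSA public key, the AES-GCM nonce, and the ciphertext (tag included).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewKeyPair is step 1: the RSA pair generated on the infected machine.
// In this demo the private half never leaves the process.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Seal performs steps 2 to 4 for one file held in memory: a random AES-256
// key, the file encrypted under it with AES-GCM, and the key wrapped with
// RSA-OAEP. Only the public key is needed, so the encrypting side never
// holds the secret that reverses the process.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the step a victim cannot perform without the attackers' key:
// unwrapping the file key needs the matching RSA private key. Any other key
// fails the OAEP check, and without the file key AES-GCM cannot be opened.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong or missing private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	victimKey, err := NewKeyPair(2048)
	if err != nil {
		panic(err)
	}
	original := []byte("constructed sample file contents: Q3 invoices")
	env, err := Seal(&victimKey.PublicKey, original)
	if err != nil {
		panic(err)
	}
	back, err := Open(victimKey, env)
	fmt.Println("with the matching private key, recovered:", err == nil && bytes.Equal(back, original))

	// A second, unrelated key stands in for "the key the attackers took away".
	otherKey, _ := NewKeyPair(2048)
	_, err = Open(otherKey, env)
	fmt.Println("with any other key:", err)
}
```

Note what the public key alone buys the attacker: Seal never needs anything secret, so nothing recoverable from the infected machine after step 5 helps, and the per-file AES key exists in memory only for the duration of Seal.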

Is it possible to decrypt files without paying?

Unfortunately, decrypting files without the private RSA key held by the attackers is virtually impossible. The combined use of asymmetric and symmetric encryption means brute-forcing the encryption could take millions of years.

Security researchers have attempted to break Cryptowall’s encryption but so far without success. There are no known vulnerabilities in the ransomware’s encryption methodology that could provide backdoors for decryption.

Free decryption tools available online for Cryptowall are usually scams themselves. Legitimate decryption is only possible if the attackers make a mistake implementing the encryption, which is rare with Cryptowall.

Can files be recovered from backups?

For some victims, full or partial data recovery is possible by restoring encrypted files from backups. However, the effectiveness depends entirely on the backup system used and when it last ran.

Frequent backups to external media that is disconnected when not in use offer the best chance of recovering files. Cloud backups can also work, provided versioning is enabled and files can be restored to a version from before the encryption.

On the other hand, backups that run continuously in the background or to mapped network drives may also get encrypted by Cryptowall, rendering them useless.

Backup Protection from Cryptowall

Backup type                              Protection level
USB drive, disconnected after backup     Excellent
Cloud backup with versioning             Good
Network drive, continuously mapped       Poor
Continuous backup software               Poor
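The table's split between "Good" and "Poor" comes down to one property: whether the backup target keeps earlier versions or overwrites them. The following added example, not code from the original article, replays the same timeline against two constructed stores to show the difference: a VersionedStore that retains every copy (a versioned cloud bucket, or dated copies on a drive that is only attached during the backup run) and a MirrorStore where each write replaces the last (a continuously mapped network share or sync folder). The scramble function is a stand-in for the ransomware's output, not real encryption, and all names and timestamps are ours.

```go
package main

import (
	"bytes"
	"fmt"
	"time"
)

// Version is one retained copy of a file.
type Version struct {
	At   time.Time
	Data []byte
}

// VersionedStore never overwrites: every backup run appends a version.
type VersionedStore struct{ files map[string][]Version }

func NewVersionedStore() *VersionedStore {
	return &VersionedStore{files: map[string][]Version{}}
}

func (s *VersionedStore) Put(path string, data []byte, at time.Time) {
	s.files[path] = append(s.files[path], Version{At: at, Data: append([]byte(nil), data...)})
}

// RestoreBefore returns the newest version older than cutoff, which the
// responder sets to the earliest time the infection could have started.
func (s *VersionedStore) RestoreBefore(path string, cutoff time.Time) ([]byte, error) {
	var best *Version
	for i := range s.files[path] {
		v := &s.files[path][i]
		if v.At.Before(cutoff) && (best == nil || v.At.After(best.At)) {
			best = v
		}
	}
	if best == nil {
		return nil, fmt.Errorf("%s: no version before %s", path, cutoff.Format(time.RFC3339))
	}
	return append([]byte(nil), best.Data...), nil
}

// MirrorStore models a continuously mapped drive or sync folder: each write
// replaces the previous copy, so the encrypted file replaces the good one.
type MirrorStore struct{ files map[string][]byte }

func NewMirrorStore() *MirrorStore { return &MirrorStore{files: map[string][]byte{}} }

func (m *MirrorStore) Put(path string, data []byte, _ time.Time) {
	m.files[path] = append([]byte(nil), data...)
}

func (m *MirrorStore) Restore(path string) ([]byte, error) {
	d, ok := m.files[path]
	if !ok {
		return nil, fmt.Errorf("%s: not present", path)
	}
	return d, nil
}

// sampleOriginal is the constructed pre-infection content of the file.
var sampleOriginal = []byte("constructed sample: signed contract, 2024-01-14")

// scramble is a constructed stand-in for ransomware output; it is not real
// encryption, it only guarantees the bytes differ from the original.
func scramble(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ 0x5A
	}
	return out
}

// Simulate replays one timeline against both stores: nightly backup at t0,
// infection at t1, and the next backup run copying the encrypted file at t2.
func Simulate() (fromVersioned, fromMirror []byte, err error) {
	const path = "docs/contract.txt"
	t0 := time.Date(2024, 1, 14, 23, 0, 0, 0, time.UTC)
	t1 := t0.Add(10 * time.Hour) // infection starts
	t2 := t1.Add(2 * time.Hour)  // backup job picks up the encrypted file

	versioned, mirror := NewVersionedStore(), NewMirrorStore()
	versioned.Put(path, sampleOriginal, t0)
	mirror.Put(path, sampleOriginal, t0)
	encrypted := scramble(sampleOriginal)
	versioned.Put(path, encrypted, t2)
	mirror.Put(path, encrypted, t2)

	if fromVersioned, err = versioned.RestoreBefore(path, t1); err != nil {
		return nil, nil, err
	}
	fromMirror, err = mirror.Restore(path)
	return fromVersioned, fromMirror, err
}

func main() {
	v, m, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Println("versioned store restores the original:", bytes.Equal(v, sampleOriginal))
	fmt.Println("mirror store restores the original:   ", bytes.Equal(m, sampleOriginal))
}
```

The same logic explains the "Excellent" row: a drive that is unplugged after each run is a versioned store that the malware cannot even reach, so no write of the encrypted copy ever happens.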

How can Cryptowall be prevented and removed?

Preventing Cryptowall comes down to avoiding infection in the first place. Safe computing habits go a long way, such as not opening attachments or clicking links from unknown sources. Antivirus software can block many infections, but not all.

If infected, the ransomware itself can be removed with antivirus scanners or by wiping the computer. However, this does not decrypt any encrypted files. Preventing encryption requires stopping the attack before it gains a foothold.

Regular offline backups provide the best protection against damage from ransomware. With intact backups, encrypted files can simply be deleted and restored. Cryptowall has no effect if important data is properly backed up.

Should victims pay the Cryptowall ransom?

This is a complex decision without an unambiguously right answer. Paying the ransom provides the best chance of getting data back but also funds criminal operations. Each victim needs to weigh the situation themselves.

In some cases, the need to recover lost data justifies paying the ransom, particularly for businesses where downtime has major financial implications. Individual home users may be less inclined to pay.

There are pros and cons either way. The FBI officially discourages paying ransoms. Realistically, many victims decide the guaranteed file recovery makes it worthwhile.

Considerations for Paying Cryptowall Ransom

Pros                                  Cons
Decrypts files                        Rewards criminal behavior
Often only option for data recovery   No guarantee files will be decrypted
Relatively low ransom amount          May incentivize more attacks
Quick way to mitigate damage          Doesn't solve root infection issue

The future of Cryptowall

Cryptowall first appeared in early 2014 and remained active through various iterations up to 2016. It is no longer circulating and decryption tools are available for some past variants.

However, many other ransomware families have adopted Cryptowall's effective double encryption technique. Notable examples include Cerber, Locky, CryptXXX, and CryptoWall 4.0, which, despite the name, is not linked to the original CryptoWall.

Even as specific families like Cryptowall decline, ransomware remains a major and rapidly evolving threat. Attackers continue innovating new ways to extort victims for money and data recovery.

Conclusion

Cryptowall demonstrated just how devastating and intractable ransomware can be. By abusing top-grade encryption to lock sensitive files, it ignited the ransomware epidemic that still plagues us today.

Ultimately there are no perfect solutions to ransomware like Cryptowall once files are encrypted. Paying the ransom often becomes victims’ only recourse for recovery. The best protection lies in proactive measures like security awareness training and offline backups.

Cryptowall forever changed the threat landscape by unleashing ransomware’s destructive potential. Bolstering defenses remains crucial to limit the damage from this constantly evolving menace.