This past Tuesday, May 26, TNTMAX became a victim of Cryptowall 3.0 when one of our office administrators opened an email that was sent to firstname.lastname@example.org. The email looked like it came from a job seeker and had a résumé attached. We are currently searching for new employees, so the timing was impeccable.
This is what the email looked like:
What is Cryptowall 3.0?
Ransomware that arrives by email, here as an attachment posing as a résumé. Once it runs, it encrypts the documents it can reach: not only those on the local disk, but everything on every mapped network drive the infected user can write to, so one workstation can take down a shared file server. It does not need to infect other machines to do that; it only needs that user's permissions on the shares. It targets common document types: .DOC, .PDF, .XLS, .JPG and so on.
When trying to open a Microsoft Word file, we would receive the following error window:
In the folder alongside each file that would not open, you will find this:
- an HTML file
- a text file
Each of these takes you to a web page that is specific to you; it explains what is going on and the ransom that needs to be paid to get your files decrypted. That looks like this:
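The symptom above (documents that will not open) is easy to check for in bulk on a file share, and it is what you want to know quickly after an infection: which files are damaged and which folders to restore. The scanner below is an added example, not TNTMAX's tooling or anything from the ransomware itself. It compares each file's header bytes against what its extension promises and, when the header is wrong, measures the byte entropy: ciphertext sits close to 8 bits per byte, while a mis-named text file does not. The magic-byte table, the 7.5-bit threshold and the sample share it builds in a temp directory are all assumptions chosen for the demo.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Header bytes for the document types the post names. Legacy .doc/.xls share the
# OLE2 signature; .docx/.xlsx are ZIP containers. This table is an assumption
# chosen for the demo, not an exhaustive list.
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0, real documents well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    """Verdict for one file: 'ok', 'unknown-type', 'high-entropy' or 'header-mismatch'."""
    sigs = MAGIC.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return "unknown-type"          # not a type we can judge; skip it
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(head.startswith(s) for s in sigs):
        return "ok"                    # header matches the extension
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy"          # looks like ciphertext: the ransomware signature
    return "header-mismatch"           # wrong header but not random: renamed, truncated, etc.


def scan_tree(root: str) -> dict:
    """Walk `root` and return {relative_path: verdict} for every suspect file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict not in ("ok", "unknown-type"):
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = verdict
    return findings


def hot_directories(findings: dict) -> list:
    """Directories ranked by number of suspect files; the top entry is where to restore first."""
    return Counter(rel.rpartition("/")[0] for rel in findings).most_common()


def build_demo_share() -> str:
    """Constructed sample share (not real data): intact files beside 'encrypted' ones."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "HR"))
    rng = random.Random(2015)  # seeded so the stand-in ciphertext is reproducible
    samples = {
        "HR/intact.docx": b"PK\x03\x04" + b"\x00" * 200,
        "HR/intact.pdf": b"%PDF-1.4\n%stuff\n" * 20,
        "HR/resume.docx": bytes(rng.getrandbits(8) for _ in range(4096)),  # 'encrypted'
        "HR/budget.xls": bytes(rng.getrandbits(8) for _ in range(4096)),   # 'encrypted'
        "HR/renamed.docx": b"just a text file saved with the wrong extension\n" * 40,
        "HR/notes.txt": b"plain text, no signature to check\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    share = build_demo_share()
    found = scan_tree(share)
    for rel, verdict in sorted(found.items()):
        print(f"{verdict:16} {rel}")
    print("hot directories:", hot_directories(found))
```

Point `scan_tree` at the root of a mapped drive and you get a restore list in minutes, which is faster than opening files one by one. Reading only the first 4 KB per file keeps it cheap enough to run across a whole server.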
Really? A ransom note?
Yes, they are serious. For actual hard-earned money you can retrieve your files untouched and unchanged (well, besides the whole mess). Your money buys Bitcoins (thankfully they have it all fairly detailed in the image above), and your Bitcoins buy back your files. Just like any good old-fashioned ransom note, there is a deadline: if you do not pay within the time they give, the price doubles.
What is a bitcoin?
Bitcoin is a digital currency that works independently of any central bank (obviously). It is not strictly untraceable: every transaction is recorded on a public ledger. But a Bitcoin address is not tied to a name, payments cannot be reversed or frozen by a bank, and that is why it is the payment method of choice for ransomware crews. While we're at it: the payment websites are run as Tor hidden services, reached through the Tor network, so neither the site nor the payment address gives you a location or a person to go after.
8:00AM: Office Administrator opened and viewed the email that had the Cryptowall virus.
12:00PM: Our IT team detected the malware. (NOTE: none of our multiple anti-virus/anti-malware software picked it up)
1:30PM: IT located the source of the malware, the workstation of the office administrator who opened the email, and took it off of the LAN (local area network). IT then proceeded to remove the malware.
4:30PM: Office Administrator’s workstation was clean of any infection.
What’s the point here?
– We are an IT company with the best-of-the-best malware prevention, antivirus software, and SPAM filters in and around ALL of our servers and this thing still got to us.
– The people behind this ransomware are making money, and making a lot of it. This means they have the money to grow Cryptowall and create stronger and more powerful versions. With each version, there has been an aspect changed that makes it harder and harder to detect and get rid of.
What is the solution? Backup. We back up all of our servers' data daily and keep those sets for multiple days, then weekly sets for multiple weeks, and monthly sets, so we can go back through the backup sets and find the original, unencrypted files. Because we noticed it right away on the same day, we were able to restore from the backup taken the night before, and we lost no data. Two things matter here: the backup target has to be somewhere the infected user's account cannot write, or it gets encrypted along with everything else on the mapped drives; and you need more than one set, because a backup taken after the infection will faithfully copy the encrypted files over your only good copy.
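The retention scheme described above (daily sets for some days, weekly for some weeks, monthly for some months) and the choice of which set to restore are both simple enough to write down exactly. The code below is an added example, not TNTMAX's backup tooling: it computes which backup dates such a scheme retains, and picks the newest set that finished strictly before the earliest moment the malware could have been running, which for the timeline above is 8:00AM on May 26. The 7/4/6 counts, the nightly 02:00 schedule and the sample catalogue (including a hypothetical midday set taken after the infection, which must be rejected) are assumptions for the demo.

```python
from datetime import date, datetime, time, timedelta


def gfs_retention(backup_dates, today, keep_daily=7, keep_weekly=4, keep_monthly=6):
    """Grandfather-father-son retention: keep the last `keep_daily` sets, the newest
    set of each of the last `keep_weekly` ISO weeks, and the newest set of each of
    the last `keep_monthly` months. Returns the set of backup dates to retain."""
    dated = sorted({d for d in backup_dates if d <= today})
    keep = set(dated[-keep_daily:])
    newest_in_week, newest_in_month = {}, {}
    for d in dated:                       # ascending, so the last assignment wins
        newest_in_week[d.isocalendar()[:2]] = d
        newest_in_month[(d.year, d.month)] = d
    keep.update(sorted(newest_in_week.values())[-keep_weekly:])
    keep.update(sorted(newest_in_month.values())[-keep_monthly:])
    return keep


def pick_restore_point(backup_sets, first_suspect_time):
    """Newest set that finished strictly before the earliest moment the malware could
    have been running. Anything later may already contain encrypted files.
    `backup_sets` is a list of (finished_at datetime, set_id)."""
    clean = [(finished, set_id) for finished, set_id in backup_sets
             if finished < first_suspect_time]
    return max(clean)[1] if clean else None


def nightly_catalogue(first, last):
    """Constructed sample catalogue (assumed schedule): one set per night, done at 02:00."""
    sets, d = [], first
    while d <= last:
        sets.append((datetime.combine(d, time(2, 0)), f"nightly-{d.isoformat()}"))
        d += timedelta(days=1)
    return sets


def demo():
    """Incident from the timeline above: mail opened at 8:00AM on 2015-05-26."""
    first_suspect = datetime(2015, 5, 26, 8, 0)
    sets = nightly_catalogue(date(2015, 1, 1), date(2015, 5, 26))
    # hypothetical midday set taken after the infection: it must never be chosen
    sets.append((datetime(2015, 5, 26, 12, 0), "midday-2015-05-26"))
    keep = gfs_retention([t.date() for t, _ in sets], first_suspect.date())
    retained = [(t, sid) for t, sid in sets if t.date() in keep]
    only_post_infection = [s for s in retained if s[0] >= first_suspect]
    return {
        "retained_dates": sorted(d.isoformat() for d in keep),
        "restore_point": pick_restore_point(retained, first_suspect),
        # with only post-infection sets available there is nothing safe to restore
        "rejected": pick_restore_point(only_post_infection, first_suspect),
    }


if __name__ == "__main__":
    result = demo()
    print("retained:", ", ".join(result["retained_dates"]))
    print("restore from:", result["restore_point"])
    print("post-infection only:", result["rejected"])
```

The strict `<` in `pick_restore_point` is the whole point: a set that finished at 8:05AM is not a clean set, even though it is the newest one. Use the time the first infected machine could have started encrypting, not the time IT noticed.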
This only affected our internal servers’ files. This did not affect our client hosted assets that are fully separated, guarded, and backed up.
We want our clients to be aware of the different types of malware and ransomware that are out there. This is not just something you hear about on the news once in a while, and it isn't something that only affects large or major companies. This can happen to anyone at any time, and we want you to be prepared. Our recommendation: make sure you have a good backup strategy.
As always, if you have any questions or want to talk to TNTMAX about setting a backup plan in place for your data, please contact us. We will be excited to help you out!