CryptoWall 3.0 Ransomware – Ouch, It Hurts So Good…Get Out the Backup Tapes. You’ve Got Those Right?

Being the badass network admin that you are, you try to keep your servers up to date with all the latest Windows updates, you run antivirus on all the machines on your network and scan daily, and you have made sure that none of your users have local admin rights to their machines so they can’t install any software. So you think you are fairly well covered when it comes to viruses and spyware. Well, think again.

My company just got hit pretty hard with this new CryptoWall 3.0 virus. If you are unfamiliar with it, basically it encrypts any user-accessible data on local and network shares that it has permissions to and holds it ransom for Bitcoin payments.

After a little research, it looks like these hackers have been able to swindle a few million dollars of cold, hard cash out of people in exchange for their crypto keys, which leads me to the thought “they just hacked your computer and now you’re going to both pay them to get your data back and be a dumbass and assume that they aren’t going to just take the money and run??” So what, are they now somehow ethical by giving your crypto keys back? Are you serious?? And you’re just going to trust them now?! Unbelievable.

This was the first I had ever even heard of ransomware, so I guess I was lucky in that aspect, although it pisses me off severely to have to deal with the aftermath. That is some pretty conniving ass trickery there and I have got to give them props for creativeness. This virus doesn’t leave much identifiable information there to even be able to track which files have been affected. Even the created date and modified date timestamps aren’t affected.

Based on my findings, I believe that our infection was a result of an Adobe Flash Player vulnerability, although I haven’t quite pinpointed that yet one hundred percent.

Some of the first warning signs or things to look for if you think you might be infected are:

  • Users are complaining that they can’t access their network files or that they are coming up as gibberish when they do.
  • Users start seeing four new icons showing up in their folders named one of the following:
    HELP_DECRYPT.URL, HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT

A few words of advice:

  1. It is extremely important, and I can’t stress this enough, to catch this bug as quickly as possible before it destroys all your data. The absolute fastest way to track down the user account that is the culprit is to right-click on one of the HELP_DECRYPT.* files and see who the owner of the file is.
    Properties > Security tab > Advanced > Owner tab
  2. Once you’ve tracked down the user account, disconnect that person’s computer from the network completely and then proceed to run antivirus scans. On my server, AVG showed “svchost.exe” as infected and was able to heal it. Too bad it didn’t do shit to stop the virus in real time without me having to force a server scan.
  3. Once you’ve gotten the virus neutralized, it’s time to assess the damage factor. Run the following command at the command prompt on each drive that was connected via network shares and the user had permissions to access. This will get a list of paths or directories containing HELP_DECRYPT files:
    forfiles /p C:\ /s /m HELP_DECRYPT.* /C "cmd /c echo @path" > C:\filelisting.txt
  4. To help further analyze which files have been affected, from the command line you can either change into each one of the directories in your filelisting.txt and issue the following command to show the files owned by that user:
    dir /q | find /i "UserDomain\UserName"

    or you can employ a VBScript such as this (courtesy of the spiceworks forum)

    ' Lists every file or folder under oFolder whose owner is strUsername.
    ' Output per match: full path, the size column header, size (commas stripped).
    Set objShell = CreateObject("Shell.Application")
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    strUsername = "UserDomain\UserName"
    oFolder = "C:\"

    ' Index of the Owner column in the shell details view: 8 on Windows XP /
    ' Server 2003, 10 on Vista and later. Adjust for the OS running the script.
    Const OWNER_COLUMN = 8

    ScanFolder objFSO.GetFolder(oFolder)

    Sub ScanFolder(Folder)
        On Error Resume Next    ' keep going past folders that cannot be read
        Set oNsp = objShell.Namespace(Folder.Path)

        ' Check the items in this folder (this includes the start folder itself)
        If Not oNsp Is Nothing Then
            strSizeHeader = oNsp.GetDetailsOf(oNsp.Items, 1)
            For Each objItem In oNsp.Items
                If LCase(oNsp.GetDetailsOf(objItem, OWNER_COLUMN)) = LCase(strUsername) Then
                    WScript.Echo objItem.Path & "," & strSizeHeader & "," & Replace(oNsp.GetDetailsOf(objItem, 1), ",", "")
                End If
            Next
        End If

        ' Then recurse into each subfolder
        For Each Subfolder In Folder.SubFolders
            ScanFolder Subfolder
        Next
    End Sub
    

    and then pipe the output to a file like this

    C:\Windows\System32\cscript.exe C:\PathToVBScript\findown.vbs > C:\OwnedFiles.txt
  5. Since there is no way to decrypt the data without having the crypto keys, your only choice now is to restore the data from backups.
  6. After restoring all your precious data, you will want to get rid of all of the HELP_DECRYPT.* files by issuing a command such as this:
    forfiles /p C:\ /s /m HELP_DECRYPT.* /C "cmd /c del /q @path"
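
Steps 1, 3 and 4 rolled into one read-only pass, as an added example (not from the original post or the Spiceworks script): it finds every HELP_DECRYPT.* note under a root, reads each note's owner, and summarizes per account. The $Root and $Report defaults are assumptions, and -File needs PowerShell 3.0 or later.

```powershell
# Added example: read-only triage of ransom notes by owner. Deletes nothing.
# $Root and $Report defaults are assumptions; point them at the affected drive or share.
param(
    [string]$Root   = 'C:\',
    [string]$Report = 'C:\ransom_note_triage.csv'
)

# Every HELP_DECRYPT.* note marks a directory the malware walked through.
$notes = @(Get-ChildItem -Path $Root -Filter 'HELP_DECRYPT.*' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The note's NTFS owner points at the account the malware ran as.
        $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { '<unreadable>' }
        [pscustomobject]@{
            Owner     = $owner
            Directory = $_.DirectoryName
            Note      = $_.Name
            Created   = $_.CreationTime
        }
    })

if ($notes.Count -eq 0) {
    Write-Output "No HELP_DECRYPT.* files found under $Root"
    return
}

# Full listing, oldest first: the directories to check against backups.
$notes | Sort-Object Created | Export-Csv -Path $Report -NoTypeInformation

# Per-account summary. The notes are new files, so their creation times give
# a rough window of activity (assumes the malware left those timestamps alone).
$notes | Group-Object Owner | ForEach-Object {
    $byTime = @($_.Group | Sort-Object Created)
    [pscustomobject]@{
        Owner       = $_.Name
        Directories = @($_.Group | Select-Object -ExpandProperty Directory -Unique).Count
        FirstNote   = $byTime[0].Created
        LastNote    = $byTime[-1].Created
    }
} | Sort-Object FirstNote | Format-Table -AutoSize
```

More than one owner in the summary means more than one compromised account or machine to isolate.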

An ounce of prevention and…blah, blah, blah, suck it.

  • To mitigate the overall effects that this virus can have on your network, it is imperative to lock down all network shares to only those who need access and be exacting with the permissions such as granting the user read, write, modify, delete, etc. Do not give full control to anyone unless absolutely necessary as that also gives them the “Take Ownership” permission which will put you in a world of hurt as I have learned. Just pray to the lord that your domain admin account isn’t the one that gets compromised.
  • Back your shit up religiously. No excuses, just do it. It will save your ass down the road when tragedies like this strike.
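
One way to check the first point above, as an added example that is not part of the original post: it lists NTFS ACL entries on share roots that grant Take Ownership (on its own or as part of Full Control) to anyone outside an expected set. The paths in $SharePaths and the principals in $Allowed are assumptions; substitute your own.

```powershell
# Added example: find ACL entries that grant Take Ownership on share roots.
# $SharePaths (hypothetical paths) and $Allowed are assumptions; edit both.
$SharePaths = @('D:\Shares\Finance', 'D:\Shares\Public')
$Allowed    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Take Ownership is one bit of Full Control. ACEs stored with the generic
# GENERIC_ALL bit (0x10000000) also imply it, so test for both.
$takeOwn    = [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
$genericAll = 0x10000000

$findings = foreach ($path in $SharePaths) {
    $acl = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $acl) { Write-Warning "Cannot read ACL: $path"; continue }

    foreach ($ace in $acl.Access) {
        $rights   = [int]$ace.FileSystemRights
        $grants   = (($rights -band $takeOwn) -ne 0) -or (($rights -band $genericAll) -ne 0)
        $identity = $ace.IdentityReference.Value

        if ($ace.AccessControlType -eq 'Allow' -and $grants -and ($Allowed -notcontains $identity)) {
            [pscustomobject]@{
                Path      = $path
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { Write-Output 'No unexpected Take Ownership grants found.' }
```

This reads NTFS permissions only; share-level permissions are set separately and need their own review.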
