
CryptoWall 3.0 is still raging - how to prevent it?
« on: June 10, 2016, 12:05:12 pm »
With the CryptoWall 3.0 ransomware netting 325 million US dollars to the cyber crooks behind it, there are no signs of it ever stopping.

If you are tech savvy or knowledgeable about the Windows Operating System and its processes, it will be good to know the following key operations which the ransomware performs before encryption:

It calls WinExec(“vssadmin.exe Delete Shadows /All /Quiet”), which deletes the Shadow Volume Copies (the automatic backup of Windows).

It calls WinExec(“bcdedit /set {default} recoveryenabled No”), which disables the Startup Repair from automatic loading if there is a problem.

It calls WinExec(“bcdedit /set {default} bootstatuspolicy ignoreallfailures”), which disables the Windows Error Recovery service on startup.

CryptoWall 3.0 stops the following services, and modifies them so they don't launch on startup:

  • Wscsvc
  • WinDefend
  • Wuauserv
  • BITS
  • WerSvc
  • ERSvc

And after, it deletes the registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.Windows Defender – preventing Windows Defender from loading automatically with each system start.

Deletes the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC} – this disables the security center notifications.

Finally, CryptoWall 3.0 writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemRestore.DisableSR = “1” – which disables System Restore.

CryptoWall 3.0 relies on svchost.exe to inject malicious code and perform key functions for the ransomware to operate properly.

If you are aware of that, you might see things in your computer or Task Manager which seem out of place and plain suspicious and act before the encryption has started.

Even if you do not have such skills, the least you should do is put a secondary defense mechanism in your computer.
Specifically for preventing ransomware infections, there are Anti-Ransomware Tools which look for such things.

Be sure to check the ransomware prevention tips we have on the forum (don't be shy to write an idea of your own in there).

Note! This is an open discussion topic - write comments, suggestions, ideas or encounters with CryptoWall - we will try to help in any way we can!

Best Regards,
Execute
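As an added example (not part of Execute's post), here is a read-only PowerShell audit that checks a Windows host for the tampering indicators listed in the post. The service names, registry paths and bcdedit values come from the post; the check logic is an assumption of mine, and it changes nothing on the system.

```powershell
# Added example, not from the original post: read-only audit for CryptoWall-style
# pre-encryption tampering. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Shadow Volume Copies: the ransomware runs "vssadmin.exe Delete Shadows /All /Quiet".
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings += "No Volume Shadow Copies present" }

# 2. Boot configuration: Startup Repair disabled / boot failures ignored.
#    Note: bcdedit output is localized; the patterns below assume an English system.
$bcd = (bcdedit /enum '{default}') -join "`n"
if ($bcd -match 'recoveryenabled\s+No')                 { $findings += "bcdedit: recoveryenabled = No" }
if ($bcd -match 'bootstatuspolicy\s+IgnoreAllFailures') { $findings += "bcdedit: bootstatuspolicy = IgnoreAllFailures" }

# 3. Security-related services stopped or set not to start.
#    ERSvc only exists on older Windows versions, so a missing service is skipped.
foreach ($name in 'Wscsvc', 'WinDefend', 'Wuauserv', 'BITS', 'WerSvc', 'ERSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.StartType -eq 'Disabled' -or $svc.Status -ne 'Running') {
        $findings += "Service $name is $($svc.Status) (StartType: $($svc.StartType))"
    }
}

# 4. Registry keys and values the post says the ransomware deletes or sets.
#    The Run entry and ShellServiceObjects key are Windows 7-era defaults and may be
#    absent by design on newer Windows, so treat those two as weak indicators.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (-not (Get-ItemProperty -Path $run -Name 'Windows Defender' -ErrorAction SilentlyContinue)) {
    $findings += "Run entry 'Windows Defender' is missing (weak indicator)"
}
$sso = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}'
if (-not (Test-Path -Path $sso)) {
    $findings += "Security Center notification ShellServiceObjects key is missing (weak indicator)"
}
$sr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemRestore' `
                       -Name DisableSR -ErrorAction SilentlyContinue
if ($sr -and $sr.DisableSR -eq 1) { $findings += "System Restore is disabled (DisableSR = 1)" }

# Report. Several hits together, on a machine where you did not make these changes,
# are the cue to isolate it and inspect running processes before encryption begins.
if ($findings.Count -eq 0) {
    "No CryptoWall-style tampering indicators found."
} else {
    "Indicators found:"
    $findings | ForEach-Object { " - $_" }
}
```

Any single finding can have a benign cause (an administrator may have disabled System Restore deliberately), so read the output as a whole rather than alerting on one line.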