CryptoWall 3.0
Idea shared by Matthew Titley - 4/7/2015 at 10:24 AM
Hi all,
This is just a heads-up kind of post. I've seen three CryptoWall infections in the past few weeks. This is one scary virus and sure lives up to its billing. Two of the three I've seen were from non-mail-hosting customers. Today, an employee of a client got a CryptoWall infection. A/V was disabled somehow... I was able to find an email in the SM archive which was probably the culprit. The email contained a link to a URL with a whole bunch of random host name characters calling a randomly generated PHP file name.
Why on earth the employee followed the link is beyond me, but getting a straight answer on what actually transpired in retrospect will be futile and pointless, I suspect.
Anyway, this is one bad virus. Once you get it, it encrypts all documents to an, in essence, undecryptable state without paying the ransom of hundreds of dollars or more. It's the real deal. Luckily, two of the three infections I've seen had backup routines in place to safeguard data. From a SmarterMail admin perspective I don't know how else to protect against these attacks. We're already using most of the tips in Bruce's documents, along with CommTouch. Just last week I updated to the ClamSup add-on for ClamAV, which seems to be working just fine. Of course, these types of phishing attacks will always get through on occasion, and it is up to endpoint security and smarter users for the rest.
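The lure described above (a link whose host name is a run of random characters, pointing at a randomly named .php file) is something an admin can triage for in archived message bodies with a cheap heuristic. The following script is an added example, not code from the post or from SmarterMail, ClamAV or CommTouch; the entropy and vowel thresholds, the regexes and the sample e-mail text are constructed assumptions, and the check is a first-pass filter for human review, not a verdict.

```python
import math
import re
from urllib.parse import urlparse

# Constructed sample: one link of the kind described in the post
# (random host label, random .php name) beside two ordinary links.
SAMPLE_EMAIL = """Subject: Invoice attached

Please review your invoice at
http://k7q2zx9mvb3w.example.net/dl/a8f3k2j9q.php?id=1
Our website: https://www.smartertools.com/smartermail
Downloads: https://www.example.com/download.php
"""

URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)
# A bare alphanumeric name of 6+ characters ending in .php (assumed pattern).
RANDOM_PHP_RE = re.compile(r'^[a-z0-9]{6,}\.php$', re.IGNORECASE)
VOWELS = set('aeiou')


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=8, min_entropy=3.0):
    """Heuristic for a machine-generated label: long enough, high entropy,
    and either digits mixed in or too few vowels to be a natural word.
    The thresholds are assumptions chosen for this example."""
    s = label.lower()
    if len(s) < min_len or shannon_entropy(s) < min_entropy:
        return False
    has_digit = any(ch.isdigit() for ch in s)
    vowel_ratio = sum(ch in VOWELS for ch in s) / len(s)
    return has_digit or vowel_ratio < 0.25


def score_url(url):
    """Return the reasons (possibly none) a URL resembles the described lure."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ''
    labels = host.split('.')
    # Check every host label except the TLD.
    if any(looks_random(lbl) for lbl in labels[:-1]):
        reasons.append('random-looking host label')
    last = parsed.path.rsplit('/', 1)[-1]
    if RANDOM_PHP_RE.match(last) and looks_random(last[:-4], min_len=6):
        reasons.append('random-looking .php file name')
    return reasons


def flag_urls(text):
    """Extract URLs from a message body; map suspicious ones to their reasons."""
    flagged = {}
    for url in URL_RE.findall(text):
        reasons = score_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


if __name__ == '__main__':
    for url, reasons in flag_urls(SAMPLE_EMAIL).items():
        print(url, '->', ', '.join(reasons))
```

Run it over exported message bodies and review what it flags; the entropy test alone would also catch some legitimate CDN host names, which is why the digit and vowel conditions are layered on top, and why the output is a review queue rather than a block list.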