Tales of a CryptoWall Infection


Ideally your network should never get this infection, but nothing is 100%. So even if you’ve taken precautions, unexpected things can still happen that leave the network vulnerable, and in that window an infection can occur. I recently saw firsthand just what happens when a CryptoWall infection occurs and, more importantly, we were able to determine what led to the infection and the re-infection. There are some lessons to be learned.

So let’s cut to the chase. It was the owner’s laptop. I mentioned this to someone and the response was “It always is.” Why is that? Generally because business owners are likely to demand special treatment on a network and to treat their business computers as home computers. This all makes sense: it’s their business, and when you own a business you can’t really separate it from your life. So it goes where you go and does what you do. Business owners are treated differently for these reasons, but what we really need to be careful of is that they don’t end up so different that they compromise the thing they value most: the business.

Suggestion: Talk to business owners about the risk of being special. Many will be willing to accept the risk but others will decide to come into closer compliance.

In the case of this incident the laptop had an outdated version of the antivirus software on it. It had been installed recently, and the wrong version was used, so it did not receive updates. This meant that while it was protected against some bad things, it missed the incoming trojan that carried CryptoWall. CryptoWall most frequently rides along on another infection these days, so first you need to manage to get yourself infected with a trojan; the outdated virus definitions allowed this. It is easy for laptops that aren’t in the office frequently to end up with outdated virus definitions. Once they are too far out of date, they no longer show up in the management portal, which is what occurred in this case. We’ve also seen cases where antivirus software has been damaged by an attempted infection. We call it self-sacrifice. Sometimes the only way you can tell whether it is still working is to actually open the software.

Suggestion: Look! With today’s remote access tools we have less and less opportunity to see laptops and workstations firsthand. When you are onsite and run into a laptop user, ask to take a look at their machine. Check it for updates. Check the date of its virus pattern. Check that the antivirus client is working.

Once the CryptoLocker executable gets onto a machine it has to be able to run. Like all of the crypto variants out there, this one runs from AppData. But the CryptoLocker policies block executables from that location, so it should not have been able to run. What happened? The policy was disabled to allow for a software installation. The laptop was in the office during that time and then it went home. Later the policy was re-enabled, but with the laptop already gone it never got the policy turned back on.

Suggestion: Never turn the policy off. Instead, temporarily exempt the user whose computer you are working on from the policy. Or, if this is a regular occurrence, exempt the software so that it, and only it, is able to run .exe files from AppData.
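As an added example (not part of the original post and not the prevention kit’s own scripts), here is a PowerShell check for the failure mode above: it reads the Software Restriction Policy path rules present on a laptop and reports whether a Disallowed rule still covers executables under AppData, and which Unrestricted exemptions exist alongside it. It assumes the CryptoLocker policies are SRP path rules, which Windows stores under the Safer\CodeIdentifiers registry key.

```powershell
# Added example, not from the original post. Assumes the "cryptolocker
# policies" are Software Restriction Policy (SRP) path rules, which Windows
# stores under ...\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
# Run in an elevated PowerShell on the laptop you are checking.

$SrpLevels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    # Enumerate every path rule in both the machine and the user policy.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        foreach ($level in $SrpLevels.Keys) {
            $paths = "$base\$level\Paths"
            if (-not (Test-Path $paths)) { continue }
            foreach ($key in Get-ChildItem $paths) {
                $rule = Get-ItemProperty $key.PSPath
                [pscustomobject]@{
                    Hive  = $hive
                    Level = $SrpLevels[$level]
                    Path  = $rule.ItemData      # e.g. %AppData%\*.exe (expanded)
                    Note  = $rule.Description
                }
            }
        }
    }
}

function Test-AppDataBlockRule {
    # True when a Disallowed rule still blocks *.exe somewhere under AppData.
    $rules = @(Get-SrpPathRule)
    $block = @($rules | Where-Object {
        $_.Level -eq 'Disallowed' -and $_.Path -match 'AppData' -and $_.Path -like '*.exe'
    })
    # Show every rule so per-software exemptions (Unrestricted) are visible too.
    $rules | Sort-Object Level, Path | Format-Table -AutoSize | Out-String | Write-Host
    if ($block.Count -eq 0) {
        Write-Warning 'No SRP rule blocks .exe under AppData: the policy is off or never reached this machine.'
        return $false
    }
    Write-Host "AppData block present ($($block.Count) rule(s)); exemptions are listed above as Unrestricted."
    return $true
}

Test-AppDataBlockRule
```

A laptop that left the office while the policy was disabled will show no Disallowed rules at all, which is exactly the state this incident was in.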

CryptoWall encrypts fast! I have read 5 GB an hour. In the case of this particular incident we know that it ran for 12 minutes on the first infection and 3 minutes on the second occurrence. On the first infection it was able to encrypt thousands of files; on the second it was able to encrypt a hundred. This was across 4 network drives. In addition it encrypted the local file locations too. It will encrypt files in any local folder or network drive that the user has write access to.

Suggestion: Review permissions and drive mappings. If a user doesn’t need write access to a location, make sure they can’t write to it. Also check your backup storage location and make sure writes are limited there too.

One of the folders that was encrypted contained SQL Server data. This server was only being backed up once per day. Because of that, the restore not only took a full day but also rolled the data back to the previous day, resulting in two lost work days.

Suggestion: Back up multiple times per day. With today’s software there is no reason not to. Image-based backup software is so efficient that there is no performance hit. Gone are the days of having to do full backups overnight; to be doing so today is legacy thinking.

CryptoWall also places itself into the Startup folder so it can launch upon reboot. This way, if you shut down before it is finished, it will simply pick up where it left off the next time you power on. In the case of the second occurrence of infection, although the laptop partitions were removed and a new OS version was installed, redirected folders brought the file back to the machine.

Suggestion: Redirected folders can have unintended consequences like this. And today, with the multiple-machine sync features of a Microsoft account, infections can compound themselves quickly. Keep an eye on where things sync from and scan those areas too, even if you don’t see encrypted files there.

  • Take advantage of your onsite time to check up on machines. Do a few every time you visit.
  • Never disable the CryptoLocker policies once enabled. Only use exceptions.
  • Check your folder permissions and minimize mapped drives per user.
  • Back up multiple times per day.
  • Before you reboot, think about your file sync locations and check them for .exe files.
  • Remind your users to be careful. It’s a dangerous world and no protection plan is 100%.
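To make the “check your sync locations for .exe” item concrete, here is an added PowerShell example (not the post’s own tooling) that lists executables in the Startup folder, under AppData, and in any redirected or synced shell folders, together with their Authenticode status, so they can be reviewed before the machine is rebooted. It assumes redirected and OneDrive-synced paths are reflected in the current user’s User Shell Folders registry key, which is where Folder Redirection and Known Folder Move record them.

```powershell
# Added example, not from the original post. Lists executables in the places
# CryptoWall used to persist (Startup, AppData) and to come back from
# (redirected or synced folders). Assumption: redirected and synced folder
# paths are recorded in the current user's "User Shell Folders" key.
# Run as the affected user, before rebooting.

$ShellKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$ScanFolders = 'Startup', 'AppData', 'Local AppData', 'Personal', 'Desktop'

function Get-ScanLocation {
    # Resolve each shell folder to its current path (a UNC path if redirected).
    $props = Get-ItemProperty -Path $ShellKey
    foreach ($name in $ScanFolders) {
        $path = $props.$name
        if ($path -and (Test-Path $path)) {
            [pscustomobject]@{ Name = $name; Path = $path }
        }
    }
}

function Find-SuspectExecutable {
    param([int]$Days = 14)   # how far back "recently written" reaches
    $since = (Get-Date).AddDays(-$Days)
    foreach ($loc in Get-ScanLocation) {
        Get-ChildItem -Path $loc.Path -Recurse -File -Include *.exe, *.scr, *.com, *.pif -ErrorAction SilentlyContinue |
            # Everything in Startup matters; elsewhere only recent drops.
            Where-Object { $loc.Name -eq 'Startup' -or $_.LastWriteTime -ge $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $loc.Name
                    File     = $_.FullName
                    Modified = $_.LastWriteTime
                    Signed   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
    }
}

# Anything in Startup, and any unsigned recent executable in the other
# folders, deserves a look before the machine is powered back on.
Find-SuspectExecutable | Sort-Object Folder, Modified -Descending | Format-Table -AutoSize
```

Because the Startup folder lives under AppData, a recent file there can appear twice; that is harmless, since the point is that nothing in either place is missed.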


Not a Third Tier customer yet? Let me introduce:  We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations. Attend our next chat or webinar: http://www.thirdtier.net/events
