Cryptowall Ransomware is malware, not a virus, and will not spread through the network. The DECRYPT_INSTRUCTION, DecryptAllFiles, how_decrypt, HELP_DECRYPT, HELP_TO_SAVE_FILES, and Help_Restore_Files files (the ransom notes) may be deleted, as they are inert. The primary form of delivery is an email received by an end user with a link or an attachment. The link is usually a Dropbox link, and the file is usually a zip, exe, vbs, or txt file. This link/file is only a downloader, which installs itself and later downloads the ransomware.
The major problem with Crypto Ransomware is that it uninstalls itself after it has finished, leaving no traces behind. This makes it very difficult to obtain the actual file responsible for the encryption.
While we are continually updating our definitions for the Crypto Ransomware, there are many new variants each day.
Currently, no antivirus application is able to stop all of its variants; this is an industry-wide issue at the moment.
Because Crypto Ransomware uses RSA encryption, it requires a server to issue a key. The request goes out, and the reply comes in, on a non-standard port. A properly configured firewall will block access to the key as well as to the server issuing it.
Cyber Security Planning Guide:
How to prevent your computer from becoming infected by Crypto Ransomware:
You can use the Windows Group Policy or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths.
For more information on how to configure Software Restriction Policies, please see these articles from MS:
The file paths that have been used by this infection and its droppers are:
- Universal file paths:
  - C:\(random)\(random).exe
  - %Temp%\(random).exe
- Windows XP specific:
  - C:\Documents and Settings\(User)\Application Data\(random).exe
  - C:\Documents and Settings\(User)\Local Application Data\(random).exe
- Windows Vista+ specific:
  - C:\Users\(User)\AppData\Local\(random).exe
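The following script, added here as an example and not part of the original page, writes Software Restriction Policy path rules that disallow *.exe launched from the temp and profile locations listed above. It uses the registry layout SRP itself stores its rules in; the rule descriptions and GUIDs are generated by the script, and it assumes an elevated PowerShell session on an edition of Windows that supports SRP.

```powershell
# Added example: disallow *.exe in the user-writable paths listed above via
# Software Restriction Policies. Run as Administrator.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Path patterns to disallow. SRP expands environment variables in the
# context of the user launching the program. No rule is written for the
# root-level C:\(random)\(random).exe pattern: C:\*\*.exe would also match
# C:\Windows\ and C:\Program Files\, so that case needs a narrower rule.
$rules = @{
    '%Temp%\*.exe'                                          = 'Temp folder executables'
    '%AppData%\*.exe'                                       = 'Roaming AppData executables'
    '%LocalAppData%\*.exe'                                  = 'Local AppData executables (Vista+)'
    '%UserProfile%\Local Settings\Application Data\*.exe'  = 'Local AppData executables (XP)'
}

# Policy defaults: DefaultLevel 0x40000 = Unrestricted (only explicit rules
# block), TransparentEnabled 1 = apply to software files except libraries,
# PolicyScope 0 = all users.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel       -PropertyType DWord -Value 0x40000 -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1       -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope        -PropertyType DWord -Value 0       -Force | Out-Null

# Security level 0 = Disallowed; each path rule lives in its own GUID subkey
# with the pattern in ItemData (REG_EXPAND_SZ) and SaferFlags = 0.
$disallowed = Join-Path $base '0\Paths'
foreach ($pattern in $rules.Keys) {
    $ruleKey = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value $pattern         -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0                -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value $rules[$pattern] -Force | Out-Null
}

# Refresh policy and list the disallowed patterns so the result can be checked.
gpupdate /force | Out-Null
Get-ChildItem $disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Test the rules on a non-production machine first: legitimate installers and updaters that run from %Temp% or %AppData% will be blocked too, and each needs its own Unrestricted exception under the 0x40000 level key.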