Never Pay the Ransomer

CryptoWall has struck again—only this time it’s nastier than before. With a redesigned ransom note and new encryption capabilities, BleepingComputer.com’s description of the “new and improved” CryptoWall 4.0 sounds more like a marketing brochure for a well-loved software product than a ransom demand.

Like the iterations of CryptoWall that came before the 4.0 version, the only way to get your files back is to pay the ransom in exchange for the encryption key or wipe the computer clean and restore the files from an endpoint backup archive. The FBI agrees, stating “If your computer is infected with certain forms of ransomware, and you haven’t backed up that machine, just pay up.”

In addition to encrypting the data on an infected machine and demanding a ransom for the decryption key, CryptoWall 4.0 now encrypts the filenames on an infected machine too, leaving alphanumeric strings where file names once were.

The most significant change in CryptoWall 4.0 is that it now also encrypts the filenames of the encrypted files. Each file will have its name changed to a unique encrypted name like 27p9k967z.x1nep or 9242on6c.6la9. The filenames are probably encrypted to make it more difficult to know what files need to be recovered and to make it more frustrating for the victim.

Not unlike Bill Miner, infamously known as the Gentleman Robber, CryptoWall 4.0 makes a farcical attempt at politeness. CryptoWall 4.0’s ransom note reassures its victims that the infection of their computer is not done to cause harm and even congratulates its victims on becoming part of the CryptoWall community, as if it were some sort of honor.

CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place.

Ransomware is a lucrative business. It is estimated that the CryptoWall virus alone cost its victims more than $18 million dollars in losses and ransom fees from April of 2014 to June of 2015. In the spirit that being robbed doesn’t have to be a bad experience, CryptoWall 4.0 makes a bad attempt at customer service, claiming “we are ready to help you always.” Additionally,

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions. From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

In closing, the ransom note states,

…that the worst has already happened and now the further life of your files depends directly on your determination and speed of your actions.

Whether hackers use CryptoLocker, CryptoWall, CTB-Locker, TorrentLocker or one of the many variants, the outcome is the same. Users have no choice but to pay the ransom—unless they have endpoint backup in place. Even with the best tech resources, decrypting the algorithm used to lock files without the key would require several lifetimes. Whereas, with automatic, continuous backup, end users will NEVER pay the ransomer because a copy of their data is always preserved.

Rachel Holdgrafer, Content Business Strategist, Code42

[Cloud Security Alliance Blog]

Upatre: Old Dog, New [Anti-Analysis] Tricks

Malware authors must constantly iterate on their techniques in order to stay relevant in today’s fast moving Information Security environment. The Upatre downloader has been around for nearly three years and has consistently evolved its anti-analysis capabilities to better ensure payload delivery. Using Palo Alto Networks AutoFocus, we identified several thousand functionally identical Upatre binaries with unique hashes that exhibited unusual anti-analysis behaviors. We dove into the most recent phishing campaign to identify the new anti-analysis routines designed to maneuver around behavioral analysis systems.

Diving In

Upatre’s new technique takes advantage of undocumented NtQuerySystemInformation structures. It attempts to call the ZwQuerySystemInformation API a few times to determine the idle time of the system. The ZwQuerySystemInformation API takes a SYSTEM_INFORMATION_CLASS as an argument for what to query. There are several options to query for, all with respective structures.

ZwQuerySystemInformation Function Specification

Upatre first calls ZwQuerySystemInformation querying for the SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION with a value of 0x0008.

SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION Struct

Screenshot Showing Upatre’s Anti-Analysis Technique in Assembly

The first call returns 0xC0000004 for STATUS_INFO_LENGTH_MISMATCH. On Windows 7 this successfully returns the size of the buffer required for the structure on the top of the stack. On Windows XP it returns 0 on the top of the stack for the ReturnLength. Upatre checks the ReturnLength by performing a shift-right by 2 and testing if the resulting value is 0.

Windows 7 returning the ReturnLength on the top of the stack

On Windows 7 Upatre calls ZwQuerySystemInformation again with the same SYSTEM_INFORMATION_CLASS 0x0008 and including the appropriate parameters to receive the structure into a buffer. If the function fails, Upatre exits.

Windows 7 Second Call to ZwQuerySystemInformation

Upatre then checks the second dword of the IdleTime to see if it is above 1; if it is not, Upatre exits. This value is the processor’s “total idle time, measured in units of 100-nanoseconds”[1]. This check is designed to make sure that the system Upatre is running on has accumulated a sufficient amount of idle time, as a real system would have and an analysis system typically has not.

Windows 7 Comparing IdleTime to 1

On Windows XP Upatre uses a different SYSTEM_INFORMATION_CLASS for the second call. It queries for the SYSTEM_PERFORMANCE_INFORMATION with a value of 0x0002 and tests to make sure the API successfully completed. If it doesn’t complete, Upatre exits.

Upatre Querying ZwQuerySystemInformation for SYSTEM_PERFORMANCE_INFORMATION on Windows XP

The SystemPerformanceInformation is an undocumented structure, but thanks to Matt Graeber’s research we can see that it holds the following information:

Snippet of SYSTEM_PERFORMANCE_INFORMATION Struct

Upatre checks the second dword of idleProcessTime to make sure that the IdleProcessTime is above 2.
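To see what the two thresholds above actually demand of a host (and therefore how much idle time an analysis VM must have accumulated before detonation), here is an added example, not Upatre’s code nor anything from Palo Alto Networks: it decodes a captured class-8 buffer using the SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION layout from winternl.h, applies the same “high dword of IdleTime above N” test, and converts the threshold to seconds. The sample buffers are constructed inline, so it runs offline on any platform.

```python
import struct

# One SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION element (class 8, one per
# processor): IdleTime, KernelTime, UserTime, two reserved LARGE_INTEGERs,
# then a ULONG padded to the 8-byte LARGE_INTEGER alignment (48 bytes).
PROC_PERF_FMT = "<qqqqqI4x"
PROC_PERF_SIZE = struct.calcsize(PROC_PERF_FMT)  # 48

HUNDRED_NS_PER_SECOND = 10_000_000  # LARGE_INTEGER times are in 100 ns units


def split_dwords(value: int) -> tuple[int, int]:
    """Split a 64-bit LARGE_INTEGER into (low dword, high dword), the two
    stack slots the 32-bit sample inspects."""
    value &= 0xFFFFFFFFFFFFFFFF
    return value & 0xFFFFFFFF, value >> 32


def parse_processor_perf(buf: bytes) -> list[dict]:
    """Decode the per-processor array returned for SYSTEM_INFORMATION_CLASS 8."""
    if len(buf) % PROC_PERF_SIZE:
        raise ValueError("buffer is not a whole number of 48-byte elements")
    entries = []
    for off in range(0, len(buf), PROC_PERF_SIZE):
        idle, kernel, user, _r1a, _r1b, _r2 = struct.unpack_from(PROC_PERF_FMT, buf, off)
        entries.append({"IdleTime": idle, "KernelTime": kernel, "UserTime": user})
    return entries


def passes_upatre_idle_check(idle_time: int, min_high_dword: int = 1) -> bool:
    """The page's test: the high dword of IdleTime must be above 1 on the
    Windows 7 path; the XP path applies the same shape of test to
    IdleProcessTime with 2, which is what min_high_dword selects."""
    _, high = split_dwords(idle_time)
    return high > min_high_dword


def min_idle_seconds(min_high_dword: int) -> float:
    """Smallest idle time (seconds) satisfying 'high dword > N': the high
    dword must reach N+1, i.e. (N+1) * 2**32 units of 100 ns."""
    return (min_high_dword + 1) * 2**32 / HUNDRED_NS_PER_SECOND


def build_sample(idle_s: float, kernel_s: float, user_s: float) -> bytes:
    """Constructed one-processor buffer for offline testing (not captured data)."""
    units = lambda s: int(s * HUNDRED_NS_PER_SECOND)
    return struct.pack(PROC_PERF_FMT, units(idle_s), units(kernel_s), units(user_s), 0, 0, 0)


if __name__ == "__main__":
    samples = {"fresh VM (2 min idle)": build_sample(120, 30, 15),
               "aged host (1 h idle)": build_sample(3600, 500, 200)}
    for label, buf in samples.items():
        idle = parse_processor_perf(buf)[0]["IdleTime"]
        _, high = split_dwords(idle)
        print(f"{label}: IdleTime high dword = {high}, passes Win7 check = {passes_upatre_idle_check(idle)}")
    print(f"Win7 path needs >= {min_idle_seconds(1):.1f} s idle; XP path needs >= {min_idle_seconds(2):.1f} s")
```

The arithmetic is the useful part for a sandbox operator: the Windows 7 check only passes once the first processor has logged roughly 859 seconds of idle time, and the XP check about 1288 seconds, so a VM snapshotted seconds after boot fails both.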

Example Sample:

9eadcc852b87429dfb8c7e61da7951a8fb8c28eb88ec91d90eea290248747dff

Conclusion

Each of the techniques described above attempts to identify hosts which exhibit evidence of being part of a malware analysis system. WildFire, the Palo Alto Networks behavioral analysis system, identifies these techniques and properly executes the malware to determine a malicious verdict.

Upatre continues to be distributed through mass phishing campaigns and relies heavily upon social engineering tactics to fool users into opening malicious attachments. Users should always be suspicious of all e-mail attachments, but especially those that they have received from senders they do not regularly communicate with.

November 16th Phishing Campaign: the subject and filename of this campaign were unique per recipient.

Indicators

Related Hashes

9eadcc852b87429dfb8c7e61da7951a8fb8c28eb88ec91d90eea290248747dff

6fea45fbc2590105b3a9e97a966e7c5928d5ce3e72c63ce3d9b187b79ea25baa

Upatre Command and Control Servers


[1] Nebbett, G. (2000). Windows NT/2000 native API reference. Indianapolis, IN: Macmillan Technical Pub.


[Palo Alto Networks Blog]

CSX 2015—From a Young Professional’s Perspective

ISACA’s inaugural CSX Conference took place in Washington, DC on 19-21 October, and it immediately raised the bar for IT security conferences. The hands-on pre-conference workshops and education sessions during the event provided tremendous value and insight into cybersecurity best practices and industry trends. As a young professional, the opportunity to hear from some industry experts and leading figures within the cybersecurity field was exceptionally beneficial.

The conference provided young professionals a chance to network with subject matter experts, vendors from large corporations or cybersecurity startups, as well as our peers. We were able to understand ways in which threats are evolving and the skills needed to keep up with the demands of protecting systems and sensitive information. It was easy to follow the rapid reactions and thoughts of attendees, as they discussed the conference topics on Twitter, as the updates were displayed on monitors throughout the expo hall or conference center.

Students attending the conference expressed enthusiasm about being able to provide direct feedback to ISACA Headquarters regarding the conference format, CSX career paths and volunteer opportunities. For them, a good challenge to have was deciding how to select the best possible session to attend, since there were so many good learning opportunities and speakers in each of the time slots. This only goes to show the depth and value of the education provided.

The CyberLympics competition added a new dynamic to the event. It was very exciting to observe and follow the progress through the second day of the conference. A previous colleague of mine was part of the team that represented Team USA. He felt the team had a complementary set of skills that enabled them to achieve the success they had in the earlier rounds of the competition to get to the finals.

Keynote speaker John Sileo gave a moving presentation on the value of identity theft, privacy and protecting your own personal information. For young professionals who are used to sharing so much on a daily basis, this session really resonated and demonstrated the real-life dangers of social engineering and sharing too much information. It made you think twice.

The conference concluded with a great keynote from Robert Herjavec, owner of the Herjavec Group and regular on the popular TV show, Shark Tank. His perspectives spanned a long entrepreneurial career and he emphasized the importance of cybersecurity professionals in this day and age, as we face such persistent threats from many sources.

Mark your calendars for the CSX Conference next year in Las Vegas at the Cosmopolitan from 17-19 October. It is an event you do not want to miss.

Jason Yakencheck, CISA, CISM, CISSP-ISSAP
Senior Managing Consultant, Cybersecurity & Privacy, IBM Global Business Services

[ISACA Now Blog]

Five Value-enhancing Adjustments for Information Risk and Security Programs and Professionals

For information risk and security programs and professionals to continue to stay relevant, provide value and be effective in the organizations they support, they must regularly adjust their approach. Organizations are constantly maturing and evolving, while simultaneously changing their activities, expectations and requirements. The most effective way for risk and security professionals to support programs is to mature, evolve and change with them. Consider these 5 adjustments that risk and security programs and professionals can implement to continue to be valuable and beneficial to their organizations:

  1. Organize under enterprise risk management (ERM) functions—Information risk and security should be considered and organized under an ERM function within an organization instead of a technology function. In many organizations, the information risk and security programs and their associated professionals are organized as part of IT groups led by technology leaders (e.g., chief information officers). This potentially limits the risk and security professional’s scope and can create a conflict of interest and tension between them and the technology leaders they are supposed to support. As a result, the information risk and security professional may not be viewed as a valued asset by the technology leader, which could result in punitive action or lack of trust, as IT leaders may not believe information risk and security professionals are properly supporting their views or initiatives.
  2. Present information that the organization really wants—Instead of assuming what business leaders and stakeholders want to know about information risk and security, ask them. It is often the case that information risk and security professionals either assume they know the insights and information that their constituents and stakeholders are interested in or that these individuals are not knowledgeable enough to ask for the right things. Regardless of the scenario, collaboration will help both groups build stronger relationships and understand how to interact with each other more effectively.
  3. Articulate threat, vulnerability and then risk—Risk and security professionals commonly make the mistake of speaking about risk when they really are representing their insights and analysis concerning threats and vulnerabilities. The determination of a risk to an organization includes threat and vulnerability information, but also incorporates important data points such as business impact analysis if the threat is realized or vulnerability is exploited, business value and strategy, and calibration with the organization’s overall risk appetite. If these information risk and security professionals do not have a current and credible understanding of business considerations and tolerances, they cannot be expected to provide accurate representations of risk to their constituents and stakeholders.
  4. Use a consultative approach—Information risk and security professionals are often perceived as being authoritative and unapproachable in many organizations. This is especially true when they are restricting individuals from pursuing a course of action or activity. An effective approach to removing this stigma is to integrate a consultative element into the information risk and security program or activities. This will assist the risk and security professional in building strong relationships, allowing them to provide useful advice and guidance, and be present and active in business activities on a regular basis instead of only at decision or review points. A consultative element will also provide the organization with an interface into the risk and security program where they can ask questions, develop and collaborate on ideas, and proactively engage to ensure they not only understand information risk and security expectations and requirements, but also the reasons for their existence.
  5. Embrace, but educate—Instead of saying no to new technologies, ideas and capabilities in the name of security, try to find a way to say yes. Individuals within the organization often assume that the position of the risk and security professional or program is to restrict the use of new technologies, ideas and capabilities. A more effective approach is to embrace technological changes while at the same time educating the individuals who want to use new technologies about the appropriate information risk and security considerations, concerns and requirements that need to be accommodated as part of their use. This will empower individuals to be able to make informed decisions about the use of these resources and, at the same time, ensure they are aware of their risk and security obligations.

Information risk and security programs and professionals need to continue to enhance their value proposition to the organizations and individuals they support so they can continue to be effective and relevant. The fundamental organization, policies, standards, functions and control frameworks to support information risk management and security are typically already in place in most organizations. What may be missing are the adjustments in approach and capability that are required to operate security programs effectively so that they are viewed as a benefit and not as a burden to the organizations and individuals they support.

John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.

[ISACA Volume 23]

The Numbers Behind Cloud User Error

In the not-too-distant past, service providers had a tough time convincing enterprise IT departments that cloud platforms were secure enough for corporate data. Fortunately, perspectives on cloud have matured, and more and more organizations are migrating their sanctioned file sharing applications to the cloud. Fast forward to 2020, when Gartner predicts 95% of cloud security failures will be the customers’ fault. Skyhigh Networks’ latest Cloud Adoption & Risk Report shows the stakes are high for preventing “cloud user error.”

Enterprise-ready services have extensive security capabilities against external attacks, but customers have the ultimate responsibility for ensuring sensitive data is not improperly disclosed. Just as attackers can circumvent perimeter defenses such as powerful firewalls in favor of stolen credentials or alternate vectors of attack, secure cloud services can incent attackers to target the vulnerabilities inherent in day-to-day use of applications. In addition to compromised accounts, in which attackers gain access to a cloud service via stolen user credentials, enterprises need to worry about malicious insiders, compliance violations, and even accidental mismanagement of access controls.

The report, which analyzes actual usage data from over 23 million enterprise employees, uncovered an epidemic of file over-sharing. Whether IT is aware or not, cloud-based file-sharing services serve as repositories of sensitive data for the average organization. According to the report, 15.8 percent of documents in file-sharing services contain sensitive data. The employees responsible for sensitive data are not a small group: 28.1% of all employees have uploaded a file containing sensitive data to the cloud.

Most concerning is the lack of controls on who can access files once uploaded to the cloud. 12.9 percent of files are accessible by any employee within the organization, which poses a significant liability given the size of the organizations analyzed. Employees shared 28.2 percent of files with external business partners. Given the critical role business partners have played in several highly publicized breaches, companies should closely monitor data shared outside the organization, even with trusted partners. Although they make up only 6 percent of collaborations, personal email addresses raise concerns over the recipient’s identity and necessitate granular access policies; companies may not want to grant the ability to download files to personal email domains, for example. Finally, 5.4 percent of files are available to anyone with the sharing link. These documents are just one forwarded email away from ending up in the hands of a competitor or other unwanted recipient.

Breakdown of Sharing Actions


What are the different profiles of sensitive data stored in the cloud? Confidential data, or proprietary information related to a company’s business, is the biggest offender making up 7.6 percent of sensitive data. Personal data is second at 4.3 percent of said files. Third is payment data at 2.3 percent, and last is health data at 1.6 percent. The majority of these files, 58.4 percent, are discovered in Microsoft Office files.


Files Containing Keyword in the File Name

Furthermore, a surprising number of workers violate best practices for securely storing important information in the cloud. Using keywords such as ‘passwords’, ‘budget’, and ‘salary’ when naming files makes it easy for attackers to locate sensitive information, and IT security professionals typically advise against this practice. Convenience all too often trumps security, unfortunately. Past breaches have revealed instances in which credentials for multiple accounts were kept in folders named “Passwords”. The report found that the average company had 21,825 documents stored across file sharing services containing one or more of these red flags in the file name. Out of these files, 7,886 files contained ‘budget’, 6,097 ‘salary’, and 2,217 ‘confidential’.


Lastly, data revealed a few “worst employees of the month.” One prolific user was responsible for uploading 284 unencrypted documents containing credit card numbers to a file sharing service. Another user uploaded 46 documents labeled “private” and 60 documents labeled “restricted”. In all seriousness, while it’s easy to point the finger and call these users bad employees, it’s likely they were simply trying to do their jobs using the best tools available to them. The onus lies with IT to make the secure path the easy path.

With more companies migrating sensitive data to the cloud, attackers will increase their efforts to exploit vulnerabilities in enterprise use of cloud services. Tellingly, attacks against cloud services increased 45% over the past year. Locating sensitive data in file-sharing services is step one for companies aimed at preventing the next generation of cloud-based threats.

Sam Bleiberg, Corporate Communications Manager, Skyhigh Networks

[Cloud Security Alliance Blog]
