Cryptowall attackers are smashing businesses in the Australian state of Queensland, according to the owner of a Townsville sex shop which has paid $1,058 to ransomware attackers to have its files unlocked.
The third iteration of the dangerous ransomware hit Sweethearts, which describes itself as Queensland’s oldest sex shop, last Friday with a ransom demand for three Bitcoins to have the AES-256-encrypted files unlocked.
Cryptowall 3.0 is the most capable of the ransomware families, with law enforcement agencies all the way up to Interpol saying it’s the chief threat. Unlike older versions, nobody’s yet found an implementation weakness that would let files be unlocked without paying the ransom.
Sweethearts’ Colin Edwards told Vulture South the attackers sent the Cryptowall 3.0 decryption key yesterday, which was used to unlock the store’s servers, which had been entirely encrypted.
“We paid the ransom, they accepted it, and sent the key,” Edwards says. “It’s the only thing you can do.”
Edwards says his business, and others in the state, were targeted through the Seek employment website on the back of an advertisement posted for vacant staff positions.
Net scum delivered the ransomware through a phishing HTML email masquerading (in Sweethearts’ case) as one of 47 job applications.
Edwards says he did not even open the email and that it executed the payload after it was merely previewed in his mail client.
He has since heard from other victims including local trade unions, a veterinary clinic, a chemist, and a council that have been hit with Cryptowall 3.0 and forced to pay in recent weeks.
Stewart Livingston, director of local tech support Nu Wave Computers, was called in to triage and help Sweethearts.
“I’ve had three call outs since yesterday,” he says. “And I fully expect to be flat out by the end of the week.”
Both say state and federal police, along with the federal Australian Cybercrime Online Reporting Network, are unable or unwilling to help.
Livingston says victims have “no choice but to pay up” and risk inflating the ransom if they delay payment or bork removal and backup restoration efforts.
Restoring from backups may be possible, but the tech says drives have to be fully formatted first, otherwise files may be re-encrypted.
Businesses should maintain regular air-gapped backups of critical data to reduce the impact of ransomware. Default passwords should be changed on public-facing services like remote desktop protocol, and applications and operating systems patched.
Security screws should be tightened on email clients where possible to prevent code execution when messages are opened or previewed.
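As an added illustration of the backup advice above (this is not code from the article or from any of the businesses it mentions), the POSIX shell script below writes a backup archive to a directory standing in for removable media, records a SHA-256 manifest of every file, and refuses a restore when either the archive or the restored files no longer match. The source and media paths are assumed and constructed in temporary directories; the script cannot enforce the air gap itself, which comes from physically detaching the media once the archive is written.

```shell
#!/bin/sh
# Added example: offline backup with an integrity manifest, so a backup
# that was itself encrypted or tampered with is detected before restore.
# Paths are assumptions supplied by the caller; nothing here is site-specific.
set -eu

# make_backup SRC DEST
#   Writes DEST/backup-<timestamp>.tar.gz, a .sha256 of the archive, and a
#   .manifest listing the SHA-256 of every file in SRC. Prints the archive path.
#   DEST is meant to be removable media that is unplugged after this returns.
make_backup() {
    src="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz"
    tar -czf "$archive" -C "$src" .
    # Per-file hashes taken from the live tree, relative to its root
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.manifest"
    # Hash of the archive itself, so on-media tampering is caught first
    sha256sum "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# check_manifest ARCHIVE DIR
#   Returns 0 only if every file recorded in ARCHIVE.manifest is present in
#   DIR with the same SHA-256. A file encrypted in place fails this check.
check_manifest() {
    archive="$1"; dir="$2"
    ( cd "$dir" && sha256sum --quiet -c "$archive.manifest" ) || return 1
}

# verify_restore ARCHIVE OUT
#   Verifies the archive hash, extracts into OUT, then verifies every
#   restored file against the manifest. Non-zero on any mismatch.
verify_restore() {
    archive="$1"; out="$2"
    sha256sum --quiet -c "$archive.sha256" || return 1
    mkdir -p "$out"
    tar -xzf "$archive" -C "$out" || return 1
    check_manifest "$archive" "$out"
}
```

Run `make_backup /path/to/data /mnt/offline-media` on a schedule, detach the media, and use `verify_restore` onto a freshly formatted drive when recovering; the manifest check is what tells you the restored tree is clean rather than a copy of already-encrypted files.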