Inside Cryptowall 2.0 Ransomware
msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption present before the ransomware activates, and its ability to detect 32- and 64-bit architectures and execute different versions for each.
As mentioned above, you need a PULL backup solution so the backup is done by a remote server logging into your machine and taking copies of the files that need to be backed up, rather than your machine connecting to a remote server and sending the files. That way your computer has no knowledge of where its backups are stored, so Cryptowall won't be able to find them either.
In a Linux or Mac environment this would be simple to set up with common tools. You could write a sample Bash script that runs daily on the remote backup server, using SSHFS to mount the target computer's file system and then use backup2l to make incremental backups of the appropriate directories, which are saved on the backup file system.
This should work for Windows clients as well, but you'd have to install an SSH daemon on the machine or use unencrypted Telnet.
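The pull arrangement described in the comment above, as an added example that is not part of the original thread: a script for the backup server that mounts the client read-only over SSHFS, runs backup2l, and always unmounts. The account name, host, paths and key file are assumptions, and the backup2l configuration file is assumed to set SRCLIST to the mount point and BACKUP_DIR to storage local to the backup server.

```shell
#!/bin/sh
# Added example: pull-style backup, run daily from cron ON THE BACKUP SERVER.
# All names below are assumptions for illustration, not values from the page.
set -u

CLIENT="${CLIENT:-backup-ro@client.example}"  # hypothetical read-only account on the client
REMOTE_DIR="${REMOTE_DIR:-/home}"            # directory on the client to protect
MNT="${MNT:-/mnt/pull/client}"               # mount point on the backup server
CONF="${CONF:-/etc/backup2l-client.conf}"    # assumed: SRCLIST=("$MNT"), BACKUP_DIR local
KEY="${KEY:-/root/.ssh/pull_backup_key}"     # private key stored only on the backup server

# sshfs options: read-only mount, key authentication only, never prompt.
# The client holds no credential for, and no path to, the backup store.
sshfs_opts() {
    printf 'ro,IdentityFile=%s,BatchMode=yes,reconnect' "$KEY"
}

# Mount, back up, always unmount.
# Return codes: 1 mount point, 2 mount failed, 3 backup failed, 4 unmount failed.
pull_backup() {
    mkdir -p "$MNT" || return 1
    sshfs -o "$(sshfs_opts)" "$CLIENT:$REMOTE_DIR" "$MNT" || return 2
    pb_rc=0
    backup2l -c "$CONF" -b || pb_rc=3
    # Unmount even when the backup failed, so the client is not left mounted.
    fusermount -u "$MNT" || pb_rc=4
    return "$pb_rc"
}

# Run only when invoked as: pull_backup.sh run
if [ "${1:-}" = "run" ]; then
    pull_backup
fi
```

A non-zero exit from the cron job is worth alerting on: a mount or backup failure means that day's incremental copy is missing.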