Question about Cryptowall 3.0

Two of my workstations were hit with Cryptowall 3.0 this week. I've taken down the network and we're running all workstations independent of the network while trying to figure out how it got in. The two workstations affected were both running an Outlook (2013) add-in called Save as PDF. We believe the malware may have been delivered with an email containing a resume attachment that neither user opened. Both users had unopened copies of that email in their deleted folders. Is it possible the add-in activated the malware when it converted the email and the attachment to PDF? Here is a copy of the Sperry description of the add-in.

The add-in first converts the email to PDF, then takes each attachment and inserts that into the PDF as well. It works on Microsoft® Word® files (.doc and .docx), Microsoft Excel® files (.xls and .xlsx), Microsoft Powerpoint® files (.ppt and .pptx), plain text files (.txt), HTML files (.htm and .html), PDF files, image files (.tif, .jpg, .gif, .png, plus other image file formats) and even unpacks compressed zip files!

Fortunately even though this malware made it to the network through mapped drives, our backup system (I call it 3-2-1 and a spare) saved us from shutting down the business.

Any thoughts on this would be appreciated. I want to take whatever steps are necessary to prevent this from happening again.

  • Root Admin

Not always easy to determine the "how" but protection from it can certainly be increased. Please review the links below for some of the best public information about the subject.

