Start End
Headshot of me wearing red lipstick Kara Babcock

Fighting CryptoWall on Windows XP: caltrops, scorched earth, and triage

How was your Easter break? I spent a good portion of my four-day weekend fighting a ransomware attack.

My boss's computer at the art gallery (not at my other job) is still running Windows XP while connected to the Internet. This is, no joke, a terrible idea. But they are a not-for-profit organization with very little money—she is finally getting a modern computer in May.

Not soon enough. Last week her computer was hit by CryptoWall 3.0, the beefier descendant of CryptoWall 2.0, which was hitting computers last April. Seems like this is going to be an annual event. This ransomware is so pernicious it has been hitting police departments in the United States, with some of them even paying the criminals because they had no other way to retrieve their files.

Ransomware is exactly what the name describes. It is a pernicious virus that infects your computer, disables as much security as possible, and then it encrypts your files so you can’t access them until you pay its masters for the decryption key. If you refuse to pay, then tough. It’s RSA encryption: you can’t just brute-force your way past it and get your files back. The only hope is if you have backups.

Of course my boss doesn’t have backups. Don’t be silly.

This is one (maybe the only) situation in which my boss's technophobia and complete distrust of the computer worked in her favour. She lost her files, yes, but very little on her computer was mission-critical. Her paper-based filing is meticulous enough to reconstruct anything she lost. She mostly uses her computer for email and web browsing, and the occasional word processing that she then files in hard copy. None of this is an excuse for not having backups, mind you—it just means that damage of not having backups is slightly mitigated in her case.

For those of us who work at the front desk, the most mission critical file was a custom Access database I had built to manage our consignment artist inventory. (And my boss actually admitted that was probably the most important file, period.) Losing it would be a blow. While I had configured automated backups of the file on her computer, I had never set up remote backups. I was more interested in preserving the database in case we broke something (because it’s Access, so I don’t trust it) than in case the computer itself turned against us. That was a mistake. Then again, I am not the gallery's IT guy; this was not my bailiwick.

There was one, tiny, infinitesimal sliver of hope left: file recovery.

I read on the Internet (that trustworthy source of all information) that CryptoWall doesn’t actually encrypt the original file; rather, it copies the file, encrypts the copy, and deletes the original. Ah-hah. So there is a possibility that a file recovery program might be able to recover the files. It seems that CryptoWall 3.0 might not work this way, but I had nothing to lose by giving it a try.

I also held out hope such a recovery program would turn up a deleted backup of the consignment database. (The backup script only kept the backups around for 90 days, and recovering a copy from January or February was a perfectly acceptable outcome for us. This is, in fact, what happened.)

First I tried Recuva. I swear by CCleaner, so I thought that Piriform would have my back. Unfortunately, despite its best efforts, it couldn’t turn up anything recoverable or useful.

Then I found PhotoRec/TestDisk, a pair of free and open-source programs maintained by Christophe Grenier. These did the trick. They recovered a lot of deleted files—few of them, unfortunately, relevant to us any more. But I did get back several deleted copies of the database, including a very recent backup. So there’s that.

My boss was good enough to offer to pay me for some of the time I put into this. (In addition to working on it while I worked on the weekend, I installed TeamViewer Host on her computer and worked on it remotely from home. I love TeamViewer. So much.) I wasn’t enthusiastic—after all, I didn’t do all that much—but she pointed out that it was pay me minimum wage or call their IT guy in for nearly ten times that amount. So … yeah. I’m going to donate some of that money to PhotoRec/TestDisk, however—people like Grenier who make such vital software and then release it for free deserve support.

In the end, I learned a lot about file recovery, ransomware, and the folly of running XP on the Internet. I really hope the gallery puts a backup strategy in place (they probably won’t), and I’m looking forward to my boss getting a new computer (even though it means I will have to teach her how to use it). Ransomware is a particularly troubling type of malware, because unlike a regular virus, it doesn’t just seize surreptitious control of your computer’s resources; it actually deprives you of access to your files. It hits like lightning and cannot be circumvented afterwards—if you don’t prevent it, backups are your only line of defence.