November 4, 2014 at 6:35 pm #41926
Important News: CryptoWall 2.0 Ransomware Virus

We received this warning from McKesson today:

McKesson has been made aware of a Ransomware virus that has the potential to infect unprotected systems. It is our goal to help ensure that you are fully aware of this virus, its impact, and ways that you can help ensure your system is protected.

Issue: CryptoWall 2.0 has been identified as a Ransomware virus known to encrypt client system files, including those in the PPART application folder affecting program functionality, which may jeopardize system stability and potentially patient data. CryptoWall v2.0 also deletes the original file using secure deletion to prevent the files from being restored with file recovery software, and attempts to delete Windows Shadow Volume backups to prevent files from being restored.

Impact: Key files in PPART are encrypted with RSA2048 encryption – decryption is not possible with current technologies. Users will see various files within PPART named DECRYPT_INSTRUCTION.TXT and/or DECRYPT_INSTRUCTION.HTML. These files will provide users with a URL and payment instructions to be given the decryption key to recover the encrypted files. CryptoWall is known to target vulnerable .dat files, and has been known to encrypt html and text files as well.

Risk Mitigation:
1. Do not download PDF email attachments from unknown sources. The most common delivery vector is an executable disguised as a PDF in a zipped email attachment.
2. Ensure that your anti-virus solution is up to date.
3. Run regularly scheduled anti-virus scans on both the server and workstations.
4. Include the Practice Partner® application folder (PPART) and the client folder (C:\Program Files (x86)\McKesson\Practice Partner) in scheduled scans.
5. Use Windows Group or Local Policy editor to create software restriction policies to prevent executables from running in specific locations – CryptoWall’s executables routinely run from:
   a. C:.exe
      C:UsersAppDataLocal.exe (Vista/7/8)
      C:Documents and SettingsApplication Data.exe (XP)
      C:Documents and SettingsLocal Application Data.exe (XP)
      %Temp%
6. Additional information on configuring Software Restriction policies is available from:
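
A check built from the file names in the warning above, added here as an example and not part of the original post or McKesson's notice: it walks a folder tree for DECRYPT_INSTRUCTION.TXT/.HTML notes and reports the affected folders and the earliest note timestamp. The sample tree, folder names and timestamps are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timezone

# Ransom-note names taken from the warning; matched case-insensitively.
NOTE_NAMES = {"decrypt_instruction.txt", "decrypt_instruction.html"}

def find_ransom_notes(root):
    """Return {directory: [note paths]} for each folder under root holding a note."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(os.path.join(dirpath, f) for f in files
                       if f.lower() in NOTE_NAMES)
        if notes:
            hits[dirpath] = notes
    return hits

def summarize(root):
    """Affected folders, note count, and the earliest note timestamp (UTC)."""
    hits = find_ransom_notes(root)
    mtimes = [os.path.getmtime(p) for notes in hits.values() for p in notes]
    # Only an approximation of when encryption began; a starting point
    # for choosing which backup to restore from.
    earliest = (datetime.fromtimestamp(min(mtimes), tz=timezone.utc)
                if mtimes else None)
    return {
        "affected_dirs": sorted(hits),
        "note_count": len(mtimes),
        "earliest_note_utc": earliest,
    }

def build_sample_tree(root):
    """Constructed sample layout (not real PPART contents) for the demo."""
    for rel, stamp in [("data/DECRYPT_INSTRUCTION.TXT", 1415100000),
                       ("data/Decrypt_Instruction.html", 1415100060),
                       ("forms/DECRYPT_INSTRUCTION.HTML", 1415100120),
                       ("clean/readme.txt", 1415000000)]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")
        os.utime(path, (stamp, stamp))  # fixed mtime so the result is repeatable

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for key, value in summarize(tmp).items():
            print(key, "=", value)
```

To check a real installation, call `summarize()` with the application folder path in place of the temporary directory.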