After several slow months, it seems that the authors of the infamous CryptoWall malware (Win32/Crowti or Trojan.Cryptowall) have re-emerged from wherever they’ve been hiding and have brought another version of their devious malware with them. Dubbed “CryptoWall 3.0” by security blogs and researchers, the new malware contains a number of changes and additions over the previous version.
How it’s different
While previous versions of CryptoWall communicated over the TOR privacy network, the new one uses an even more shadowy network known as the Invisible Internet Project (I2P). Although it is similar to TOR in its goals and likewise requires a special browser for access, it is much less well known than its big brother. Researchers currently theorize that a hybrid method is used so that if either the TOR or the I2P network is down, the malware can still communicate with its command and control servers (over I2P) and payment can still be made (over TOR).
Additionally, CryptoWall 3.0 has the capability to geolocate an affected system and display a language-appropriate message on screen. For example, if your IP comes from France, you’ll see a version of the informational message in French, while someone in the United States would see the same message in English.
The last change is a longer time period for the ransom clock. The new timer seems to be somewhere in the neighborhood of 168 hours (one week). The price, however, has remained static at $500 ($1,000 after the timer expires).
What to watch out for
Like the older versions of CryptoWall, the things to look for include files named HELP_DECRYPT in .txt, .html, .url, and .png formats. It also continues the use of RSA-2048 as the encryption algorithm and Bitcoin as the payment method. Distribution methods include drive-by downloads and email dissemination, as well as backdoors from other pre-existing infections such as Win32/Onkods.
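A quick way to check a file share or a restored backup for those ransom notes is to walk the tree and list every directory that holds a HELP_DECRYPT file, since each such directory is one the malware touched. The script below is an added example for this post, not Intronis code; it assumes the note names match case-insensitively and builds a small constructed folder layout in a temporary directory to scan.

```python
import os
import shutil
import tempfile
from collections import defaultdict

# Ransom-note filenames CryptoWall drops (from the post); matched case-insensitively (assumption).
NOTE_STEM = "help_decrypt"
NOTE_EXTS = {".txt", ".html", ".url", ".png"}


def is_ransom_note(filename):
    """True only for HELP_DECRYPT.<txt|html|url|png>, ignoring case."""
    stem, ext = os.path.splitext(filename)
    return stem.lower() == NOTE_STEM and ext.lower() in NOTE_EXTS


def scan_for_notes(root):
    """Walk `root`; return {directory: [note filenames]} for each directory holding a note."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_ransom_note(name):
                hits[dirpath].append(name)
    return dict(hits)


def demo():
    """Constructed sample tree: two folders with notes, one clean folder with a look-alike name."""
    root = tempfile.mkdtemp(prefix="cw_demo_")
    layout = {
        "Documents": ["HELP_DECRYPT.TXT", "HELP_DECRYPT.html", "HELP_DECRYPT.url",
                      "HELP_DECRYPT.png", "report.docx"],
        "Pictures": ["HELP_DECRYPT.png", "holiday.jpg"],
        "Clean": ["notes.txt", "help_decrypt_notes.txt"],   # look-alike must not match
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "w").close()
    hits = scan_for_notes(root)
    shutil.rmtree(root)
    # Report paths relative to the scan root so the result is stable across machines.
    return {os.path.relpath(d, root): sorted(v) for d, v in hits.items()}


if __name__ == "__main__":
    for folder, notes in demo().items():
        print(f"{folder}: {', '.join(notes)}")
```

On a real system, call scan_for_notes() on the share or drive root; every directory returned is one whose contents should be treated as encrypted until proven otherwise.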
To read more about CryptoWall 3.0, check out these additional resources:
Paul Hanley is a Partner Support Engineer for Intronis.