The gold standard in ransomware, CryptoWall, is making the rounds again with a new 4.0 release. This revision brings some important changes that will make life more difficult both for victims and for security researchers looking to counter the software’s malicious activities.
If you aren’t already familiar with it, CryptoWall is a piece of software that falls under the category of “ransomware.” Ransomware products encrypt data on an infected system, preventing access until some amount of money is paid. The ransom for files is generally in the neighborhood of $500 but could be more or less depending on the developer. In most cases, the malware carries a list of targeted file types, such as .docx or .ppt, and attacks those. Once the files are encrypted, a message is displayed to inform the system’s user of the attack and how to pay the ransom.
CryptoWall 4.0 follows most of the “standards” for this type of malware. It uses the RSA-2048 algorithm, which is used by most major ransomware and is functionally unbreakable with current technology. It communicates with command, control, and communications (C3) systems using RC4 encryption, and communicates with its victims to collect the ransoms via the Tor browsing utility. It spreads via spam emails and so-called “drive-by downloads.” It also wipes shadow copies and disables system restore and startup repair, and both network drives and local drives can be affected.
What’s different about CryptoWall 4.0
Where CryptoWall 4.0 differs is that it now encrypts the filenames as well as the files themselves, making it nearly impossible to identify which files are which. Previous iterations only encrypted the data within the files, not the filenames.
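As an added illustration (not code from the original post or from any CryptoWall analysis), the following Python triage helper looks for the two indicators just described on a file share: a name that no longer carries a recognisable extension, and contents whose byte distribution is near-uniform, as encrypted data is. The extension list and entropy threshold are assumptions chosen for the demo, not values published for the malware.

```python
import math
import os
import tempfile
from pathlib import Path

# Triage heuristic for the behaviour described above: CryptoWall 4.0 encrypts both
# the file contents and the file names, so affected files show (a) a name with no
# recognisable extension and (b) near-uniform byte distribution.
# KNOWN_EXTENSIONS and ENTROPY_THRESHOLD are assumed values for illustration only.
KNOWN_EXTENSIONS = {".docx", ".ppt", ".pptx", ".xlsx", ".pdf", ".jpg", ".txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is perfectly uniform random data

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_renamed(path: Path) -> bool:
    """True when the file name carries no recognisable extension."""
    return path.suffix.lower() not in KNOWN_EXTENSIONS

def is_suspect(path: Path, sample_size: int = 4096) -> bool:
    """Flag a file only when both indicators coincide, to limit false positives."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    return looks_renamed(path) and shannon_entropy(sample) >= ENTROPY_THRESHOLD

def triage_tree(root: Path) -> dict:
    """Count suspect files per directory so the spread across a share is visible."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if is_suspect(Path(dirpath) / f)]
        if hits:
            report[dirpath] = len(hits)
    return report

def demo() -> dict:
    """Constructed sample tree: one intact document and two 'encrypted' blobs."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx").write_bytes(b"Quarterly report text " * 200)
    for name in ("3fk9a1z2", "q7h2mm.x1"):  # constructed, extension-less names
        (root / name).write_bytes(os.urandom(4096))
    return triage_tree(root)  # -> {"<tmp dir>": 2}
```

Run `demo()` to see the report on the constructed tree; in practice point `triage_tree` at a mounted share to get a per-folder count of likely affected files before deciding whether to restore from backup.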
Additionally, the splash screen and ransom notes have been updated. Now, in addition to the usual instructions on how to pay for the decryption key and the new filenames in each folder holding affected files, the ransom notes contain language that mocks the victim more than in previous iterations. Lastly, it seems that this version no longer uses the I2P protocol for communication, unlike version 3.0.
Recovering from CryptoWall 4.0 is essentially the same as in past versions: You either have to pay the ransom or restore from a backup. There’s no other way around it.
For more information on this variant, the helpful folks over at the BleepingComputer forums are actively peeling this bug apart, and they have a fantastic guide on removing the ransomware here. For more information on ransomware, feel free to check out our Cybersecurity Resource Center or download our new e-book, The MSP’s Complete Guide to Cyber Security.