Security Alerts CryptoWall 4.0

Tuesday, Nov 17, 2015

Description of CryptoWall 4.0

A new version of CryptoWall was recently discovered in the wild that introduces several changes to the CryptoWall we are currently familiar with.

Previous Version Information

For those of you who are unfamiliar with CryptoWall, it is a file-encrypting ransomware program that was released around the end of 2013. When activated, the malware encrypts certain file types stored on local and mapped network drives using RSA cryptography. The malware then displays a message that offers to decrypt the data if a payment (either bitcoin or pre-paid cash) is made by the stated deadline. Before the original botnet was taken down, CryptoWall had generated around $3 million in a short period of time, with an estimated 41% of victims paying the ransom.

New Features

In addition to a redesigned ransom note, CryptoWall 4.0 now encrypts the filenames of the files it encrypts, not just the data inside them. This new version was discovered after users reported being infected by what they called “help_your_files” ransomware.

How it is different from previous versions

Now that we have covered the basics, let’s go a little deeper into the most significant change: encrypting the names of the encrypted files. Each file has its name changed to a unique encrypted name, mainly to make it more difficult to tell which files need to be recovered. The encrypted names are basic alphanumeric strings and do not appear to follow any specific order.

There has also been a change to the HTML ransom note which makes it seem that CryptoWall is not a malicious project, but is actually intended to make the “internet a better and safer place”.

Methodology for Infection

Previous versions of CryptoWall are notorious for using an e-mail distribution method built around a hoax resume inside a zipped attachment. The same method is being used to distribute CryptoWall 4.0. These zipped “resumes” are actually JavaScript files that, when opened, download an executable, save it to the Windows Temp folder, and then run it. Once this process has completed, communication with the C&C servers begins. While communicating with the C&C servers, CryptoWall uses RC4 encryption and continues to create a unique identifier from the MD5 hash of the infected computer name, volume serial number, processor information and OS version. Once that has completed, it injects itself into svchost.exe and encrypts the data on all local drives, removable drives, and mapped network drives.

How to protect from it

Since the main infection method is an e-mail carrying a zipped resume, an e-mail security solution that can block attachments and quarantine files based on their type is a strong first control. Another commonly overlooked control is end-user training on these types of attacks. Ultimately it comes down to the end user, and users who are aware of these attacks make mitigation far easier. AV vendors are currently updating their definitions to recognize these files and flag them as malicious content.
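As an added example (not code from the original alert or from any vendor product it mentions), the following Python sketch shows the attachment check such an e-mail gateway policy would apply: open the zipped attachment in memory, inspect the final extension of every entry, and quarantine archives that carry script or executable content, including the “resume.doc.js” double-extension lure described above. The blocked-extension list, the double-extension rule and the handling of password-protected or malformed archives are assumptions of this example, not details from the alert.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Assumed gateway policy: final extensions that should never be delivered inside
# a zipped attachment. .js is the one the alert describes; the rest are additions
# of this example, not from the original alert.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".bat", ".cmd", ".hta"}


@dataclass
class Verdict:
    quarantine: bool
    reasons: list = field(default_factory=list)


def _suffixes(name: str) -> list:
    """Return every extension in an entry name: 'resume.doc.js' -> ['.doc', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_zip_attachment(data: bytes) -> Verdict:
    """Decide whether a zipped attachment should be quarantined (assumed policy)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Entries we cannot open cannot be inspected, so treat them as suspect.
                if info.flag_bits & 0x1:
                    reasons.append(f"{info.filename}: password-protected entry, cannot inspect")
                    continue
                suffixes = _suffixes(info.filename)
                # Windows picks the handler from the final extension, so judge by that.
                final = suffixes[-1] if suffixes else ""
                if final in BLOCKED_EXTENSIONS:
                    reasons.append(f"{info.filename}: executable content ({final})")
                    # A document-looking name with a trailing script extension is the lure pattern.
                    if len(suffixes) > 1:
                        reasons.append(f"{info.filename}: double extension")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid zip archive")
    return Verdict(quarantine=bool(reasons), reasons=reasons)


def build_zip(entries: dict) -> bytes:
    """Build a zip archive in memory; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign PDF resume and a lure with a double-extension script.
BENIGN_ZIP = build_zip({"resume.pdf": b"%PDF-1.4 constructed sample, not a real document"})
LURE_ZIP = build_zip({"resume.doc.js": b"// constructed placeholder, contains no payload"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        verdict = inspect_zip_attachment(blob)
        print(label, "quarantine" if verdict.quarantine else "deliver", verdict.reasons)
```

Judging by the final extension matters because Windows uses it to pick the handler, so a name like resume.doc.js runs as JavaScript regardless of the “.doc” in the middle. Quarantining archives the gateway cannot open is a deliberate choice: an uninspectable attachment gets the same treatment as a known-bad one.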

What to do in case of failure

If CryptoWall has encrypted your data, the only ways to recover it are restoring from backup or paying the ransom in bitcoin, which is difficult to obtain quickly if you do not already hold some. Restoring from backup is a far easier and faster process and does not involve paying a ransom.
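Because the renamed files no longer tell you which data was hit (the filename change described earlier) and backup restoration is the recommended recovery path, an incident responder’s first job is to work out which files and shares need restoring. The following Python triage script is an added example, not code from the original alert: it classifies a directory listing into ransom notes, files whose names look encrypted, and untouched files, then counts encrypted files per directory so the worst-hit shares can be restored first. The “purely alphanumeric name with an unknown extension” heuristic, the allow-list of known extensions, and the assumption that ransom notes carry “help_your_files” in their name are all assumptions of this example; the alert itself only says the names are basic alphanumeric strings.

```python
import re
from collections import Counter

# Assumed allow-list of extensions a normal user file tree carries; a name that
# ends in one of these is treated as untouched. Not taken from the original alert.
KNOWN_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv",
    "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip", "html", "xml",
}

# Assumed heuristic for the renamed files the alert describes: base name and
# extension are both purely alphanumeric and the extension is not a known type.
ALNUM = re.compile(r"[A-Za-z0-9]+")


def looks_encrypted(path: str) -> bool:
    """True if the final path component matches the assumed encrypted-name pattern."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return ALNUM.fullmatch(name) is not None
    base, ext = name.rsplit(".", 1)
    return (
        ALNUM.fullmatch(base) is not None
        and ALNUM.fullmatch(ext) is not None
        and ext.lower() not in KNOWN_EXTENSIONS
    )


def is_ransom_note(path: str) -> bool:
    """Assumption: dropped notes carry the 'help_your_files' string the alert mentions."""
    return "help_your_files" in path.rsplit("/", 1)[-1].lower()


def triage(paths):
    """Split a listing into ransom notes, encrypted files, and untouched files."""
    result = {"encrypted": [], "notes": [], "untouched": []}
    for p in paths:
        if is_ransom_note(p):
            result["notes"].append(p)
        elif looks_encrypted(p):
            result["encrypted"].append(p)
        else:
            result["untouched"].append(p)
    return result


def affected_directories(encrypted):
    """Count encrypted files per directory to prioritise which shares to restore."""
    return Counter(p.rsplit("/", 1)[0] if "/" in p else "." for p in encrypted)


# Constructed listing standing in for a walk of a mapped network drive.
SAMPLE_LISTING = [
    "finance/budget.xlsx",
    "finance/7k2m9qe1.x4z",
    "finance/help_your_files.html",
    "finance/q3report.pdf",
    "hr/p0a8sd2f.9wq",
    "hr/wz33k1.h7",
    "hr/help_your_files.txt",
    "hr/onboarding.docx",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for bucket, files in result.items():
        print(f"{bucket}: {len(files)}")
    for directory, count in affected_directories(result["encrypted"]).most_common():
        print(f"restore {directory}: {count} encrypted file(s)")
```

The ransom-note check runs before the encrypted-name check on purpose: the notes are the attacker’s files, not victim data, and should be collected as evidence rather than counted as something to restore. The heuristic will also flag legitimate extension-less alphanumeric names, so treat the “encrypted” bucket as a list to verify against backup metadata, not as a final answer.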

If you do come across CryptoWall and are using a layered security approach, infection does not necessarily mean encryption. A firewall or UTM device can block the C&C traffic that is required to encrypt the files. Blocking these types of communications and actively monitoring for their presence can allow you to clean the infected system before the files are encrypted.

Be sure to check out our YouTube video on CryptoWall 4.0 – https://youtube.com/iYadk2VJ_NE