Security Alert: CryptoWall 4.0
Tuesday, Nov 17, 2015
Description of CryptoWall 4.0
A new version of CryptoWall has been found in the wild that changes several things about the CryptoWall we are familiar with.
Previous Version Information
For those unfamiliar with CryptoWall: it is file-encrypting ransomware that first appeared around the end of 2013. Once run, it encrypts selected file types on local drives and on mapped network drives using RSA cryptography, then displays a ransom note offering to decrypt the data if a payment (in bitcoin or a prepaid cash voucher) is made by the stated deadline. Before the original botnet was taken down, CryptoWall had generated around $3 million in a short period, with an estimated 41% of victims paying the ransom.
Besides a redesigned ransom note, CryptoWall 4.0 now encrypts file names as well as file contents. The new version came to light after users reported infections by what they called the "help_your_files" ransomware, after the name of the note it drops.
How it is different from previous versions
With the basics covered, the most significant change deserves a closer look: the names of the encrypted files are themselves encrypted. Each file is renamed to a unique string, mainly to make it harder for the victim to tell which files need to be recovered. The new names are plain alphanumeric strings with no apparent order and no relation to the original name. For recovery this matters: you cannot restore "the files whose names are missing", you must either inventory the renamed files or restore whole directories from backup.
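The inventory problem above is the first thing a recovery team hits, so here is an added example (not code from the original alert) of a name-shape heuristic that lists candidate encrypted files for restoration. The only indicator taken from the page is the "help_your_files" note prefix; the assumption that renamed files look like a random alphanumeric base with a random short extension, the list of known extensions, and the sample listing are all constructed for this example.

```python
import re
from pathlib import Path

# Extensions we treat as legitimate; a file that still carries one of these
# was not renamed.  The list is an assumption for this example; extend it
# for your own environment.
KNOWN_EXT = {"txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "csv",
             "jpg", "jpeg", "png", "gif", "zip", "exe", "dll", "html", "htm",
             "mp3", "mp4", "db", "ini", "log", "bak"}
TOKEN = re.compile(r"^[0-9a-z]+$")


def looks_random(token: str) -> bool:
    """True for an alphanumeric token mixing letters and digits, e.g. '7d5d7b'."""
    return (bool(TOKEN.match(token))
            and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token))


def classify_name(name: str) -> str:
    """Classify one file name as 'note', 'suspect' (probably renamed by the
    ransomware) or 'normal'.  Heuristic (assumption, not from the page):
    the renamed file has a random alphanumeric base and either no extension
    or a random extension that is not a known document type."""
    lower = name.lower()
    if lower.startswith("help_your_files"):       # ransom note dropped per folder
        return "note"
    base, dot, ext = lower.rpartition(".")
    if not dot:                                   # no extension at all
        return "suspect" if looks_random(lower) else "normal"
    if ext in KNOWN_EXT:
        return "normal"
    return "suspect" if looks_random(base) and TOKEN.match(ext) else "normal"


def summarize(names):
    """Tally a list of file names and decide whether the set looks encrypted."""
    counts = {"note": 0, "suspect": 0, "normal": 0}
    suspects = []
    for name in names:
        kind = classify_name(name)
        counts[kind] += 1
        if kind == "suspect":
            suspects.append(name)
    data_files = counts["suspect"] + counts["normal"]
    ratio = counts["suspect"] / data_files if data_files else 0.0
    # A ransom note is strong evidence on its own; otherwise require that most
    # data files have the random-name shape, so an isolated odd file name
    # (build artefact, temp file) does not raise an alert by itself.
    return {"counts": counts, "suspects": suspects, "ratio": ratio,
            "likely_encrypted": counts["note"] > 0 or ratio >= 0.5}


def scan_directory(root):
    """Walk a directory tree and summarize every regular file in it."""
    return summarize([p.name for p in Path(root).rglob("*") if p.is_file()])


# Constructed sample listing (not real CryptoWall output) for a dry run.
SAMPLE_LISTING = ["HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML", "7d5d7b.jxn",
                  "2o4jk0kh2jm.5q", "k3h9f0s2", "budget.xlsx", "thumbs.db"]

if __name__ == "__main__":
    result = summarize(SAMPLE_LISTING)
    print("likely encrypted:", result["likely_encrypted"])
    for name in result["suspects"]:
        print("restore from backup:", name)
```

Run `scan_directory()` against a mapped share or user profile taken offline; the per-directory ratio is what keeps the heuristic useful, since a single odd file name proves nothing while a folder where most documents have lost their extensions almost always does. Tune `KNOWN_EXT` before trusting the suspect list, and treat the output as a restore worklist rather than proof of infection.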
The HTML ransom note has also changed in tone: it now presents CryptoWall not as a malicious project but as one intended to make the "internet a better and safer place".
Methodology for Infection
The infection vector observed for this version is e-mail: the malware arrives in a zipped attachment presented as a resume and runs once the recipient opens it.
How to protect from it
Since the main infection vector is e-mail carrying a zipped resume, an e-mail security solution that can block attachments and quarantine files by type is the first line of defence; note that the zip container itself looks harmless, so the filter must inspect the archive contents rather than just the outer extension. End-user training is a commonly overlooked control: ultimately the user decides whether to open the attachment, and users who recognise these lures cut the chance of infection considerably. AV vendors are updating their definitions to recognise these files and flag them as malicious, but signature updates lag new variants, so do not rely on AV alone.
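As an added example of the attachment filtering described above (not code from the original alert or from any e-mail security product), the following looks inside a zipped "resume" and quarantines it if any member is an executable type or carries a double extension. The blocked and document extension lists, the lure name `resume.doc.js`, and the in-memory sample archives are constructed for this example; the page only says the lure is a zipped resume.

```python
import io
import zipfile

# Attachment types that should never arrive from outside the organisation.
# Both lists are assumptions for this example; tune them to your policy.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
               "vbe", "wsf", "wsh", "hta", "jar", "ps1", "lnk", "msi"}
DOCUMENT_EXT = {"doc", "docx", "pdf", "txt", "rtf", "xls", "xlsx", "jpg", "png"}


def blocked_reason(name: str):
    """Return why a file name should be blocked, or None if it is acceptable."""
    parts = name.lower().strip().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in BLOCKED_EXT:
        return None
    # "resume.doc.js" is the classic lure: a document-looking name with an
    # executable extension tacked on the end.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:
        return f"double extension: {name}"
    return f"blocked type .{ext}: {name}"


def inspect_attachment(filename: str, data: bytes):
    """Return a list of reasons to quarantine the attachment (empty = allow).
    Zip containers are opened and every member name is checked, because the
    .zip itself looks harmless to a plain extension filter."""
    reasons = []
    reason = blocked_reason(filename)
    if reason:
        reasons.append(reason)
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Member names are visible but contents are encrypted,
                        # so downstream AV cannot scan them: quarantine.
                        reasons.append(f"encrypted zip member: {info.filename}")
                    reason = blocked_reason(info.filename)
                    if reason:
                        reasons.append("inside zip: " + reason)
        except zipfile.BadZipFile:
            reasons.append("attachment claims to be a zip but is not")
    return reasons


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not captured malware.
LURE_ZIP = build_zip({"resume.doc.js": b"// constructed placeholder, not malicious"})
CLEAN_ZIP = build_zip({"resume.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    for name, data in [("resume.zip", LURE_ZIP), ("resume.zip", CLEAN_ZIP),
                       ("cv.exe", b"MZ"), ("notes.zip", b"not a zip")]:
        verdict = inspect_attachment(name, data)
        print(name, "->", "QUARANTINE: " + "; ".join(verdict) if verdict else "allow")
```

This checks one level of archive only; a zip inside a zip, or a .rar/.7z attachment, passes through unexamined, so in production either recurse into nested archives with a depth limit or quarantine any archive format the filter cannot open. Password-protected archives are quarantined outright because nothing downstream can scan their contents.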
What to do in case of failure
If CryptoWall has encrypted your data, the only reliable way to recover it is to restore from backup. The alternative is to pay the ransom in bitcoin, which is hard to obtain quickly if you do not already hold some, and paying carries no guarantee that the files will be decrypted. Restoring from backup is far easier and faster and involves no ransom; because the malware also encrypts mapped network drives, those backups must live somewhere the infected user account cannot write to.
If you do encounter CryptoWall and are running a layered security approach, infection does not necessarily mean encryption. The malware has to reach its command-and-control (C&C) server before it can encrypt, so a firewall or UTM device that blocks that traffic stops the encryption from starting. Blocking these communications and actively monitoring for blocked attempts lets you identify and clean the infected system before any files are encrypted.
Be sure to check out our YouTube video on CryptoWall 4.0 – https://youtube.com/iYadk2VJ_NE