New version of Cryptowall ransomware spotted doing rounds

The infamous Cryptowall ransomware is back: the newest version has been spotted compromising users starting on January 12.

According to both Microsoft and the researcher who goes by the handle Kafeine, there hasn’t been a campaign delivering Cryptowall (Microsoft calls it Crowti) for almost two months.

Unfortunately for users, Cryptowall 3.0 is as destructive as previous variants: it encrypts files found on the infected machines, and asks the victims to pay up in order to get the decryption key.

In this latest case, it seems that US and European users are the main targets. The crooks initially ask for $500 or the same amount in euros, and the cost is doubled if the victims don’t pay up within the first week of seeing the note.

“The files are still customized for each infected user with a personal link to a decryption instructions page that is still done over the Tor network,” shared Marianne Mallen, a researcher with the Microsoft Malware Protection Center (MMPC).

Cryptowall (Crowti) usually ends up on a victim’s machine in one of these three ways:

This latest malware delivery campaign makes use of previously installed malware and exploit kits to download the ransomware and run it.

If you have been infected and you haven’t recently backed up the encrypted files, you might as well consider them lost forever. You can pay the ransom and hope that you’ll be given the decryption key, but there is no guarantee you’ll actually get it and that it will work.

The security community advises against paying the ransom so as not to encourage the crooks further, but unfortunately sometimes the files in question are worth more than $500 to the victims, and they do make the payment.

The recently spotted ransomware campaign targeting Australian users has, once again, shown how lucrative this approach is for cyber crooks.