Cryptowall 4 (although the number is not mentioned in the new, changed ransom note) is not drastically different from version 3. According to malware researcher Nathan Scott, it uses the same encryption, installation method, Decrypt Service site, communication method, C&C server, and ransom payment domains.
What’s new, then? Well, for one, the encrypted files now also sport encrypted file names, making it difficult for victims to know which files have been compromised:
Secondly, the communication channel is a bit more streamlined. And thirdly, the new ransom message has a new design and content – and asks for $700 instead of the previous $300.
“Congratulations!!! You have become a part of large community Cryptowall,” the message taunts. After explaining to the victims that they have to purchase Bitcoin to pay the ransom, and how they can peruse the instructions for decrypting their files, the criminals insist that the “Cryptowall Project is not malicious and is not intended to harm a person and his/her information data.”
“The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the internet a better and safer place,” the message says and concludes: “Remember that the worst has already happened and now the further life of your files depends directly on your determination and speed of your actions.”
No doubt, the victims will go through a rollercoaster of emotions as they read the ransom note, most notably anger. The criminals are apparently trying to redirect that anger at AV vendors and paint themselves as the good guys trying to help, in the hope that this will spur the victims to pay the ransom.
Palo Alto Networks researchers have so far spotted ten unique instances of CryptoWall version 4, and have provided SHA256 hashes for each sample they analyzed.
“The threat of ransomware has remained active for a number of years now, and shows no signs of stopping in the future. Individuals should remain vigilant about ensuring that suspicious emails are not opened and skeptical about navigating to unknown websites that are not trusted,” they advised.
In addition to this, performing regular backups of important files is highly advised – should you fall for the scheme, you won't have to pay the ransom because your files can be restored.