Less than a year after CryptoWall 3.0 made its debut on the malware scene, its successor came into circulation.

While some things remain the same, crucial elements around the cloaking part of the malware have changed. These alterations have morphed into a new, powerful ransomware strain.

The truth is that it’s even more challenging to protect victims against CryptoWall 4.0 than from its predecessor.



What’s new about CryptoWall 4.0



Our team has recently observed that a new strain of CryptoWall has been released to target users worldwide.

On a technical level, the code in this strain of Cryptoware has been enhanced in several ways:

1. CryptoWall 4.0 still includes advanced malware dropper mechanisms to avoid antivirus detection, but this new version possesses vastly improved communication capabilities. It includes a modified protocol that enables it to avoid being detected, even by 2nd generation enterprise firewall solutions. This lowers detection rates significantly compared to the already successful CryptoWall 3.0 attacks.

2. Malware creators have also made changes in the text message dropped on infected systems. These files are now called:

HELP_YOUR_FILES.TXT

HELP_YOUR_FILES.HTML

HELP_YOUR_FILES.PNG

Here is an example of such a text:

C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.TXT

As you can see, the message uses an obviously condescending tone. It also includes an FAQ with answers directed to the victim.

3. CryptoWall 4.0 now encrypts not only the data in your files, but the file names as well. This social engineering technique confuses the victims even more. It also enhances the pressure of wanting to retrieve their data as fast as possible. Consequently, this increases the “success” ratio of how many victims see the message versus how many pay the ransom. A clear business enhancement by cyber criminals.
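The ransom note names above are the one indicator the post gives that an incident responder can search for on disk. The script below is an added example, not code from the original post or from any vendor: it walks a directory tree, reports every copy of HELP_YOUR_FILES.TXT/HTML/PNG (case-insensitive, since Windows file systems are), and lists the folders that contain one. The sample tree it builds under a temporary directory is constructed for the demonstration; the note-per-folder layout in it is an assumption for illustration, not a statement about where the malware writes.

```python
"""Locate CryptoWall 4.0 ransom-note artefacts in a directory tree (added example)."""
import os
import tempfile

# File names the post reports CryptoWall 4.0 dropping on infected systems.
RANSOM_NOTE_NAMES = {"HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.PNG"}


def find_ransom_notes(root):
    """Return sorted paths (relative to root) of every file whose name is a known ransom note.

    Matching is case-insensitive because Windows file names are.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() in RANSOM_NOTE_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def affected_directories(root):
    """Return sorted directories (relative to root) that contain at least one ransom note.

    A responder can use this list to scope which folders need restoring from backup.
    """
    dirs = {os.path.dirname(path) for path in find_ransom_notes(root)}
    return sorted(dirs)


def build_sample_tree():
    """Build a throwaway tree with constructed sample files (not a real infection).

    Layout is an assumption for the demo: three notes on the Desktop, one lower-case
    note next to an untouched document in Documents.
    """
    root = tempfile.mkdtemp(prefix="cw4_demo_")
    desktop = os.path.join(root, "Desktop")
    docs = os.path.join(root, "Documents")
    os.makedirs(desktop)
    os.makedirs(docs)
    for name in ("HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.PNG"):
        open(os.path.join(desktop, name), "w").close()
    open(os.path.join(docs, "help_your_files.txt"), "w").close()
    open(os.path.join(docs, "report.docx"), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for note in find_ransom_notes(sample_root):
        print("ransom note:", note)
    print("affected directories:", affected_directories(sample_root))
```

Run it against a mounted image or a share rather than the live system when possible; the note count per folder is a useful first measure of how far an infection spread before it was stopped.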

What’s important to observe here is that Cryptoware creators act like they run software companies:

they continue to enhance their code so it becomes more effective in terms of finding vulnerabilities to exploit

they address current IT security market trends by making their ransomware as undetectable as possible

they use all triggers at their disposal (social and emotional) to increase their return on investment.

What stayed the same



1. CryptoWall 4.0 continues to use TOR to direct victims to the payment instructions, just like CryptoWall 3.0. This way, victims can pay for a decryption key to ransom their data without compromising the anonymity of the attackers.

2. Just like its predecessor, CryptoWall 3.0, this new strain also connects to a series of compromised web pages to download the payload onto the targeted system. These pages also tie the infected system into a botnet and use it to spread malware to other computers.

Here is a short list of these infected pages:

pastimefoods [.] com

19bee88 [.] Com

adrive62 [.] com

httthanglong [.] com

mofiaweb [.] com

image camera club [.] com

vk1001 [.] ru

tuvestir [.] com

parsimaj [.] com

frc-pr [.] com

www.frc-pr [.] com

adcconsulting [.] net
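The domains above are written in defanged form ("[.]" for "."), which is how indicator lists are usually shared but not how they appear in proxy logs. The script below is an added example, not code from the original post or from any vendor: it refangs the list into a blocklist and runs it over a handful of constructed proxy log lines, matching both exact hosts and subdomains of a listed domain (so "www.frc-pr.com" matches even if only "frc-pr.com" were listed). The log line format (timestamp, client IP, method, URL, status) and the URLs in the sample are constructed for the demo; dropping the spaces inside "image camera club [.] com" treats them as defanging or extraction residue, which is an assumption.

```python
"""Refang the post's domain indicators and match them against proxy log lines (added example)."""
import re
from urllib.parse import urlsplit

# Defanged compromised-site list exactly as given in the post.
DEFANGED_DOMAINS = [
    "pastimefoods [.] com",
    "19bee88 [.] Com",
    "adrive62 [.] com",
    "httthanglong [.] com",
    "mofiaweb [.] com",
    "image camera club [.] com",
    "vk1001 [.] ru",
    "tuvestir [.] com",
    "parsimaj [.] com",
    "frc-pr [.] com",
    "www.frc-pr [.] com",
    "adcconsulting [.] net",
]

# Constructed sample log: timestamp, client IP, method, URL, HTTP status.
# example.com is a reserved name and serves as benign traffic here.
SAMPLE_LOG = """\
2015-11-10T12:01:03Z 10.0.0.5 GET http://example.com/index.html 200
2015-11-10T12:01:09Z 10.0.0.5 GET http://adrive62.com/ 200
2015-11-10T12:01:15Z 10.0.0.7 GET http://www.frc-pr.com/ 200
2015-11-10T12:01:20Z 10.0.0.7 GET http://cdn.vk1001.ru/ 200
2015-11-10T12:01:31Z 10.0.0.9 GET http://example.com/about 200
"""


def refang(domain):
    """Turn 'name [.] tld' back into 'name.tld' and normalise case.

    All whitespace is removed (assumption: it is defanging/extraction residue).
    """
    plain = re.sub(r"\s*\[\.\]\s*", ".", domain)
    plain = re.sub(r"\s+", "", plain)
    return plain.lower().strip(".")


def build_blocklist(defanged):
    """Return the set of refanged, lower-cased domains."""
    return {refang(d) for d in defanged}


def host_matches(host, blocklist):
    """True when host equals a blocked domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_proxy_log(lines, blocklist):
    """Return (host, line) pairs for every log line whose URL host hits the blocklist."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        host = urlsplit(fields[3]).hostname
        if host and host_matches(host, blocklist):
            hits.append((host, line))
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_DOMAINS)
    for host, line in scan_proxy_log(SAMPLE_LOG.splitlines(), blocklist):
        print(f"indicator hit {host}: {line}")
```

Suffix matching is deliberate: a compromised site often serves the payload from a subdomain, and an exact-match blocklist would miss it. Because the listed sites were legitimate pages that had been compromised, treat a hit as a lead to investigate the client host rather than as proof of infection.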

3. The infrastructure is unchanged.

4. Antivirus detection for this variant is, unfortunately, very low.

5. Like previous cases, CryptoWall 4.0 spreads via drive-by attacks and spam mails, which are still preferred as main attack vectors because of their low cost.



What should I do if I get infected?



Once your data is encrypted, unfortunately, there’s not much you can do. The encryption is very strong and most likely unbreakable.

The only options you have to access your data are:

to either format your system and restore your information from the most recent backup

or pay the ransom to get a decryption key – please note that paying the ransom does not guarantee that you will get the decryption key, and we do not recommend paying the ransom.

What should I do to prevent a CryptoWall 4.0 infection?



There are a number of ways you can prevent a Cryptoware infection and it may surprise you how basic many of them are:

keep your system up to date and always install the latest updates available

back up your data constantly and frequently

don’t keep any important information on your computer

do not open spam emails or emails sent by unknown senders

don’t download or open attachments in those emails

use products that can detect and block recent ransomware / Cryptoware variants.

Conclusion



Cyber crime has long transformed from a world of rebel attackers to a business field, albeit one with malicious objectives. And ransomware is an increasingly important segment of it.

It wouldn’t be far-fetched to say that we can expect Cryptoware threats to multiply and become increasingly sophisticated. The hard-hitting truth is that most Internet users are not aware that threats such as ransomware even exist, so they’re not doing much to protect themselves.

But that’s why we need to work together on this and help educate the others around us, be they family members, friends or small company owners, so we can all enjoy a safer web.