Posted 14 January 2015 - 12:07 AM

After a brief hiatus of CryptoWall infections during the holidays, yesterday the malware developers released CryptoWall 3.0. The only changes in this version compared to the previous one are ransom note filename changes, new TOR gateways, and an extended deadline to make the payment. Other than that, CryptoWall 3.0 is the same piece of garbage we have come to hate in CryptoWall 2.0.

The first change is a longer deadline by which a payment must be made before the ransom amount increases. Originally the ransom deadline was 5 days after the time of the infection. Now they have increased the deadline to a full week.

Another change is additional TOR gateways that are used to access the CryptoWall decryption site. These TOR gateways are, and. Using these gateways an infected user is able to access the CryptoWall decryption site without installing the TOR browser software.

Last, but not least, the ransom note filenames have changed and now an extra PNG file is displayed along with the ransom notes when you log in to Windows. The names of the CryptoWall 3.0 ransom notes are now HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT, and HELP_DECRYPT.URL. Each ransom note is described below.

HELP_DECRYPT.HTML: This HTML file will be shown every time you log in to Windows and displays information on what CryptoWall 3.0 is and how to access the ransom site.

HELP_DECRYPT.PNG: This image file is displayed when you log in to Windows and contains more information about CryptoWall 3.0 and how to access the ransom site.

HELP_DECRYPT.TXT: This text file will be shown every time you log in to Windows and contains the same information as the other files.

HELP_DECRYPT.URL: This file will automatically load your default browser and display the CryptoWall 3.0 Decrypt Service when you log in to Windows. The decryption site looks similar to the image below.

The CryptoWall Information Guide has already been updated with this information and ListCwall is still able to export the list of encrypted files. You can also discuss this topic further in our CryptoWall Support Topic.

Kafeine has posted a story detailing how CryptoWall 3.0 also communicates over the anonymous network service I2P.
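The four ransom note filenames listed above can be used as a triage indicator. The following is an added example, not part of the original post and not a BleepingComputer tool: it walks a directory tree and reports which folders contain any of the notes. The function names `find_ransom_notes` and `summarize` and the sample folder layout are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Ransom note filenames named in the post, lower-cased for comparison.
NOTE_NAMES = {
    "help_decrypt.html",
    "help_decrypt.png",
    "help_decrypt.txt",
    "help_decrypt.url",
}


def find_ransom_notes(root):
    """Walk `root` and return {directory: sorted list of note filenames found}.

    Matching is case-insensitive because Windows filesystems are.
    os.walk skips directories it cannot read, so the scan does not abort.
    """
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in NOTE_NAMES:
                hits[dirpath].append(name)
    return {d: sorted(names) for d, names in hits.items()}


def summarize(hits):
    """Count how many copies of each note type were found across the tree."""
    counts = defaultdict(int)
    for names in hits.values():
        for name in names:
            counts[name.upper()] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample tree so the example runs offline.
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Users", "alice", "Documents")
        os.makedirs(docs)
        for fname in ("HELP_DECRYPT.TXT", "help_decrypt.html", "report.docx"):
            open(os.path.join(docs, fname), "w").close()
        found = find_ransom_notes(root)
        for directory, names in found.items():
            print(directory, names)
        print(summarize(found))
```

On a real system, point `find_ransom_notes` at a user profile or file share root; a hit shows only that a note file with one of these names is present there.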