New variation on CryptoWall

By QCS Group Blog, November 8, 2015

CryptoWall is coming to you with a variation on the original theme.

Apparently Australia has more ransomware attacks than any other country.

The new strain poses as an antivirus tester, claiming to check whether your AV solution is protecting you.

It says:

“CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place.”

It’s not actually your friend!! Instead, it installs the malware, encrypts your files and then demands $700 worth of bitcoins.

Be extra vigilant and please make sure all the staff know about this. The bad guys keep coming up with smarter ways of trying to get your money.

The full article from Hot For Security appears below.

As always, if you’re unsure about anything that arrives, don’t hesitate to give our tech team a call on 1300858723.

CryptoWall 4.0 returns to the wild, posing as good guy

The infamous CryptoWall ransomware family is back, encrypting files under the false pretense of testing AV solutions for their “suitability” to protect data.

“CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place.”

This time, users are requested to pay $700 worth of Bitcoins (1.83 BTC). CryptoWall, active since April 2014 under three known versions, has inflicted more than $1 million in losses every month, according to federal reports.

Bitdefender malware researchers analyzed a sample of the fresh strain of malware and saw clear differences between CryptoWall 4.0 and its predecessors.

In terms of propagation, CryptoWall seems to employ the same distribution method as before: spam e-mails carrying the infection.

Fig 1. CryptoWall-infected spam email

The malware displays a redesigned ransom message and new filenames, but the most notable change is that CryptoWall 4.0 now encrypts the names of the files along with their contents. Each encrypted file is given a name made up of random numbers and letters, so victims can no longer tell which file is which, much to their frustration.

Fig 2. Documents prior to CryptoWall 4.0 infection

Fig 3. Documents after CryptoWall 4.0 encryption
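The two visible signs described above (whole folders renamed to random letters and digits, and a ransom note dropped in HTML, TXT and PNG form) can be checked for from a plain directory listing. The following Python heuristic is an added example and is not code from the page or from Bitdefender; the sample listing is constructed, and the note file name used in it is a placeholder, since the page does not give the real one.

```python
import os
from collections import defaultdict

# Constructed sample listing of one user folder (not taken from the page): three ordinary
# documents, five files renamed in the random-alphanumeric style the article describes, and
# a ransom note dropped in the three formats the article mentions. The note's base name is a
# placeholder; CryptoWall 4.0's real note name is not stated on the page.
SAMPLE_LISTING = [
    "Q3_budget.xlsx", "holiday_photos.zip", "letter_to_bank.docx",
    "7h3k2p9x.1a4b", "b8s0dq2.q9w", "zz91lmp4.f7k", "p0o9i8u7y6.t5r", "m3n4b5v6.c7x",
    "README_RANSOM_PLACEHOLDER.HTML", "README_RANSOM_PLACEHOLDER.TXT", "README_RANSOM_PLACEHOLDER.PNG",
]

# Extensions a user application would normally produce; a random extension will not be here.
KNOWN_EXTENSIONS = {
    "txt", "html", "htm", "png", "jpg", "jpeg", "gif", "pdf", "doc", "docx", "xls", "xlsx",
    "ppt", "pptx", "zip", "rar", "7z", "exe", "dll", "csv", "mp3", "mp4", "avi", "mov",
    "json", "xml", "py", "js", "log", "ini", "bak",
}
NOTE_FORMATS = {"html", "txt", "png"}   # the three note formats the article reports


def split_name(filename):
    """Lower-cased (stem, extension-without-dot) for a file name."""
    stem, ext = os.path.splitext(filename.lower())
    return stem, ext.lstrip(".")


def looks_random(filename):
    """Heuristic for a renamed file: stem and extension are bare runs of ASCII letters and
    digits (no separators), the stem mixes digits and letters, and the extension is not one
    a user application would produce."""
    stem, ext = split_name(filename)
    if ext in KNOWN_EXTENSIONS:
        return False
    if len(stem) < 6 or not (stem.isascii() and stem.isalnum()):
        return False
    if ext and not (ext.isascii() and ext.isalnum()):
        return False
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def find_ransom_note_sets(filenames):
    """Stems that occur in all three note formats (HTML, TXT and PNG) at once."""
    formats_by_stem = defaultdict(set)
    for name in filenames:
        stem, ext = split_name(name)
        formats_by_stem[stem].add(ext)
    return sorted(stem for stem, exts in formats_by_stem.items() if NOTE_FORMATS <= exts)


def assess_directory(filenames, ratio_threshold=0.5):
    """Summarise one directory listing; flag it when most data files carry random names or a
    three-format note set is present."""
    note_stems = find_ransom_note_sets(filenames)
    note_files = {n for n in filenames if split_name(n)[0] in note_stems}
    data_files = [n for n in filenames if n not in note_files]
    random_files = [n for n in data_files if looks_random(n)]
    ratio = len(random_files) / len(data_files) if data_files else 0.0
    return {
        "total": len(filenames),
        "data_files": len(data_files),
        "random_names": len(random_files),
        "random_ratio": round(ratio, 3),
        "note_stems": note_stems,
        "suspicious": ratio >= ratio_threshold or bool(note_stems),
    }


if __name__ == "__main__":
    print(assess_directory(SAMPLE_LISTING))
```

The ratio is computed over data files only, so a directory is not flagged merely because it holds a few oddly named files; the note check works independently, since a dropped note is a stronger signal than the names alone.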

After it installs and encrypts files, the malware displays a ransom note in three formats: HTML, TXT and PNG. The message is noticeably different from previous versions: longer, less alarming and with a hint of irony.

Fig 4. HTML ransom note after infection

After educating users on encryption, the attackers also make it clear they are the sole owners of the so-called decryption software users are urged to pay for, and that “any attempts to restore your files with the third-party tools can be fatal for encrypted files.” Metaphorically put, the damaged files are like missing puzzle pieces; the picture will never be complete again.

To preserve anonymity, the ransomware asks users to pay the ransom via a Tor address. The attackers also warn users that AV solutions are “to blame” if the instructions are deleted, that is, if the AV blocks the virus. For this case they have laid down a plan B: another set of instructions on how to install Tor.

The message recommends that the payment be completed within 2-3 days, in case the links are taken down.

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions. From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

Fig 5. Decrypt service payment site

The encryption standard employed seems to remain the same, RSA-2048, a strong algorithm that makes decryption without the attackers’ private key infeasible.
