CryptoWall - A new ransomware from the creators of CryptoDefense


Towards the end of April the developers of CryptoDefense released a new Ransomware variant titled CryptoWall. This variant is for the most part the same as CryptoDefense other than the name change and different filenames for the ransom instructions. It is speculated that the developers either released a new version because CryptoDefense was too well known by AV vendors or that they sold the code base to another malware developer. Unfortunately, just like the latest versions of CryptoDefense it is impossible to decrypt files that are encrypted by CryptoWall.


When CryptoWall is installed it will scan your computer for data files and encrypt them. It will then create files containing ransom instructions in every folder that it had encrypted a file. These ransom notes are DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and the DECRYPT_INSTRUCTION URL shortcut to the decryption service. Each of these files contains instructions on how you can access the CryptoWall Decrypt Service, which is located at the hxxps://kpai7ycr7jxqkilp.torexplorer.com/ URL, and pay the ransom. The ransom is currently set to 500 USD and is payable with Bitcoins. The amount of Bitcoins required will change based on their current price.

 
Full Article
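A defender-side check for the behaviour described above, added here as an example and not code from the post or from BleepingComputer: it walks a directory tree, lists every folder that holds CryptoWall's ransom notes (the note filenames come from the post; the `.URL` extension for the shortcut and the sample tree are assumptions), and reads the decryption-service address out of the shortcut so the affected folders and the contact URL can be recorded for incident notes.

```python
import os
import tempfile

# Ransom-note filenames the post says CryptoWall drops in every folder it encrypts.
# The .URL extension for the "URL shortcut" note is an assumption.
NOTE_NAMES = {"DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.URL"}


def find_ransom_notes(root):
    """Walk `root` and return {folder: sorted note names} for every folder holding a note."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        found = sorted(f for f in files if f.upper() in NOTE_NAMES)
        if found:
            hits[dirpath] = found
    return hits


def shortcut_url(path):
    """Return the URL= value from a Windows .URL (InternetShortcut) file, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.strip().upper().startswith("URL="):
                return line.strip()[4:]
    return None


def build_sample_tree(base):
    """Constructed sample: two folders with notes (as after encryption), one clean folder."""
    for sub in ("Documents", os.path.join("Documents", "Tax")):
        d = os.path.join(base, sub)
        os.makedirs(d, exist_ok=True)
        for name in NOTE_NAMES:
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                if name.endswith(".URL"):  # defanged address quoted in the post
                    fh.write("[InternetShortcut]\nURL=hxxps://kpai7ycr7jxqkilp.torexplorer.com/\n")
                else:
                    fh.write("constructed ransom note placeholder\n")
    os.makedirs(os.path.join(base, "Pictures"), exist_ok=True)


def scan_sample():
    """Build the constructed tree in a temp dir and scan it; returns (affected folders, url)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_ransom_notes(tmp)
        folders = sorted(os.path.relpath(d, tmp) for d in hits)
        url = shortcut_url(os.path.join(tmp, "Documents", "DECRYPT_INSTRUCTION.URL"))
    return folders, url


if __name__ == "__main__":
    print(scan_sample())
```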

8 replies

Userlevel 7
It's always good to know what one should be aware of ;)
 
Userlevel 7
While this article states that it, like previous versions of the ransomware, makes it impossible to decrypt the files, I am not so sure. Past ransomware versions have actually been thwarted by the rollback feature within WSA.
 
@ or @ , is there any chance I can get a confirmation that this one also will be defeated by WSA and the files recoverable via rollback?
 
Thanks  :-) 
Userlevel 7
I'll see if I can find a sample of it. I don't see any reason why rollback wouldn't work.
Userlevel 7
Thanks for the reply! That pretty much answers that question right there.
 
While I never had any of these programs manage to find my laptop, I am not really worried about them either :-)
Userlevel 7
Comment: A new twist to ransomware: after files are encrypted the victim is asked to pay in Bitcoins, and if the victim does not have Bitcoins they are instructed to change the money they have into this cryptocurrency.
=================================================================================================
By: HNS Staff/ Posted on 25.07.2014
 
Ransomware is now one of the fastest growing classes of malicious software, says Kaspersky Lab researcher Fedor Sinitsyn. This should not come as a surprise, when we know that 35 percent of those who get infected by it end up paying the ransom.

The Russian AV company has recently spotted a new ransomware family they detect as "Onion." The malware itself is called CTB-Locker, and analysis of its code revealed that, apart from its ultimate goal, it is unlike any other known ransomware family.

"Its developers used both proven techniques 'tested' on its predecessors (such as demanding that ransom be paid in Bitcoin) and solutions that are completely new for this class of malware," says Sinitsyn.
 


 
Help Net Security/ Full Read Here/ http://www.net-security.org/malware_news.php?id=2819
Userlevel 7
Hi Anthony
 
Well, in my opinion that is just adding insult to injury....downright cheeky.  Next thing is that they will be requiring one to open a new bank account or pay in bearer bonds, etc.
 
Baldrick
Userlevel 7
The following article is an update on CryptoWall

(CryptoWall More Pervasive, Less Profitable Than CryptoLocker)

 
By: Sara Peters/ Posted on 8/28/2014
 
The former CryptoLocker wannabe has netted 625,000 infected systems and more than $1 million in ransoms.
 CryptoWall might have been just a CryptoLocker wannabe a few months ago, but since CryptoLocker went down with the GameOver ZeuS ship in June, CryptoWall has taken its place as the top ransomware on the market, according to a new report.
Like similar ransomware, CryptoWall infects an endpoint, encrypts users' files, and demands payment from those who want access to those files. CryptoWall can get its hands on hard disks, removable drives, network drives, and even cloud storage services that are mapped to a targeted file system.
CryptoWall is neither as technologically sophisticated nor as profitable as CryptoLocker, but it has infected more systems, and it's earned a cool million for its operators so far. Dell SecureWorks' Counter Threat Unit says in a new threat intelligence report that its researchers "consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing."
 
DarkReading/ full article here/ http://www.darkreading.com/cryptowall-more-pervasive-less-profitable-than-cryptolocker/d/d-id/1306813?
 
Userlevel 2
I recently had a customer infected with CryptoWall. He had AVG installed. That failed and there was nothing I could do. What seemed to remove the encryption virus that was consuming 100% of the hard disk was ComboFix. I would recommend using WSA with CryptoPrevent if you are worried about being infected by any Cryptovirus. This particular customer of mine lost everything. Serious stuff.