CryptoWall v4.0 released: Now encrypts the file names as well


Userlevel 7
Badge +54
Just the news I don't think anyone wants.
 
Posted by Stu Sjouwerman on Nov 4, 2015
 
Lawrence Abrams from the famous bleepingcomputer site wrote at Spiceworks:
"CryptoWall 4.0 has been released that displays a redesigned ransom note, new filenames, and now encrypts a file's name along with its data. We were alerted to this new variant by various members who have posted about being infected by what was being called the help_your_files ransomware.  Once we were able to analyze a sample, though, it was quickly determined that this was in fact a new version of CryptoWall."  This is a screenshot from their site that shows what it looks like: 
 


 
In summary, the new v4.0 release now encrypts file names to make it more difficult to determine important files, and has a new HTML ransom note that is even more arrogant than the last one. 
 
Full Article
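The post above says CryptoWall 4.0 now replaces file names as well as file contents and drops "help_your_files" ransom notes. As an added example (not code from the original post, from Bleeping Computer or from Webroot), here is a small defender-side triage helper that scores a directory listing for those two indicators. The sample listing, the note-file extensions, the extension whitelist and the thresholds are all constructed assumptions for the example; the only page-derived detail is the "help_your_files" note name.

```python
import math
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample directory listing (not real data): a user's folders after
# a CryptoWall 4.0-style run that replaced file names and dropped ransom notes.
SAMPLE_LISTING = [
    "Documents/report_q3.docx",
    "Documents/budget_2015.xlsx",
    "Documents/vx1k7s2q.p9z",           # constructed: name replaced by random characters
    "Documents/3jh9qz0f.k2a",
    "Documents/ajq8e1zz.m7r",
    "Documents/HELP_YOUR_FILES.HTML",   # ransom note name mentioned in the thread
    "Documents/HELP_YOUR_FILES.TXT",
    "Pictures/holiday_01.jpg",
]

# "help_your_files" comes from the thread; the set of note extensions is an assumption.
NOTE_NAME = re.compile(r"^help_your_files\.(txt|html|png)$", re.IGNORECASE)

# Small whitelist of ordinary user-document extensions (assumption for the example).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".jpeg",
                    ".png", ".zip", ".mp3", ".mp4"}

# A stem that is one unbroken run of letters/digits, no separators, at least 6 chars.
RANDOM_STEM = re.compile(r"^[a-z0-9]{6,}$", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking names score close to log2(len)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted_name(path: str) -> bool:
    """Heuristic: unknown extension plus a high-entropy stem mixing letters and digits."""
    name = PurePosixPath(path)
    stem, ext = name.stem, name.suffix.lower()
    if ext in KNOWN_EXTENSIONS or not RANDOM_STEM.match(stem):
        return False
    has_letter = any(ch.isalpha() for ch in stem)
    has_digit = any(ch.isdigit() for ch in stem)
    return has_letter and has_digit and shannon_entropy(stem) >= 2.5


def is_ransom_note(path: str) -> bool:
    """True when the file name matches the ransom note pattern."""
    return bool(NOTE_NAME.match(PurePosixPath(path).name))


def assess_listing(paths) -> dict:
    """Summarise note files and renamed files, and decide whether to escalate."""
    notes = [p for p in paths if is_ransom_note(p)]
    renamed = [p for p in paths if looks_encrypted_name(p)]
    data_files = [p for p in paths if not is_ransom_note(p)]
    fraction = len(renamed) / len(data_files) if data_files else 0.0
    # Thresholds are assumptions: one note, or half the files renamed, is enough to escalate.
    suspicious = bool(notes) or fraction >= 0.5
    return {
        "notes": notes,
        "renamed": renamed,
        "renamed_fraction": round(fraction, 2),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(assess_listing(SAMPLE_LISTING))
```

In practice you would feed this a listing from a file server share or a backup target rather than a hard-coded list; the useful signal is the combination of a note file appearing and a burst of files whose names no longer carry any recognisable extension, which is exactly what the name-encryption change in 4.0 produces.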
 

30 replies

Userlevel 7
Well, to be expected and I am sure that the Webroot Threat Researchers are on the case as we speak...;)
Userlevel 7
Badge +56
Good analysis of the ransomware here:
http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/
Userlevel 7
Badge +54
They are the ones who discovered it Nic 😉
Userlevel 7
Badge +56
Ah, good to know - that was the article that Stu's article references?
Userlevel 7
Badge +54
Yes, that is the one.
Userlevel 7
Badge +56
Analysis from our own threat research team here at Webroot: http://www.webroot.com/blog/2015/11/05/cryptowall-4-0-and-what-you-should-know/
Badge +8
@ wrote:
Analysis from our own threat research team here at Webroot: http://www.webroot.com/blog/2015/11/05/cryptowall-4-0-and-what-you-should-know/
Thank you so much @ it is nice to know we're in good hands 😃 I am very grateful for selecting Webroot.
T
Userlevel 7
Badge +56
You're welcome - yeah our threat team is always on top of the latest malware!
Userlevel 7
Badge +54
November 9, 2015  By Pierluigi Paganini
 

Security experts at Bitdefender speculate that the newborn Cryptowall 4.0 has a Russian origin. The company released a vaccine software.

 
Security experts at Bitdefender seem to have no doubt, the authors of the last variant of the popular Cryptowall ransomware, Cryptowall 4.0 are Russians. The experts came to this conclusion through evidence collected during their investigations, for example, the servers used for spamming the threat are located in Russia, and the Javascript used as a vector downloads the CryptoWall 4.0 payload from a Russian server.
 
The malware researchers also confirmed that the encryption algorithm used to encrypt the victim’s files is the unbreakable AES 256 and the key is encrypted using RSA 2048.
 
The Cryptowall 4.0 infections were observed across the world, including in France, Italy, Germany, India, Romania, Spain, US, China, Kenya, South Africa, Kuwait and the Philippines.
 
Full Article
Userlevel 7
Well, doh...of course it most likely comes from Russia or at least Russia has to be high on the list of possible candidates (and I am not being racist here...there are a lot of supremely able coders over there...in some cases more so than over here...and unfortunately they turn their undoubted talent to the nefarious rather than the beneficent :().
 
 
 
 
Userlevel 7
Badge +6
Just read on the SW forums that Bitdefender claims to have code that can immunize your computer against Cryptowall.
I'm kind of sceptical about it. But here's a bit of an article straight from the Bitdefender pages for everyone to dissect & make up their own minds
 
Russian Hackers are Behind Cryptowall 4.0; Bitdefender Creates Vaccine

Cryptowall 4.0 spam servers are located in Russia, according to
The Javascript-written malware downloads the CryptoWall component from a Russian server.

The investigation also reveals the encryption algorithm used is AES 256. The key is encrypted using RSA 2048, most likely because this second algorithm is resource-intensive.

Targeted countries we have identified so far include: France, Italy, Germany, India, Romania, Spain, US, China, Kenya, South Africa, Kuwait and the Philippines. Russian users seem to be safe. The malware doesn’t proceed with the encryption process if it detects Russian as a keyboard language.

How to prevent getting infected

Following the footsteps of its predecessors, CryptoWall has become a financial success for its creators. Recent numbers show that it inflicted an estimated $325 million in damages in the US alone. Its high turnaround prompted other cybercriminal groups to write new code that uses more sophisticated encryption algorithms. Therefore, it’s becoming harder for AV vendors to crack the code and come up with a solution.

To stop the spread of this threat, Bitdefender anti-malware experts have developed an antidote, a piece of software that allows users to immunize their computers and block file encryption attempts.

Please remember that this tool acts as an extra layer of protection, together with your anti-malware solution. If your computer is already infected with CryptoWall 4.0, the vaccine will not help disinfect it. The tool should be installed and used as a proactive measure against this specific strain of ransomware.
 
I'm not posting this article to promote non-Webroot-related articles. My purpose is to spark a discussion and maybe see if Webroot has any plans to do something similar because "In the Root we trust"  :D
 
 
 
Userlevel 7
Badge +6
@ wrote:
Well, doh...of course it most likely comes from Russia or at least Russia has to be high on the list of possible candidates (and I am not being racist here...there are a lot of supremely able coders over there...in some cases more so than over here...and unfortunately they turn their undoubted talent to the nefarious rather than the beneficent :().
 
 
 
 
@ don't forget the Chinese hackers. The Chinese government has an entire army of cyber warriors at its disposal although they will not officially acknowledge that.
It's great to chit chat about this new virus but what can we do to protect ourselves?  My husband's computer was hit by the first one and none of the Webroot programmers who tried to fix and/or recover the photos were able to do anything.  The computer hasn't worked right since.
Userlevel 7
Hi rjjin
 
Welcome to the Community Forums.
 
Whilst in general WSA should protect one from ransomware it is an ever changing battle between the Good side & Dark side of the Force; sometimes Webroot are ahead but just occasionally the malware writers get the upper hand for a while...and then some get infected. It is a tireless battle that is waged away from our eyes.
 
The only way to guarantee or better guarantee that nothing will get through is to go for a layered defence; i.e., WSA plus some other specific anti-executable or anti-ransomware application.
 
But it is good to remember that in the very vast majority of cases this will be unnecessary as WSA will have your back and also running additional security apps may limit what you can do on your system/require you to respond to messages when legitimate applications you want to use are blocked by mistake.
 
In short there is no simple answer.
 
Hope that helps?
 
Regards, Baldrick 
Hello @
 
Welcome to the Webroot Community.
 
I was just wondering, because I too am very concerned about the CryptoLocker/CryptoWall virus, did you have Webroot installed when this happened to you or was it installed afterward to try and reverse the effects of it?
 
From what I understand Webroot does protect users from this. However, if you were one of the first to become infected when the virus first emerged then perhaps Webroot hadn't added protection from it yet? 
 
The key for all of us, to limit the exposure to this nasty piece of malware, is to perform routine backups to either the cloud, or to a backup drive that is not always connected, but only connected when backing up.
 
Again, sorry to hear about your troubles. Perhaps a clean install of Windows will allow you to use your husband's computer again.
 
bd
Thanks - Yes, we've had Webroot installed for several years now. That's why I was so surprised when it got infected. We weren't one of the first because I had heard of it for quite a while before it got infected.

I'm not a programmer so when everyone starts talking about who did it and how good they are at being bad it's a bit frustrating. I would like to be protected without having to be a programmer to keep our stuff safe.
Userlevel 7
@ wrote:
Thanks - Yes, we've had Webroot installed for several years now. That's why I was so surprised when it got infected. We weren't one of the first because I had heard of it for quite a while before it got infected.

I'm not a programmer so when everyone starts talking about who did it and how good they are at being bad it's a bit frustrating. I would like to be protected without having to be a programmer to keep our stuff safe.
Hi rjjin
 
I completely understand but as I said before there is no such thing as 100% protection, even from WSA.  I am sorry to say that you were unlucky and that most are protected...which does not help or make you feel any better, I know. But if you want to be as foolproof as possible then go the 'layered defence' route.
 
That is my recommendation.
 
Regards, Baldrick
Userlevel 7
Badge +7
I believe in Webroot and I know they are doing their best to protect us and keep up with the bad guys as much as humanly possible.
 
Let them encrypt to their little hearts' content.
 
I have 3 image backups each day, one online and two offline.  I also sync important files and directories each day to the same online and offline areas.  If I get something that I can't afford to lose I sync it immediately to those three areas.
 
So let them have their fun. 
 
Dave
Userlevel 7
Indeed, Dave
 
I am with you on that but not everyone images their discs like we do and for them a layered defence is the next best thing if they feel they need/want a bit more protection.
 
And we have to stress that images and not backups are the way to go as backups can also end up getting encrypted, so negating their usefulness.
 
But ultimately the only 100% way of making sure they cannot get you is the old 'air gap' with the internet...not that this is in any way practical. ;)
 
Regards, Baldrick
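Two points raised in this thread, bd's advice to back up to a drive that is only connected while the backup runs, and Baldrick's warning that ordinary backups can themselves end up encrypted, come together in the following added example. It is not code from the thread, from Webroot or from any of the posters: it copies a source tree into a fresh, write-once snapshot directory under a backup root, records a SHA-256 manifest of every copied file, and later verifies the snapshot against that manifest so that a backup copy that was encrypted or had a ransom note dropped into it is noticed before anyone relies on it. The manifest file name, the snapshot labelling scheme and the sample files in the demo are assumptions constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"   # assumed name, chosen for this example


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(src: Path, dest_root: Path, label: Optional[str] = None) -> Path:
    """Copy src into a new snapshot directory and write a hash manifest beside the copies."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = dest_root / label
    snap.mkdir(parents=True, exist_ok=False)   # refuse to overwrite an earlier snapshot
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src)
            target = snap / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel.as_posix()] = sha256_of(target)   # hash the copy, not the source
    (snap / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return snap


def verify_snapshot(snap: Path) -> list[str]:
    """Return a sorted list of problems; an empty list means the snapshot matches its manifest."""
    manifest = json.loads((snap / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = snap / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"modified: {rel}")
    # Files the manifest never recorded (for example a dropped ransom note) are also flagged.
    for p in snap.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(snap).as_posix()
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Build a snapshot from constructed sample files, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        src = tmp_path / "documents"
        src.mkdir()
        (src / "report.docx").write_bytes(b"quarterly report (constructed sample)")
        (src / "photos").mkdir()
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 fake jpeg bytes (constructed)")
        backup_root = tmp_path / "offline_drive"   # stands in for the drive that is only connected during backup
        snap = make_snapshot(src, backup_root, label="snap-001")
        clean = verify_snapshot(snap)
        # Simulate the backup drive being reached while it was still connected:
        # one copy overwritten, one note file added.
        (snap / "report.docx").write_bytes(b"ENCRYPTED-GARBAGE (constructed)")
        (snap / "HELP_YOUR_FILES.TXT").write_text("ransom note (constructed)")
        tampered = verify_snapshot(snap)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean snapshot:", before)
    print("after tampering:", after)
```

The design choice worth noting is that each run creates a new snapshot directory and never rewrites an old one, so a run that happens after an infection cannot silently replace good copies with encrypted ones, and the manifest check is what lets you tell the two apart before restoring.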
Userlevel 7
Badge +7
Hi Baldrick,
Of course you are right. 
 
I was just taunting them a bit.  Because of the safeguards that I have in place I just don't worry about Crypto, virus, or any other malware. 
 
It only takes a short time to image or restore from image and syncing is a lightning fast way to secure files.
 
Regards,
Dave
@ wrote:
 
I
And we have to stress that images and not backups are the way to go as backups can also end up getting encrypted,...
I guess we're talking semantics here. My "Backups" contain complete images as well as individual files. In my case I was just using Backup as a general term here. ;)
 
bd
When a computer becomes infected with ransomware, after receiving the release money,  in what form does the bad guy release the files?  Do they transmit a key for the victim to enter or do they transmit some sort of release directly to the infected machine? 
If it is the former, why haven't we seen any publicity as to what the key was that they sent?  Are you folks working on a hack of their release system?
Userlevel 7
Badge +56
Each key is unique - they send you the key and then you enter that to decrypt your files.

In one case the police caught a ransomware ring and put all the keys online for people to look up if they were affected, but that only worked for people who'd been encrypted before this particular ring was caught.
What is a layered defense?
Userlevel 7
Hi kpape
 
Welcome to the Community Forums.
 
A 'layered defence', in very simplistic terms, is where one runs more than one security app on one's system, either apps that do the same thing or apps that complement each other...the idea being that if one app does not stop/intercept the malware then the other(s) will.
 
Now, to actually set such a defence up requires some knowledge and guidance as for instance in most cases one should never run two firewalls on the same system (WSA's & Windows Firewall being an exception). Also, some security apps do not play well or tolerate the presence of another (unlike WSA which is designed to be compliant/complementary to other security apps if so required...but is wholly capable on its own).
 
So it is about blending various security apps to provide as impenetrable a barrier to malware as possible. As another example a lot of security experts recommend that one runs an anti-exploit app as well as an anti-virus or Internet security suite because the anti-exploit app will specialise in the protection from exploits which in themselves are a specialised form of malware, etc.
 
No easy answer and it will take some time to work out what is right for one in terms of the sort of protection one wants and needs.
 
Hope that helps?
 
Regards, Baldrick
