Ransomware Upgrades to V3.0

Monday, January 19, 2015 @ 12:01 PM gHale


CryptoWall ransomware underwent an upgrade and is now at version 3.0, which features localized ransom messages.

In addition to the new feature, researchers found that victims are given a choice of several addresses, all of which lead to the decryption service hosted in the I2P anonymity network. I2P is an anonymity network similar to Tor: traffic is encrypted in multiple layers and routed through a series of relays to conceal the identity of the user.


CryptoWall, also known as Crowti, is ransomware that includes file encryption capabilities. As soon as it executes on a compromised computer, it starts encrypting the data on it.

At the end of the operation, the victim gets a ransom message with instructions on how to pay in order to receive the key that unlocks the files. The fee is $500, payable in bitcoin within 168 hours (seven days) of the encryption process completing.

French malware researcher Kafeine, as well as researchers at Microsoft found Version 3.0 of the malware.

In a blog post, Kafeine said communication with the command and control server is encrypted with the RC4 algorithm and carried over the I2P protocol.
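Since the article reports that the command and control traffic is RC4-encrypted, the following is a plain implementation of RC4 showing what an analyst has to do to recover such traffic once the key is known. This is an added example, not code from CryptoWall, Kafeine or Microsoft; the key and messages are standard published test vectors, not CryptoWall traffic, and nothing here assumes how the malware derives its key, which this page does not describe.

```python
"""RC4 key scheduling, keystream generation and encryption/decryption.

Added example: the article says CryptoWall 3.0 protects its C2 traffic
with RC4. The key and sample messages used here are constructed/public
test vectors and are NOT CryptoWall's key or traffic.
"""


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: permute the bytes 0..255 under the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes):
    """Pseudo-random generation algorithm: yield keystream bytes indefinitely."""
    s = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt. RC4 is a stream cipher, so both directions are
    the same operation: XOR the data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


if __name__ == "__main__":
    # Constructed example: a fake "beacon" as an analyst might pull from a capture.
    key = b"Secret"
    beacon = b"Attack at dawn"
    ct = rc4_crypt(key, beacon)
    print(ct.hex())  # 45a01f645fc35b383552544b9bf5
    print(rc4_crypt(key, ct))  # b'Attack at dawn'
```

Two points worth keeping in mind when reversing C2 of this kind: because encryption and decryption are the same XOR, recovering the key for one message decrypts every message sent under it, and any two messages encrypted under the same key leak the XOR of their plaintexts, which is often enough to recover both once the message format is partly known.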

Kafeine tested the new CryptoWall sample and noticed the proxies did not work: attempting to connect produced an error message stating that the I2P website was unavailable for one of several reasons (a congested network or an inability to reach the relays) and that the user should retry.

However, the cybercriminals prepared for this scenario and also provided instructions on how to reach the decryption service hidden in the Tor anonymity network.

Microsoft researchers said CryptoWall 3.0 infected 288 unique machines in two days, January 11 and 12.

They added “CryptoWall 3.0 still follows the same behavior as previous variants, with minimal modifications such as changes in ransom notification file names:
• HELP_DECRYPT.HTML
• HELP_DECRYPT.PNG
• HELP_DECRYPT.TXT
• HELP_DECRYPT.URL

“The files still end up customized for each infected user with a personal link to the decryption instructions page, which is still served over the Tor network. Tor (anonymity network) is free software which enables online anonymity for users who attempt to resist censorship.”
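The four ransom-note file names quoted above are a cheap triage indicator for a responder sweeping file shares or imaged disks. The scanner below, an added example rather than code from Microsoft or the article, walks a directory tree and reports every directory containing one of those notes; the sample directory tree it builds is constructed for the demonstration and is not real victim data.

```python
"""Flag directories that contain CryptoWall 3.0 ransom-note drops.

Added example. The note names come from the Microsoft list quoted in the
article; the sample file tree built by build_sample_tree() is constructed.
"""
import os
import tempfile
from collections import defaultdict
from typing import Iterable

# Note files dropped into each directory the malware encrypts (per the article).
RANSOM_NOTE_NAMES = frozenset({
    "HELP_DECRYPT.HTML",
    "HELP_DECRYPT.PNG",
    "HELP_DECRYPT.TXT",
    "HELP_DECRYPT.URL",
})


def classify_paths(paths: Iterable[str]) -> dict[str, set[str]]:
    """Group ransom-note hits by directory.

    Matching is case-insensitive because the victims' Windows filesystems
    are, and an exact-name match is required so e.g. HELP_DECRYPT.TXT.bak
    (a renamed copy) is not counted as a live drop.
    """
    hits: dict[str, set[str]] = defaultdict(set)
    for p in paths:
        name = os.path.basename(p).upper()
        if name in RANSOM_NOTE_NAMES:
            hits[os.path.dirname(p)].add(name)
    return dict(hits)


def scan_tree(root: str) -> dict[str, set[str]]:
    """Walk root recursively and return {directory: {note names found}}."""
    def all_files():
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                yield os.path.join(dirpath, f)
    return classify_paths(all_files())


def build_sample_tree(root: str) -> None:
    """Constructed fixture: one clean directory, one with three notes dropped."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Pictures"))
    for name in ("report.docx", "HELP_DECRYPT.TXT", "help_decrypt.html", "HELP_DECRYPT.URL"):
        open(os.path.join(root, "Documents", name), "w").close()
    open(os.path.join(root, "Pictures", "holiday.jpg"), "w").close()


def demo() -> dict[str, set[str]]:
    """Build the constructed tree in a temp dir, scan it, return hits keyed by
    path relative to the temp root so the result is stable."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = scan_tree(root)
        return {os.path.relpath(d, root): names for d, names in hits.items()}


if __name__ == "__main__":
    for directory, names in demo().items():
        print(f"{directory}: {sorted(names)}")
```

File-name matching only finds what the operators chose to call their notes, so treat a hit as a trigger for deeper triage (encrypted-file extensions, modification-time clustering, the personal Tor link inside the note) rather than as the whole detection.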

A report in August 2014 from Dell SecureWorks Counter Threat Unit (CTU) found the cybercriminals behind the threat made more than $1.1 million over a six-month period (mid-March to August 2014) from 625,000 infected systems across the world.

CryptoWall has taken the place of CryptoLocker, which law enforcement authorities shut down last summer as part of an operation targeting the Gameover Zeus malware.


