The next generation of CryptoWall malware emerges
After a short-lived hiatus, the creators of CryptoWall have re-emerged with the next generation of the malware, dubbed "CryptoWall 3.0". Just as security experts thought they had a handle on the original threat, version 3.0 reopens the debate over which signals to watch for and how to protect against the growing number of ransomware variants.
So what's new? Since making its debut last fall and wreaking havoc on thousands of businesses and individuals globally, CryptoWall has become the biggest name in ransomware. Its predecessor, CryptoLocker, started the snowball rolling in 2013 as one of the first ransomware strains to spread widely in the wild.
The concept is simple: victims are infected by opening a malicious email attachment. Once on the system, CryptoWall encrypts the victim's files and demands a $500 ransom for the key needed to recover them. Payment must be made within seven days or the ransom doubles.
Enter a new wave of the threat -- CryptoWall 3.0. First seen in mid-January 2015, this next-generation variant creates more opportunity for attackers: distribution now relies on exploit kits, so wider infection is more likely, and once on the machine the malware works to obtain elevated privileges, giving it a freer hand on the system.
Also, rather than relying solely on the Tor anonymity network as previous versions did, CryptoWall 3.0 introduces the use of a less well-known network, the Invisible Internet Project (I2P), which has security experts simultaneously trying to learn more about the threat and educating the public on prevention measures.
As an anonymity network, I2P is the channel over which communication between victims and the operators is carried out, hiding the operators' infrastructure from law enforcement. Researchers believe the criminals use a hybrid approach so that if either the Tor or the I2P network is down, the malware remains fully functional and can still reach its command-and-control (C2) servers.
Additionally, the following new capabilities are included in CryptoWall 3.0:
- The ability to geolocate an infected system and display the ransom message in the appropriate language
- An extended ransom collection period
- Built-in virtual machine detection, so that the malware avoids running inside analysis sandboxes and other test environments and hits only real victims' systems
A Few Red Flags
While CryptoWall 3.0 is certainly shaking up the security landscape, a few red flags remain consistent with the original CryptoWall threat, including:
- Ransom notes named HELP_DECRYPT, dropped in .txt, .html, .url, and .png formats into the folders where files were encrypted
- RSA-2048 named as the encryption algorithm, so the files cannot be recovered without the private key held by the attackers
- Bitcoin as the accepted payment method
- Distribution by drive-by download (through exploit kits) and by email
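The HELP_DECRYPT notes listed above are the simplest artifact to hunt for after an infection. The following Python script is an added example, not code from the original article or from Intronis: it walks a directory tree, flags every folder holding a HELP_DECRYPT note in one of the four listed formats, and ignores look-alike names that share part of the name or carry a different extension. The directory layout it builds under a temporary folder is constructed sample data, and the function names (is_ransom_note, find_ransom_notes, build_sample_tree, demo) are my own.

```python
"""Scan a directory tree for CryptoWall-style HELP_DECRYPT ransom notes."""
import os
import tempfile
from pathlib import Path

# The note names the article lists as a CryptoWall red flag. Matching is
# case-insensitive because the malware writes them as HELP_DECRYPT.TXT etc.
NOTE_STEM = "help_decrypt"
NOTE_EXTENSIONS = {".txt", ".html", ".url", ".png"}


def is_ransom_note(name: str) -> bool:
    """True only for an exact HELP_DECRYPT stem with one of the four extensions."""
    p = Path(name)
    return p.stem.lower() == NOTE_STEM and p.suffix.lower() in NOTE_EXTENSIONS


def find_ransom_notes(root: str) -> dict:
    """Map each directory under root (relative path) to the notes found in it.

    Directories without a note are omitted, so the keys are the folders the
    ransomware touched.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = sorted(f for f in filenames if is_ransom_note(f))
        if notes:
            hits[os.path.relpath(dirpath, root)] = notes
    return hits


def build_sample_tree(base: str) -> str:
    """Constructed sample: two 'infected' folders, one clean folder, two decoys."""
    layout = {
        "finance": ["HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML",
                    "HELP_DECRYPT.URL", "HELP_DECRYPT.PNG", "q1.xlsx"],
        "finance/archive": ["HELP_DECRYPT.TXT", "old.docx"],
        # Decoy: similar stem, must not match.
        "photos": ["beach.jpg", "help_decrypt_printer_instructions.txt"],
        # Decoy: right stem, extension outside the known set.
        "tmp": ["HELP_DECRYPT.exe"],
    }
    for rel, files in layout.items():
        d = Path(base) / rel
        d.mkdir(parents=True, exist_ok=True)
        for f in files:
            (d / f).write_text("sample content\n")
    return base


def demo() -> dict:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_ransom_notes(tmp)


if __name__ == "__main__":
    for folder, notes in sorted(demo().items()):
        print(f"{folder}: {', '.join(notes)}")
```

Point find_ransom_notes at a file-server share or a user profile to get a map of which folders the ransomware reached; notes appearing across many folders of a share mean the host that wrote them should be isolated from the network immediately. This is a post-infection indicator only; it does nothing to prevent the encryption.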
What to Expect Next
While security experts are keeping pace with emerging threats, one thing is certain -- attackers aren't slowing down anytime soon. Security threats are on the rise, and it has become critical that businesses and individuals alike learn the prevention measures that best protect their assets from falling victim.
Paul Hanley is the Senior Partner Support Engineer at Intronis, a provider of backup and data protection solutions for small businesses. Paul is responsible for directly addressing partners' technical product concerns and performing second- and third-level support. He frequently writes knowledge-base articles for Intronis' software partners.