Security Experts:

CryptoWall 4.0 Released With Filename Encryption Feature

CryptoWall 4.0 has been released recently and the latest version of the notorious file-encrypting ransomware brings several notable changes.

According to Bitdefender, the most important change in the latest version of CryptoWall is that the threat doesn’t only encrypt the content of files, it also encrypts file names, which makes it nearly impossible for victims to recognize them.

Another interesting change in CryptoWall 4.0 is the ransom note, which now tells victims that the “CryptoWall Project” is not malicious. Bitdefender has pointed out that the new message is longer, but less alarming, and with a hint of irony.

“CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place,” the note reads.

Researchers at Heimdal Security also spotted some improvements designed to help the malware avoid detection. The security firm says antivirus detection rates are currently very low.

“CryptoWall 4.0 still includes advanced malware dropper mechanisms to avoid antivirus detection, but this new version possesses vastly improved communication capabilities. It includes a modified protocol that enables it to avoid being detected, even by 2nd generation enterprise firewall solutions,” Heimdal Security said in a blog post. “This lowers detection rates significantly compared to the already successful CryptoWall 3.0 attacks.”

Bitdefender told SecurityWeek that it first spotted the new malware on Wednesday. The security firm is still trying to determine the number of infections, but researchers don’t expect to see a high number of incidents considering that the threat only emerged recently.

The new version of the ransomware, which similar to previous versions has been distributed via spam emails, demands 1.83 Bitcoin, roughly $700, in return for the private key needed to decrypt the files. Victims are instructed to use the Tor anonymity network to pay the ransom.

Also similar to previous versions, the Decrypt Service website is used to make the payments, get a status on a payment, and even create support requests. Bitdefender says users can also decrypt one file for free, but recovering the most valuable file might be tricky now that file names are encrypted as well.

As for encryption, CryptoWall 4.0, like its predecessor, uses the RSA-2048 algorithm, which makes it nearly impossible to recover files without paying the cybercrooks.

Bleeping Computer reports that CryptoWall 4.0 is also similar to the previous major version when it comes to the use of RC4 encryption for command and control (C&C) communications, fingerprinting the victim’s device, and disabling services that could be used to recover encrypted files.

It’s worth pointing out that the new ransom note does not say the files have been encrypted by CryptoWall 4.0 like in the case of CryptoWall 3.0  it simply says CryptoWall. Bitdefender told SecurityWeek that it assigned the "4.0" to signal a new version of the threat. 

In a report released last week, the Cyber Threat Alliance revealed that a single entity is likely behind the many CryptoWall 3.0 campaigns. After analyzing the primary Bitcoin wallets used in these operations, researchers determined that the cybercriminals made more than $300 million.

While in many cases it’s impossible to recover files without paying the ransom, sometimes victims get lucky, assuming that they hold on to the encrypted files long enough. Kaspersky Lab and Dutch authorities joined forces earlier this year in an effort to help the victims of CoinVault and Bitcryptor ransomware. The security firm announced last week that it had obtained all 14,000 decryption keys needed to recover encrypted files.

*Updated with clarifications that attackers are not officially calling this CryptoWall 4.0

view counter