CryptoWall 4.0 Released With Filename Encryption Feature

CryptoWall 4.0 has been released recently and the latest version of the notorious file-encrypting ransomware brings several notable changes.

CryptoWall 4.0 has been released recently and the latest version of the notorious file-encrypting ransomware brings several notable changes.

According to Bitdefender, the most important change in the latest version of CryptoWall is that the threat doesn’t only encrypt the content of files, it also encrypts file names, which makes it nearly impossible for victims to recognize them.

Another interesting change in CryptoWall 4.0 is the ransom note, which now tells victims that the “CryptoWall Project” is not malicious. Bitdefender has pointed out that the new message is longer, but less alarming, and with a hint of irony.

“CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place,” the note reads.

Researchers at Heimdal Security also spotted some improvements designed to help the malware avoid detection. The security firm says antivirus detection rates are currently very low.

“CryptoWall 4.0 still includes advanced malware dropper mechanisms to avoid antivirus detection, but this new version possesses vastly improved communication capabilities. It includes a modified protocol that enables it to avoid being detected, even by 2nd generation enterprise firewall solutions,” Heimdal Security said in a blog post. “This lowers detection rates significantly compared to the already successful CryptoWall 3.0 attacks.”

Bitdefender told SecurityWeek that it first spotted the new malware on Wednesday. The security firm is still trying to determine the number of infections, but researchers don’t expect to see a high number of incidents considering that the threat only emerged recently.

The new version of the ransomware, which, like previous versions, has been distributed via spam emails, demands 1.83 Bitcoin, roughly $700, in return for the private key needed to decrypt the files. Victims are instructed to use the Tor anonymity network to pay the ransom.

Also similar to previous versions, the Decrypt Service website is used to make the payments, get a status on a payment, and even create support requests. Bitdefender says users can also decrypt one file for free, but recovering the most valuable file might be tricky now that file names are encrypted as well.

As for encryption, CryptoWall 4.0, like its predecessor, uses the RSA-2048 algorithm, which makes it nearly impossible to recover files without paying the cybercrooks.

Bleeping Computer reports that CryptoWall 4.0 is also similar to the previous major version when it comes to the use of RC4 encryption for command and control (C&C) communications, fingerprinting the victim’s device, and disabling services that could be used to recover encrypted files.

It’s worth pointing out that the new ransom note does not say the files have been encrypted by CryptoWall 4.0, as was the case with CryptoWall 3.0; it simply says CryptoWall. Bitdefender told SecurityWeek that it assigned the “4.0” to signal a new version of the threat.

In a report released last week, the Cyber Threat Alliance revealed that a single entity is likely behind the many CryptoWall 3.0 campaigns. After analyzing the primary Bitcoin wallets used in these operations, researchers determined that the cybercriminals made more than $300 million.

While in many cases it’s impossible to recover files without paying the ransom, sometimes victims get lucky, assuming that they hold on to the encrypted files long enough. Kaspersky Lab and Dutch authorities joined forces earlier this year in an effort to help the victims of CoinVault and Bitcryptor ransomware. The security firm announced last week that it had obtained all 14,000 decryption keys needed to recover encrypted files.

*Updated with clarifications that attackers are not officially calling this CryptoWall 4.0

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
