Connect with us

Hi, what are you looking for?



CryptoWall 4.0 Spreading via Nuclear Exploit Kit

The CryptoWall 4.0 ransomware is being spread via exploit kits, with the Nuclear exploit kit (EK) being the first major crimekit to infect machines with this type of malware, Rackspace security researcher Brad Duncan has discovered.

The CryptoWall 4.0 ransomware is being spread via exploit kits, with the Nuclear exploit kit (EK) being the first major crimekit to infect machines with this type of malware, Rackspace security researcher Brad Duncan has discovered.

In a blog post published by the SANS Internet Storm Center, Duncan explains that the “BizCN gate” actor has started sending CryptoWall 4.0 payloads from the Nuclear EK on Friday, November 20. The BizCN gate actor has been known to distribute malware via the Nuclear EK, but started using CryptoWall only on November 19, when the ransomware in the payload was at version 3.0.

CryptoWall 4.0 was spotted for the first time in early November, less than a year after its predecessor made a debut on the malware scene. The updated threat encrypts not only the content of the files on infected machines, but also file names, which prevents victims from recognizing them, while also featuring an updated ransom note, which claims that the CryptoWall Project is not malicious.

In early November, researchers at Heimdal Security reported that CryptoWall 4.0 () includes advanced malware dropper mechanisms and improved communication capabilities, such as a modified protocol that enables it to avoid detection. Similar to previous versions, it uses the Decrypt Service website for payments, and asks victims to pay 1.83 Bitcoin, roughly $700, for the private key to decrypt their files.

Until now, CryptoWall 4.0 has been spreading through spam emails, and this is the first time it has been spotted in an exploit kit. However, considering that CryptoWall 3.0 has been spreading through Nuclear, Angler, and other exploit kits, chances are that the actors behind them will start including CryptoWall 4.0 among their malicious payloads in the near future.

According to Duncan, the BizCN gate actor currently spreading the ransomware via Nuclear EK has recently switched IP addresses from the block (Germany – TK Rustelekom LLC) to (Ukraine – PE Fesenko Igor Mikolayovich). He also notes that injected script pointing at to the BizCN-registered gate can be observed on the pages of compromised websites.

He explains that URL patterns in HTTP GET requests are distinctive, and that HTTP GET requests to the gate domain return javascript that was sent sent gzip-compressed. By analyzing the payload, traces of Nuclear EK were found, and Duncan says that the EK exploits a flash vulnerability on the website to successfully infect Windows hosts.

Advertisement. Scroll to continue reading.

The researcher also discovered that the version of CryptoWall sent by the BizCN gate actor differs from other instances of the malware and that it looks like an NSIS installer, placing custom artifacts in the infected user’s AppDataLocalTemp directory.

While CryptoWall 4.0 has been noticed only in Nuclear EK and is associated only with the BizCN gate actor as of now, Duncan expects it to appear in other EKs soon. He also notes that BizCN might change tactics, in an attempt to go undetected, though the researcher is certain that the gate actor can be found again, unless it initiates a drastic change.

In late October, the Cyber Threat Alliance said in a report that CryptoWall 3.0 campaigns appear to be initiated by a single entity. They also noted that the primary Bitcoin wallets used in these operations pointed at the fact that the masterminds behind the malware made more than $300 million.

In June, FBI estimated that over 992 CryptoWall-related complaints received between April 2014 and June 2015 resulted in more than $18 million in losses.

Related: CryptoWall 4.0 Released With Filename Encryption Feature

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...