SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

9 Nov 2015

New CryptoWall released with filename encryption feature

BleepingComputer.com's editor Lawrence Abrams is reporting that a new version of the CryptoWall ransomware, CryptoWall 4.0, has been released, and has published details of why it is more of a threat than before: it now encrypts file names as well as file contents, and at present there is no way to recover the files other than restoring from a backup or paying the ransom.

Abrams became aware of the new CryptoWall variant while looking into cases where people reported infections by what they called the help_your_files ransomware. He quickly determined that this was in fact a new version of CryptoWall. According to Abrams, one of the biggest changes is that when the files are encrypted, the file names are encrypted too, producing names like 27p9k967z.x1nep or 9242on6c.6la9. This is presumably meant to frustrate victims further: with neither the name nor the extension intact, they can no longer tell which files matter and which would be worth recovering.

The other major change is a redesign of the HTML ransom note along with changing its name to help_your_files.html. Abrams reports a general sense of arrogance in the wording that is meant to even further annoy infected users and push them into paying the ransom.

CryptoWall continues to be distributed via email attachments. Abrams reported that in the infections analysed, the lure was a CV inside a zipped email attachment. The "CV", however, is actually a collection of JavaScript files that, when executed, download an executable, save it to the Windows %Temp% folder, and then run it.
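A mail gateway or help desk can catch this lure before anyone double-clicks it: a résumé should never arrive as a script. The following is an added example (not code from BleepingComputer or the article's source) that opens a zipped attachment and flags members whose final extension Windows would execute; the sample archive it builds is constructed here to mimic the described lure (a "CV" that is really a .js file) and contains only inert placeholder text.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows runs via wscript/cscript, mshta or directly.
# A genuine CV never needs any of these.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
BINARY_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}
DANGEROUS = SCRIPT_EXTS | BINARY_EXTS


def suspicious_members(zip_bytes):
    """Return [(member_name, reason)] for archive members a résumé should not contain.

    Only the final extension decides how Windows launches a file, so
    'resume.pdf.js' is treated as JavaScript, not as a PDF.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise backslash paths some archivers emit on Windows.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes:
                continue
            last = suffixes[-1]
            if last in DANGEROUS:
                reason = "script" if last in SCRIPT_EXTS else "executable"
                if len(suffixes) > 1:
                    # e.g. "resume.pdf.js": a document-looking name hiding a script
                    reason += " with double extension"
                findings.append((name, reason))
    return findings


def is_safe_attachment(zip_bytes):
    """True when no member would be executed by Windows on double-click."""
    return not suspicious_members(zip_bytes)


def build_sample_zip():
    """Constructed sample mimicking the lure: a zipped 'CV' that is really a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder text only; not a downloader.
        zf.writestr("resume_john_smith.pdf.js", "// placeholder, not a real downloader\n")
        zf.writestr("cover letter.docx", "placeholder document text\n")
    return buf.getvalue()


def build_clean_zip():
    """Constructed sample of a legitimate attachment with only document members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume_john_smith.pdf", "placeholder pdf bytes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_zip()):
        print(f"BLOCK: {member} ({reason})")
    print("clean attachment safe:", is_safe_attachment(build_clean_zip()))
```

The check is deliberately based on the last extension rather than on a content sniff, because that is the rule Windows Explorer itself applies when the victim double-clicks; pairing it with a policy that blocks the whole archive rather than just the offending member avoids the case where the harmless-looking cover letter is delivered alongside a stripped warning.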

Once active, CryptoWall 4.0 injects itself into explorer.exe and disables System Restore, deletes all Shadow Volume copies, and uses bcdedit to turn off Windows Startup Repair. It then injects itself into svchost.exe and encrypts the data on all local drives, removable drives, and mapped network drives. Once it has finished encrypting files it opens the ransom notes, which explain what happened and how to purchase the decrypter.
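The recovery-sabotage steps above are noisy and precede the encryption, which makes them the best point to detect and stop the infection. The following is an added example (not from the article or BleepingComputer's analysis) of detection logic run over constructed process-creation events. The exact command lines are assumed from the behaviour described (shadow copies deleted through vssadmin, startup repair disabled through bcdedit) rather than quoted from the sample, and the event format is a simplified "parent|image|command_line" line, not a real Sysmon or EDR export. It also includes a heuristic for the encrypted file names the article quotes (27p9k967z.x1nep, 9242on6c.6la9): a random alphanumeric stem and extension that each contain digits.

```python
import re

# Constructed process-creation events (simplified; not a real Sysmon/EDR export).
SAMPLE_EVENTS = [
    "explorer.exe|vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "explorer.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "explorer.exe|bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "services.exe|svchost.exe|svchost.exe -k netsvcs",
    "cmd.exe|vssadmin.exe|vssadmin list shadows",   # benign: listing, not deleting
]

# Each rule names the recovery capability being removed. Command lines are an
# assumption based on the described behaviour, not quoted from the malware.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def classify_event(line):
    """Parse one event and return it with the list of rule names it triggers."""
    parent, image, cmdline = line.split("|", 2)
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    return {"parent": parent, "image": image, "cmdline": cmdline, "hits": hits}


def detect(events):
    """Return only the events that trigger at least one rule."""
    return [ev for ev in map(classify_event, events) if ev["hits"]]


def recovery_sabotage_parents(events):
    """Parents that removed more than one recovery capability: the pattern of a
    ransomware staging step rather than an admin running a single command."""
    per_parent = {}
    for ev in detect(events):
        per_parent.setdefault(ev["parent"], set()).update(ev["hits"])
    return sorted(p for p, hits in per_parent.items() if len(hits) > 1)


# Heuristic for CryptoWall 4.0-style encrypted names: stem and extension are
# both lower-case alphanumeric and both contain at least one digit, which
# ordinary document names ("report.docx", "2015budget.xlsx") do not.
_ALNUM = re.compile(r"^[a-z0-9]{4,16}$")


def looks_encrypted_name(filename):
    stem, sep, ext = filename.rpartition(".")
    if not sep or not stem or not ext:
        return False
    return all(_ALNUM.match(p) and any(c.isdigit() for c in p) for p in (stem, ext))


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(ev["parent"], "->", ev["cmdline"], ev["hits"])
    print("staging parents:", recovery_sabotage_parents(SAMPLE_EVENTS))
    for n in ("27p9k967z.x1nep", "9242on6c.6la9", "report.docx"):
        print(n, looks_encrypted_name(n))
```

Alerting on the parent that issues several of these commands in sequence, rather than on each command alone, keeps the rule from firing on an administrator deliberately pruning shadow copies; in the sample, the commands come from the same injected explorer.exe, which is exactly the pairing the article describes.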

Some quotes from the ransom notes:

Cannot you find the files you need?
Is the content of the files that you have watched not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.
Congratulations!!!
You have become a part of large community CryptoWall.
CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection.
Together we make the Internet a better and safer place.

The Decrypt Service site is still alive in version 4.0 of the malware. From there a victim can make payments, find out the status of a payment, get one free decryption, and create support requests. At present, there is no way to recover files without restoring from a backup or paying the ransom. David Emm, Principal Security Researcher at Kaspersky Lab commented: "Given that ransomware offers such a lucrative return on investment for cyber-criminals, the appearance of CryptoWall 4.0 isn't surprising. At Kaspersky Lab, we have seen a growth in this sort of malware, including mobile ransomware programs.

"In addition to blocking ransomware, we work with law enforcement agencies to help them in their efforts to thwart ransomware campaigns. Take, for instance, the recent takedown of CoinVault. The police arrested the authors of the botnet, and Kaspersky Lab made available a free tool that enabled victims to decrypt their data."

Emm said Kaspersky would always provide detection for such programs and, where possible, decrypt data. "However, it's vital that businesses and individuals backup regularly, to avoid the risk of losing data. When it comes to the question of paying the ransom, we would recommend not doing so for a couple of reasons. Firstly, there's no guarantee that the criminals will provide decryption keys, and secondly, it validates their business model and encourages the creation of new campaigns," he said.

Tags:
Cryptowall, information leaks, fraud
Source:
SC Magazine