WatchPoint Security Blog

CryptoWall 4.0

Written by Greg Edwards | November 11, 2015

CryptoWall 4.0: Back With A Vengeance

If you’re a regular reader of this blog, you already know about the sinister form of malware known as ransomware and its most infamous incarnation, ‘CryptoWall’. CryptoWall and its predecessor, CryptoLocker, have been doing the rounds since 2013, and in that time millions of computers have been infected, billions of files encrypted and millions of dollars extorted. CryptoWall is every business owner’s nightmare, and it is back with a vengeance in the form of CryptoWall 4.0.

CryptoWall 4.0 is a pimped-up version of its earlier forms. The cybercriminals have reacted as expected and upped their game; the arms race escalates. The fourth version of the extortion malware is even more evil. Here are some of the new and “improved” features of this nasty piece of malware:

  • It can arrive by way of a ‘dropper’: a small, innocuous-looking program whose only job is to fetch and install the real payload, so the malware piggybacks onto your system via something you chose to run. The NotFunny malware is an example of the technique: it was delivered as part of a Christmas ringtone from the Google Play network, and once you installed the ringtone, it installed the malware too. (That example is an Android app; the point is the delivery technique, not the platform.)
  • It uses a new command-and-control protocol, so network detections written against the traffic of earlier versions no longer fire.
  • It not only encrypts your files, it also encrypts their names, so a directory listing no longer tells you what each file was or which files have been hit.
  • It disables System Restore, deletes Volume Shadow Copies and turns off Windows Startup Repair, using Windows’ own administrative tools, so the usual local recovery routes are gone before you even see the ransom note.
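To show how a defender would catch the recovery-sabotage step in that last bullet, here is an added example of detection logic run over a constructed process-creation log. It is not code from the original post or from CryptoWall itself. It assumes a log line format of time, parent process, process and command line (roughly what a Sysmon process-creation event gives you), and the command lines it matches (vssadmin, wmic, bcdedit, wbadmin) are the standard Windows tools used for these actions, not commands quoted on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample process-creation log (not real telemetry). The format
# assumed here is "<time>|<parent image>|<image>|<command line>".
SAMPLE_LOG = """\
2015-11-10T09:14:02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
2015-11-10T09:14:05|C:\\Windows\\System32\\wscript.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\x3tq.exe|x3tq.exe
2015-11-10T09:14:06|C:\\Users\\bob\\AppData\\Local\\Temp\\x3tq.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2015-11-10T09:14:06|C:\\Users\\bob\\AppData\\Local\\Temp\\x3tq.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2015-11-10T09:14:07|C:\\Users\\bob\\AppData\\Local\\Temp\\x3tq.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2015-11-10T11:30:00|C:\\Windows\\System32\\mmc.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe List Shadows
2015-11-10T11:31:12|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /for=C: /oldest
"""

# Command lines that remove the local recovery routes listed above. These are
# the built-in tools ransomware uses for the job; the exact CryptoWall 4.0
# command lines are an assumption, not something quoted on the page.
SABOTAGE_PATTERNS = [
    ("shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow copies deleted via WMI", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("Startup Repair disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot failures ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup catalog deleted", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Parents that should never be deleting shadow copies: script hosts and Office
# (the email-attachment chain) and anything running from a user-writable path.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Finding:
    time: str
    parent: str
    what: str
    severity: str


def classify(cmdline):
    """Return the recovery-sabotage action a command line performs, or None."""
    for label, pattern in SABOTAGE_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def severity_for(parent):
    """High when the parent is a script host, Office, or runs from a user-writable
    path; medium otherwise, because an administrator may legitimately prune shadows."""
    p = parent.lower()
    if p.rsplit("\\", 1)[-1] in SCRIPT_HOST_PARENTS or any(d in p for d in USER_WRITABLE_DIRS):
        return "high"
    return "medium"


def scan_log(text):
    """Run every log line through the patterns and keep the hits with context."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, parent, _image, cmdline = line.split("|", 3)
        what = classify(cmdline)
        if what:
            findings.append(Finding(time, parent, what, severity_for(parent)))
    return findings


def sabotage_chains(findings, min_actions=2):
    """Group findings by parent; one parent performing several distinct sabotage
    actions is the ransomware signature, not an admin tidying up old shadows."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f.parent].add(f.what)
    return {parent: sorted(actions) for parent, actions in by_parent.items() if len(actions) >= min_actions}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.time} [{f.severity}] {f.what} (parent: {f.parent})")
    for parent, actions in sabotage_chains(found).items():
        print(f"RANSOMWARE CHAIN: {parent} -> {', '.join(actions)}")
```

On the sample log the three commands from the executable in the user’s Temp folder come out as one high-severity chain, while the administrator’s `vssadmin delete shadows /oldest` from a normal shell is flagged at medium severity only. In a real SIEM rule the list of trusted parents and paths is the part you tune; the command-line patterns themselves are shared by many ransomware families and rarely change.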

All of the above are designed to make CryptoWall 4.0 even more successful than its predecessors.

CryptoWall is still usually sent as an email attachment. Often disguised as a curriculum vitae, the attachment is really a JavaScript file; when opened, it runs a small downloader script that fetches the ransomware and executes it on your system.
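As an added example (not the original post’s code), here is a small Python check of the sort a mail gateway would run against exactly the kind of message just described: a ‘CV’ that is really a zipped JavaScript file. The message is constructed inside the block, with a harmless comment standing in for the downloader script, and the function and variable names are mine.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute, or hand to a script host, on a double-click.
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "scr", "exe",
                     "bat", "cmd", "pif", "ps1", "jar", "com"}
# Document types a CV might plausibly be; a script hiding behind one is a decoy.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "rtf", "txt", "jpg"}


def build_sample_message(inner_name="Curriculum_Vitae.pdf.js"):
    """Construct a sample mail of the kind described: a zipped 'CV' that is really a
    script. Everything here is made up; the member is an inert comment, not a downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// constructed stand-in for the downloader script; does nothing\n")
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"
    msg["To"] = "hr@example.invalid"
    msg["Subject"] = "Job application - CV attached"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="CV.zip")
    return msg.as_bytes()


def risky_name(filename):
    """Return a reason if a file name is executable, noting double extensions like cv.pdf.js."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
        return f"{filename}: double extension hiding a .{ext} script"
    return f"{filename}: executable or script attachment (.{ext})"


def inspect_archive(data, label, depth=0):
    """Look inside a zip (two levels of nesting) for script members. Encrypted
    members cannot be inspected, so they are reported rather than waved through."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: claims to be a zip but is not"]
    reasons = []
    with zf:
        for info in zf.infolist():
            member = f"{label}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                reasons.append(f"{member}: encrypted archive member, cannot be inspected")
                continue
            reason = risky_name(info.filename)
            if reason:
                reasons.append(f"{label} -> {reason}")
            if info.filename.lower().endswith(".zip") and depth < 2:
                reasons.extend(inspect_archive(zf.read(info), member, depth + 1))
    return reasons


def suspicious_attachments(raw_message):
    """Return the reasons a message should be held at the gateway; an empty list means it passed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = risky_name(name)
        if reason:
            reasons.append(reason)
        if name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            reasons.extend(inspect_archive(part.get_payload(decode=True), name))
    return reasons


if __name__ == "__main__":
    for reason in suspicious_attachments(build_sample_message()):
        print("HOLD:", reason)
```

The same message with a genuine `Curriculum_Vitae.docx` inside the zip passes cleanly, which is the point: the check is on what the attachment can do when double-clicked, not on the sender or the wording. Password-protected zips defeat inspection, which is why the code reports them instead of letting them through.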

There have also been changes to the way the cybercriminals behind CryptoWall present themselves. In the screen shown to the victim, for example, the perpetrators describe themselves as if they were helpful computer security researchers: the victim is now part of a ‘CryptoWall community’, and this is all being done in the interests of ‘security research’. They even state that CryptoWall “…is not intended to harm a person and his/her information data.” They also offer online support and one free decryption; they are turning ransomware into a well-oiled, and very lucrative, machine. This is all a bit rich coming from a group that then goes on to tell you that if you don’t pay hundreds of dollars within a set number of days you won’t get your data back. The cybercriminal network behind CryptoWall has become extremely confident, even arrogant.

The problem that we have as business owners is that the people behind CryptoWall have turned their beady eyes on small and medium-sized businesses. SMBs were targeted more than any other size of organization or individual in 2015; in June and July this year, for example, 67.23% of CryptoWall-related emails were found in the SMB sector.

The best way to avoid the devastation of a CryptoWall infection is simply not to get infected. If you do, you are left hoping you have a backup the malware could not reach (some backup systems are hit along with everything else: a backup on a mapped network drive or a permanently attached USB disk is just another set of files to encrypt), or paying the ransom, which, of course, is no guarantee that you will actually get your files back; we are dealing with criminals, after all.

Prevention, in the case of CryptoWall, is better than cure. Firstly, educate your users about the kind of emails that carry the malware. Secondly, keep a backup that is offline or otherwise out of the malware’s reach, and test that you can restore from it. Thirdly, make sure you have security software in place that can handle such stealthy threats. This entails using threat monitoring like the Carbon Black security intelligence system, which can spot a ransomware threat and send out an alert before it spreads across your network.

Stay safe and stay ransomware free.

