CryptoWall 4.0 Distributed via Nuclear EK, BizCN Gate Actor - How to, Technology and PC Security Forum |

CryptoWall 4.0 Distributed via Nuclear EK, BizCN Gate Actor

cryptowall-4 0 -sensorstechforumA new version of CryptoWall arrived in the beginning of November. Some researchers immediately dubbed it CryptoWall 4.0, while others were more precautious and referred to it as to a ‘point release’. A couple of weeks later, all doubts evaporated. Security researchers have just confirmed that it is indeed CryptoWall 4.0. They have also unveiled that 4.0 is currently being distributed via the infamous Nuclear Exploit Kit.

Learn More about Exploit Kits:
Exploit Kit Attacks in 2015

Moreover, many AV engineers believe that CryptoWall 5.0 and 6.0 are currently being written. Ransomware is now seen not only as a highly damaging form of cybercrime but also as a form of a very successful software company. Or perhaps a malware enterprise?

New Information about CryptoWall 4.0

Earlier this week the SANS Internet Storm Center informed that an individual or a group of individuals is using domains that belong to the Chinese registrar BizCN to spread CryptoWall’s latest via the Nuclear EK. According to the security engineer Brad Duncan the ransomware’s 4th edition was initially spread via malicious spam and phishing emails. It is now the first time that CryptoWall 4.0’s distribution relies on an exploit kit.

Learn More more about CryptoWall 4.0:
CryptoWall 4.0’s technical description and removal

In a conversation with Threatpost, Brad Duncan says that:

“I’ve always expected 4.0 to spread and replace CryptoWall 3.0 in all areas. I noticed the same thing when CryptoWall 2.0 replaced the original CryptoWall in 2014. It didn’t happen immediately. It started with malicious spam and moved to exploit kits. As criminals start delivering CryptoWall 4.0 through exploit kits, it won’t immediately happen with all exploit kits at the same time. You’ll start seeing it from one actor, then another, and another. At some point everyone will have moved to the new version.”

The researcher has also discovered that the attack, launched from the BizCN domains, has recently switched the IP addresses for the gate domains. These domains serve as intermediary servers between the compromised websites and the server hosting the EK. The malicious actor behind the curtains of the operations is currently using the Nuclear Exploit Kit.

This is what Mr. Duncan says about the operation:

“Gate servers can check for operating system or browser type from the user agent string in the HTTP headers sent by a potential victim. Depending on the user agent string, the Gate server will respond accordingly. With the BizCN gates, when the OS is not Windows, the gate server will respond with a ‘404 not found’ (no need to waste resources on a host that’s not vulnerable). If the user agent string shows a Windows host, the gate server will return a 200 OK, which will then generate traffic to an EK server.”

For more information, you can refer to the detailed CryptoWall 4.0 analysis published by the SANS ISC.

CryptoWall 4.0 – What Should I Keep In Mind?

The updated version of CryptoWall has been observed to encrypt the names of the victim’s files – a procedure that will certainly confuse victims even more. Another peculiar thing about CryptoWall 4.0 is that its authors have now adopted a sense of humor. Yes, you read correctly. The updated CryptoWall 4.0’s message goes like that, making fun of users in quite the obvious manner:

‘Congratulations! You have now become a part of large community CryptoWall!’

Overall, the network traffic observed by Duncan looks almost identical to CryptoWall 3.0, with the only difference that an IP address check is not applied. He also adds that the snort-based signatures he has seen for CryptoWall 3.0 callback traffic are still valid for 4.0.

How Can I Remove CryptoWall 4.0 and Stay Protected?

Removing CryptoWall 4.0 is the easy part, as its encryption may be impossible to beat. However, we have still compiled a removal method followed by a decryption process.

1. Boot Your PC In Safe Mode to isolate and remove

1. Boot Your PC Into Safe Mode

1. For Windows 7,XP and Vista. 2. For Windows 8, 8.1 and 10.

For Windows XP, Vista, 7 systems:

1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:

For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.


For PCs with multiple operating systems: Òhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.


3. As the “Advanced Boot Options” screen appears, select the Safe Mode with Networking option you want using the arrow keys. As you make your selection, press “Enter“.

4. Log on to your computer using your administrator account


While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.

Step 1: Open the Start Menu


Step 2: Whilst holding down Shift button, click on Power and then click on Restart.
Step 3: After reboot, the aftermentioned menu will appear. From there you should choose Troubleshoot.


Step 4: You will see the Troubleshoot menu. From this menu you can choose Advanced Options.


Step 5: After the Advanced Options menu appears, click on Startup Settings.


Step 6: Click on Restart.

Step 7: A menu will appear upon reboot. You should choose Safe Mode by pressing its corresponding number and the machine will restart.

2. Remove with SpyHunter Anti-Malware Tool

2. Remove with SpyHunter Anti-Malware Tool

1. Install SpyHunter to scan for and remove .2. Scan with SpyHunter to Detect and Remove .
Step 1:Click on the “Download” button to proceed to SpyHunter’s download page.

It is highly recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter.

Step 2: Guide yourself by the download instructions provided for each browser.
Step 3: After you have installed SpyHunter, wait for it to automatically update.


Step1: After the update process has finished, click on the ‘Scan Computer Now’ button.
Step2: After SpyHunter has finished scanning your PC for any files, click on the ‘Fix Threats’ button to remove them automatically and permanently.
Step3: Once the intrusions on your PC have been removed, it is highly recommended to restart it.

3. Back up your data to secure it against infections and file encryptions by in the future

3. Back up your data to secure it against attacks in the future

Security engineers recommend that you back up your files immediately, preferably on an external memory carrier in order to be able to restore them. In order to protect yourself from (For Windows Users) please follow these simple steps:

1. For Windows 7 and earlier 1. For Windows 8, 8.1 and 10 1. Enabling the Windows Defense Feature (Previous Versions)

1-Click on Windows Start Menu
2-Type Backup And Restore
3-Open it and click on Set Up Backup
4-A window will appear asking you where to set up backup. You should have a flash drive or an external hard drive. Mark it by clicking on it with your mouse then click on Next.
5-On the next window, the system will ask you what do you want to backup. Choose the ‘Let Me Choose’ option and then click on Next.
6-Click on ‘Save settings and run backup’ on the next window in order to protect your files from possible attacks by .

1-Press Windows button + R
2-In the window type ‘filehistory’ and press Enter
3-A File History window will appear. Click on ‘Configure file history settings’
4-The configuration menu for File History will appear. Click on ‘Turn On’. After its on, click on Select Drive in order to select the backup drive. It is recommended to choose an external HDD, SSD or a USB stick whose memory capacity is corresponding to the size of the files you want to backup.
5-Select the drive then click on ‘Ok’ in order to set up file backup and protect yourself from .

1- Press Windows button + R keys.
2- A run windows should appear. In it type ‘sysdm.cpl’ and then click on Run.
3- A System Properties windows should appear. In it choose System Protection.
5- Click on Turn on system protection and select the size on the hard disk you want to utilize for system protection.
6- Click on Ok and you should see an indication in Protection settings that the protection from is on.
Restoring a file via Windows Defense feature:
1-Right-click on the encrypted file, then choose Properties.
2-Click on the Previous Versions tab and then mark the last version of the file.
3-Click on Apply and Ok and the file encrypted by should be restored.

Can I Restore Files Encrypted by CryptoWall 4.0?

Cryptowall’s encryption is considered to be near-impossible to decrypt. However, the good news is that it may have several different variants which may use different decryption methods that are easier to decrypt. You can give it a try following this article:

Restore Files Encrypted by RSA Encryption

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share