A new version of CryptoWall arrived in the beginning of November. Some researchers immediately dubbed it CryptoWall 4.0, while others were more precautious and referred to it as to a ‘point release’. A couple of weeks later, all doubts evaporated. Security researchers have just confirmed that it is indeed CryptoWall 4.0. They have also unveiled that 4.0 is currently being distributed via the infamous Nuclear Exploit Kit.
Learn More about Exploit Kits:
Exploit Kit Attacks in 2015
Moreover, many AV engineers believe that CryptoWall 5.0 and 6.0 are currently being written. Ransomware is now seen not only as a highly damaging form of cybercrime but also as a form of a very successful software company. Or perhaps a malware enterprise?
New Information about CryptoWall 4.0
Earlier this week the SANS Internet Storm Center informed that an individual or a group of individuals is using domains that belong to the Chinese registrar BizCN to spread CryptoWall’s latest via the Nuclear EK. According to the security engineer Brad Duncan the ransomware’s 4th edition was initially spread via malicious spam and phishing emails. It is now the first time that CryptoWall 4.0’s distribution relies on an exploit kit.
Learn More more about CryptoWall 4.0:
CryptoWall 4.0’s technical description and removal
In a conversation with Threatpost, Brad Duncan says that:
“I’ve always expected 4.0 to spread and replace CryptoWall 3.0 in all areas. I noticed the same thing when CryptoWall 2.0 replaced the original CryptoWall in 2014. It didn’t happen immediately. It started with malicious spam and moved to exploit kits. As criminals start delivering CryptoWall 4.0 through exploit kits, it won’t immediately happen with all exploit kits at the same time. You’ll start seeing it from one actor, then another, and another. At some point everyone will have moved to the new version.”
The researcher has also discovered that the attack, launched from the BizCN domains, has recently switched the IP addresses for the gate domains. These domains serve as intermediary servers between the compromised websites and the server hosting the EK. The malicious actor behind the curtains of the operations is currently using the Nuclear Exploit Kit.
This is what Mr. Duncan says about the operation:
“Gate servers can check for operating system or browser type from the user agent string in the HTTP headers sent by a potential victim. Depending on the user agent string, the Gate server will respond accordingly. With the BizCN gates, when the OS is not Windows, the gate server will respond with a ‘404 not found’ (no need to waste resources on a host that’s not vulnerable). If the user agent string shows a Windows host, the gate server will return a 200 OK, which will then generate traffic to an EK server.”
For more information, you can refer to the detailed CryptoWall 4.0 analysis published by the SANS ISC.
CryptoWall 4.0 – What Should I Keep In Mind?
The updated version of CryptoWall has been observed to encrypt the names of the victim’s files – a procedure that will certainly confuse victims even more. Another peculiar thing about CryptoWall 4.0 is that its authors have now adopted a sense of humor. Yes, you read correctly. The updated CryptoWall 4.0’s message goes like that, making fun of users in quite the obvious manner:
‘Congratulations! You have now become a part of large community CryptoWall!’
Overall, the network traffic observed by Duncan looks almost identical to CryptoWall 3.0, with the only difference that an IP address check is not applied. He also adds that the snort-based signatures he has seen for CryptoWall 3.0 callback traffic are still valid for 4.0.
How Can I Remove CryptoWall 4.0 and Stay Protected?
Removing CryptoWall 4.0 is the easy part, as its encryption may be impossible to beat. However, we have still compiled a removal method followed by a decryption process.
Can I Restore Files Encrypted by CryptoWall 4.0?
Cryptowall’s encryption is considered to be near-impossible to decrypt. However, the good news is that it may have several different variants which may use different decryption methods that are easier to decrypt. You can give it a try following this article:
Restore Files Encrypted by RSA Encryption