A new and improved variant of the CryptoWall ransomware has been infecting computers worldwide in the past few days. O novo CryptoWall 3.0 uses a localized ransom message and passes traffic to a website where the victims can pay for the decryption key needed to unlock their files through Tor and I2P anonymous networks.
CryptoWall is a file-encrypting type of threat, which once activated on the infected machine encrypts certain files on it and demands a fine of $500 in order to provide the victim with the decryption key. The ransom is to be paid in Bitcoin digital currency in the first 168 horas.
|Pequena descrição||The user’s files are encrypted and unusable.|
|Os sintomas||A ransom note is displayed to the victim.|
|distribuição Método||Via malicious attachments.|
|Ferramenta de detecção||
See If Your System Has Been Affected by CryptoWall 3.0
Remoção de Malware Ferramenta
|Experiência de usuário||Participe do nosso fórum para discuss CryptoWall 3.0.|
The New Features of CryptoWall 3.0
New Tor to Web gateways are used by the new version of CryptoWall: torman2.com, torforall.com, torroadsters.com, and torwoman.com. Either one of them redirects the victim to the same web page containing the payment instructions, but the IDs for tracking the payments are unique.
The payment period is extended from five days to a whole week, after which the fee is raised to $1000.
The crooks have created additional files containing information about the payment and the restoring of the encrypted data:
- HELP_DECRYPT.HTML: uses your web browser to display information about the threat, encryption and payment methods
- HELP_DECRYPT.PNG: contains details about CryptoWall 3.0
- HELP_DECRYPT.TXT: the same as the previous one, but in plain text
- HELP_DECRYPT.URL: uses your current web browser to display the CryptoWall 3.0 Decrypt Service when Windows is loaded
O que aconteceu com seus arquivos?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
Mais informações sobre as chaves de criptografia usando RSA-2048 pode ser encontrada aqui: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
O que isto significa?
Isto significa que a estrutura e os dados dentro de seus arquivos foram irrevogavelmente mudou, você não será capaz de trabalhar com eles, lê-los ou vê-los, é a mesma coisa que perdê-los para sempre, mas com a nossa ajuda, você pode restaurá-los.
Como isso aconteceu?
Especialmente para você, on our server was generated the secret key pair RSA-2048 – público e privado.
Todos os seus arquivos foram criptografados com a chave pública, que foi transferido para o seu computador através da Internet.
Descriptografia de seus arquivos só é possível com a ajuda da chave privada e programa de descriptografar, que é em nosso servidor secreto.
O que eu faço?
ai, se você não tomar as medidas necessárias para o tempo especificado, em seguida, as condições para obter a chave privada será alterado.
Se você realmente valoriza os seus dados, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
Once the file-encryption process is over, the original files are deleted. In case you do not have a backup of your files, you could use reliable software to restore them or part of them from the Windows shadow copies. Below you will find detailed instructions on how to do so.
Connection to I2P Fails
The new version of CryptoWall has been detected by security experts at Microsoft and the French researcher Kafeine, who has reported that the communication with the C&C (Comando e controle) server is encoded with the RC4 algorithm and uses the I2P protocol.
As Kafeine tried to test the sample of the new threat, he received an error message every time he attempted to connect to the proxies. The notification, the researcher received, stated that the I2P website was not available due to various reasons – inability to connect to systems or congested network. The hackers seemed to be ready for cases like this one, because they have provided detailed instructions on how to gain access to the decryption service on the Tor network.
Cryptowall 3.0 New Distribution Methods (setembro 4, 2015)
How is Cryptowall 3.0 dropped onto the system?
Cryptowall ransomware has been around long enough for researchers to gather detailed information about its methods. The ransomware is distributed primarily via emails with .ZIP attachments. The latter contain executable files masqueraded as PDFs. The files in question can be any form of business communication such as:
- Purchase orders (POs)
Once the malicious PDF is launched, CryptoWall will be installed onto the system. The malicious files will be located in one of the two folders %Dados do aplicativo% ou %temp%. Então, the threat will start scanning the system’s drivers to find files to encrypt. All drive letters will be scanned, removal drives, network shares and Dropbox mapping included. Any drive letter on the infected system will be checked for data files.
Here is a list of all the locations where CryptoWall 3.0 may be situated:
- %Dados do aplicativo%
- %Dados do Programa%
Can I Find the Files Encrypted by CryptoWall 3.0?
Files encrypted by CryptoWall 3.0 will be stored together with their paths in the Windows Registry. The subkey location is in the following format:
→HKCU\Software\[unique computer ID]\[random ID]
An actual example looks like that:
The process will be repeated for every encrypted file under the mentioned key.
ListCwall can be used as well. It is a tool created by Bleeping Computer to automate the finding and exporting of the encrypted files. The tool can also backup the locked files to another location, in case the user needs to archive them and reformat the PC.
Além disso, here is a list with file extensions which CryptoWall 3.0 seeks to encrypt:
→ .3dm, .3ds, .3fr, .mcmeta, .vfs0, .mpqge, .kdb, .DB0, .dba, .rofl, .hkx, .Barra, .UPK, .o, .iwi, .litemod, .de ativos, .forja, .ltx, .BSA, .apk, .RE4, .sav, .lbf, .SLM, .bik, .epk, .rgss3a, .em seguida, .grande, carteira, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .TXT, .P7C, .P7B, .p12, .pfx, .estab, .crt, .cer, .o, .X3F, .SRW, .PFE, .ptx, .r3d, .RW2, .RWL, .cru, .raf, .ORF, .NRW, .mrwref, .mef, .erf, .kdc, .dcr, .CR2, .CRW, .baía, .SR2, .SRF, .ganho dia, .3fr, .DNG, .3g2, .3gp, .3por, .7de, .AB4, .ACCDB, .sql, .mp4, .7de, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .fecho eclair, .eles, .soma, .iBank, .t13, .t12, .QDF, .gdb, .imposto, .pkpass, .bc6, .BC7, .PKP, .QIC, .bkf, .SIDN, .são, .mddata, .itl, .ITDB, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .caso, .SVG, .mapa, .OMM, .ITM, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .NCF, .cardápio, .traçado, .dmp, .gota, .esm, .vcf, .VTF, .dazip, .fpk, .MLX, .KF, .IWD, .vpk, .tor, .psk, .aro, .w3x, .FSH, .NTL, .arch00, .lvl, .SNX, .cf., .ff, .vpp_pc, .LRF, .m2, .JPE, .jpg, .cdr, .indd, .para, .eps, .pdf, .PDD, .psd, .dbf, .mdf, .WB2, .rtf, .wpd, .dxg, .xf, .dwg, .PST, .ACCDB, .mdb, .pptm, .PPTX, .ppt, .XLK, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doutor, .odb, .episódio, .odm, .responder, .ods, .odt, .ACCDE, .accdr, .accdt, .mas, .acr, .Aja, .adb
User Behavior and Ransomware. Os golpes de phishing
What we described about the distribution methods so far can mean only one thing – the cyber criminals solely rely on the user’s interaction with malicious spam. The method is known as phishing – a form of social engineering often deployed to spread malware or collect user credentials. This is an exemplary email of how the scam may appear to users:
image Source: Symantec
Cryptowall Precautionary Tips
To bypass malicious infections, avoid downloading archive files such as .fecho eclair, .jarra, .leva, .7de, .msi, and executable/script files such as .com, .Exe, .scr, .bastão, .js, .jse, .vb, .vbe, .wsf, .wsh, .cmd. Always bear in mind that real companies would avoid sending such types of files, unless you had a previous arrangement set.
Além disso, you can use online website rating services such as Norton Safe Web to determine if a website is safe or unsafe to visit. With file-encrypting threats, the best precautionary advice is a very simple one. Back-up your files. Aways think of this, especially when your data is valuable and you keep a lot of business documents on your PC.
You can also check out the general precautionary tips we have on our forum about ransomware, which come full force for CryptoWall 3.0 também.
CryptoWall 3.0 can encrypt files on a network share in case it is mapped as a drive letter. If the network share is not mapped as such, CryptoWall 3.0 will not affect the files located there. To secure open shares, users can allow only writable access to the needed user groups or authorized users. The tip is quite important when it comes to threats such as CryptoWall.
Remover CryptoWall 3.0 e restaurar os arquivos criptografados
Follow the instructions provided below to remove all traces of this ransomware. Keep in mind that the best and most secure way to do that is by using a strong anti-malware program.