The CryptoWall ransomware has been an enormous threat to network administrators and PC users ever since it was first released, because it encrypts local data as well as data found on network shares. The new version, CryptoWall 2.0, has been improved in ways that make it even more difficult for the user to recover the encrypted files without paying the ransom.
CryptoWall 2.0 – What’s New?
The cyber criminals use their own TOR gateways in the newest CryptoWall version. Each victim is sent an individual wallet ID instead of the previously used hard-coded links that were the same for nearly all victims. Also, the original unencrypted files are now securely deleted.
Own TOR Gateways
The ransom payment servers of CryptoWall are located on TOR, which allows the ransomware creators to stay hidden from the authorities. To connect to the server, the user needs to access the TOR network, and most users find it rather difficult to install TOR in the first place. That is why CryptoWall used a Web-to-TOR gateway, which allowed the ransomware victims to reach the payment server easily. As the providers of these gateways realized what was happening, they started to blacklist the ransomware’s payment servers so that the gateways could not be used for malicious purposes. The new version of CryptoWall now has its own payment servers – pay2tor.com, tor4pay.com and pay4tor.com.
A Unique Wallet ID for Each Victim
Users who choose to pay the ransom are provided with a wallet ID that is unique to each victim. Initially this was not the case, which allowed people to steal other users’ payment transactions and pass them off as their own ransom payments. With a unique payment address for each victim, this is no longer possible.
The Original Unencrypted Files Are Being Securely Deleted
This is another new feature of CryptoWall 2.0. In the previous version, the ransomware would encrypt the victim’s data files and then simply delete the originals, which made it possible for data recovery tools to restore the encrypted information. This method can no longer be applied, as CryptoWall 2.0 securely deletes the victim’s original files. This leaves the compromised user with only two options: restore the files from backups or pay the required sum.
CryptoWall 2.0 Distributed Through the RIG Exploit Kit
Security experts have recently observed hackers exploiting vulnerable WordPress sites in order to redirect computer users to servers hosting the RIG Exploit Kit. The kit abuses a large number of vulnerabilities in unpatched Flash, Java and many other applications in order to drop the new version of the CryptoWall ransomware. According to Dynamoo’s Blog, the spammers behind this campaign are the same ones that distributed the recent eFax spam message, but this time they are delivering CryptoWall 2.0 instead. The same blog also reveals the following:
- hxxp://18.104.22.168:8080 is the server hosting the RIG Exploit Kit.
- hxxp://22.214.171.124:8080/ord/rot.php is the exploit redirector.
- hxxp://126.96.36.199:8080/ord/ef.html is the spam reported by the blog.
The compromised WordPress links are known to contain this code:
var OSName="Unknown OS";
if (navigator.appVersion.indexOf("Win")!=-1) OSName="Windows";
if (navigator.appVersion.indexOf("Mac")!=-1) OSName="MacOS";
if (navigator.appVersion.indexOf("X11")!=-1) OSName="UNIX";
if (navigator.appVersion.indexOf("Linux")!=-1) OSName="Linux";
var1=112; var2=var1;
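An added example, not code from the original article or from Dynamoo’s Blog, that turns the indicators listed above and the injected WordPress script into two defender-side checks: a pass over proxy-log lines for the RIG host, redirector and spam paths the blog reported, and a whitespace-tolerant signature match for the OS-fingerprinting snippet in fetched page HTML. The Squid-style log format, the sample log lines and the sample HTML are constructed for illustration.

```python
import re

# Indicators as quoted on the page (defanged "hxxp://" prefix dropped so they
# match the real URLs as they appear in a proxy log).
RIG_INDICATORS = {
    "18.104.22.168:8080": "RIG Exploit Kit host",
    "22.214.171.124:8080/ord/rot.php": "RIG exploit redirector",
    "126.96.36.199:8080/ord/ef.html": "spam landing page",
}

# Signature of the script injected into compromised WordPress pages: the
# opening OSName assignment and the trailing var1/var2 pair, with anything
# (the indexOf checks) in between. Whitespace-tolerant so minor reformatting
# of the snippet does not evade the match.
INJECTED_JS_RE = re.compile(
    r'var\s+OSName\s*=\s*["\']Unknown OS["\']\s*;'
    r'.*?var1\s*=\s*112\s*;\s*var2\s*=\s*var1\s*;',
    re.DOTALL,
)

# Constructed proxy-log lines: one benign request, one hit on the redirector
# and one hit on the exploit-kit host.
SAMPLE_LOG = """\
1414000001.123 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/blog/ - DIRECT/93.184.216.34 text/html
1414000002.456 10.0.0.5 TCP_MISS/302 310 GET http://22.214.171.124:8080/ord/rot.php - DIRECT/22.214.171.124 text/html
1414000003.789 10.0.0.5 TCP_MISS/200 20480 GET http://18.104.22.168:8080/ - DIRECT/18.104.22.168 application/x-shockwave-flash
"""

# Constructed HTML: a page carrying the injected snippet, and a clean one.
INJECTED_HTML = """<html><body><script>
var OSName="Unknown OS";
if (navigator.appVersion.indexOf("Win")!=-1) OSName="Windows"; var1=112; var2=var1;
</script></body></html>"""
CLEAN_HTML = "<html><body><script>var x=1;</script></body></html>"


def scan_proxy_log(lines):
    """Return (line_no, indicator, label) for every line referencing a known indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for indicator, label in RIG_INDICATORS.items():
            if indicator in line:
                hits.append((n, indicator, label))
    return hits


def page_is_injected(html):
    """True if the fetched page contains the injected OS-fingerprinting snippet."""
    return INJECTED_JS_RE.search(html) is not None


if __name__ == "__main__":
    for n, indicator, label in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {label} ({indicator})")
    print("injected:", page_is_injected(INJECTED_HTML), page_is_injected(CLEAN_HTML))
```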
How to Remove CryptoWall 2.0 and Restore the Encrypted Files
Stage One: Remove CryptoWall 2.0
1. First and most important – download and install a legitimate and trustworthy anti-malware scanner, run a full system scan and eliminate all threats found.
The SpyHunter system scanner will only detect the threat. If you want the threat to be removed automatically, you need to purchase the full version of the tool.
2. Run a second scan to make sure that no malicious programs are still running on your PC. For that purpose, it’s recommended to download ESET Online Scanner.
Your PC should be clean now.
Stage Two: Restore the Encrypted Files
Option 1: Best case scenario – You have backed up your data on a regular basis, and now you can use the most recent backup to restore your files.
Option 2: Try to decrypt your files with the help of Kaspersky’s RectorDecryptor.exe and RakhniDecryptor.exe. They might help you in the process, but keep in mind that they were not specifically designed to decrypt information that was encrypted by this particular ransomware.
Option 3: Shadow Volume Copies
1. Install Shadow Explorer, which works with Windows Vista, Windows 7, Windows 8 and Windows XP Service Pack 2.
2. From Shadow Explorer’s drop down menu choose a drive and the latest date you would like to restore information from.
3. Right-click an encrypted file or folder and select “Export”. Choose a location to restore the content of the selected file or folder to.