CryptoWall 4.0 is harder to protect against than its predecessor, CryptoWall 3.0, according to Heimdal Security. This is serious news, considering that CryptoWall 3.0 is estimated to have raked in $325 million from hundreds of thousands of victims by demanding ransom payments in bitcoin since it debuted less than a year ago.
Andra Zaharia, a security and marketing/communication specialist at Heimdal Security, offers an overview of why the new strain is a more dangerous threat and some pointers on how to avoid becoming a victim. Following is a summary of that overview from the Heimdal blog.
The CryptoWall code has been enhanced in several ways. It includes an advanced malware dropper mechanism to avoid antivirus detection. It has improved command-and-control communication, including a modified protocol that lets it evade detection even by second-generation firewalls. Together these changes lower detection rates significantly in comparison to CryptoWall 3.0.
The malware creators have additionally changed the ransom note text files that are dropped on infected systems. The files are now referred to as:
An example of where such a note is dropped is as follows:
C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.TXT
The condescending message includes an FAQ addressed to the victim.
CryptoWall 4.0 encrypts more than the data in the files; it also encrypts the file names. This confuses the victim further, since they can no longer tell which files were hit, and it increases the pressure to retrieve the data quickly. That raises the attackers' "success" ratio: the number of victims who pay the ransom relative to the number who see the message.
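The two on-disk traits described above, a ransom note named HELP_YOUR_FILES.TXT dropped beside the data and file names replaced by unreadable strings, are the sort of indicators a responder can check for before a sample is available to antivirus. The script below is an added example, not code from the Heimdal post: it flags a directory when the page's ransom-note name is present, or when most of the other file names look encrypted. The note name comes from the page; the encrypted-name pattern (alphanumeric stem and extension, high character entropy, no recognisable extension), the entropy threshold, the majority rule, and all sample file names are assumptions constructed for the example and are not real CryptoWall samples.

```python
"""Heuristic triage for CryptoWall-4.0-style directories (added example)."""
import math
import os
import re
import sys
from collections import Counter

# Ransom-note file name quoted on the page; matched case-insensitively.
RANSOM_NOTE_NAMES = {"help_your_files.txt"}

# Assumption: extensions a normal data file would carry. A name that still
# ends in one of these is not treated as an encrypted name.
COMMON_EXTENSIONS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "csv", "html",
    "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip", "exe", "dll", "ini",
}

# Assumption: a fully encrypted name is an alphanumeric stem of 8+ characters
# plus a short alphanumeric extension, e.g. "q8Zt4mLp2Xv9.k3fQ" (constructed).
ENCRYPTED_NAME_RE = re.compile(r"^[A-Za-z0-9]{8,}\.[A-Za-z0-9]{2,6}$")
MIN_STEM_ENTROPY = 3.0  # bits per character; assumption, tune per environment


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_ransom_note(name: str) -> bool:
    return name.lower() in RANSOM_NOTE_NAMES


def looks_encrypted_name(name: str) -> bool:
    """True when the name matches the assumed encrypted-name shape."""
    if not ENCRYPTED_NAME_RE.match(name):
        return False
    stem, ext = name.rsplit(".", 1)
    if ext.lower() in COMMON_EXTENSIONS:
        return False
    return shannon_entropy(stem) >= MIN_STEM_ENTROPY


def assess_names(names, min_files=4, suspect_ratio=0.5):
    """Classify one directory listing. Verdict is True when a ransom note is
    present, or when at least min_files other files exist and at least
    suspect_ratio of them look encrypted."""
    notes = [n for n in names if is_ransom_note(n)]
    rest = [n for n in names if not is_ransom_note(n)]
    suspect = [n for n in rest if looks_encrypted_name(n)]
    ratio = len(suspect) / len(rest) if rest else 0.0
    verdict = bool(notes) or (len(rest) >= min_files and ratio >= suspect_ratio)
    return {"total": len(names), "notes": notes, "suspect": suspect,
            "ratio": ratio, "verdict": verdict}


def scan_tree(root):
    """Walk a directory tree and return (path, assessment) for flagged dirs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        result = assess_names(files)
        if result["verdict"]:
            hits.append((dirpath, result))
    return hits


# Constructed sample listings (assumptions, not captured from real infections).
SAMPLE_INFECTED = ["HELP_YOUR_FILES.TXT", "q8Zt4mLp2Xv9.k3fQ",
                   "b7Hn3RwY5cKe.d2Ls", "Ux4pG9sM1vQa.hT7y", "report.docx"]
SAMPLE_RENAMED_ONLY = ["q8Zt4mLp2Xv9.k3fQ", "b7Hn3RwY5cKe.d2Ls",
                       "Ux4pG9sM1vQa.hT7y", "budget.xlsx"]
SAMPLE_CLEAN = ["report.docx", "holiday.jpg", "notes.txt",
                "budget_2015.xlsx", "setup.exe"]


if __name__ == "__main__":
    for label, names in (("infected", SAMPLE_INFECTED),
                         ("renamed-only", SAMPLE_RENAMED_ONLY),
                         ("clean", SAMPLE_CLEAN)):
        r = assess_names(names)
        print(f"{label}: verdict={r['verdict']} notes={r['notes']} "
              f"suspect={len(r['suspect'])}/{r['total']}")
    # Optional: python triage.py <directory> scans a real tree.
    for dirpath, r in scan_tree(sys.argv[1]) if len(sys.argv) > 1 else []:
        print(f"FLAGGED {dirpath}: notes={r['notes']} ratio={r['ratio']:.2f}")
```

The ransom-note check is the reliable indicator; the name-entropy heuristic exists because the page says the names themselves are encrypted, so a share drive full of random-looking names with no note yet is still worth a look. Expect false positives from directories of machine-generated names (build caches, hashed asset stores), which is why the verdict requires a majority of files and not a single match.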
Ransomware creators behave as if they run software firms. They enhance their code so that it exploits vulnerabilities more effectively, they track IT security market trends to keep the ransomware highly undetectable, and they use social and emotional triggers to increase their return on investment.
What has stayed the same is that CryptoWall 4.0 still directs victims to make their payments over Tor. Victims buy back their data by paying for a decryption key over a channel that does not undermine the attackers' anonymity.
CryptoWall 4.0 also connects to a sequence of compromised web pages to download its payload onto the target system. The pages connect the infected system to a botnet and use it to spread malware to more computers.
The infrastructure is unchanged from CryptoWall 3.0, yet antivirus detection for the new variant is very low.
CryptoWall 4.0 spreads by means of drive-by attacks and spam mail, its preferred main attack vectors because of their low cost.
Once data is encrypted, there is not much that can be done. Options include:
To prevent an infection, Heimdal recommends: