Ransomware CryptoWall 4.0 Is Making the Rounds on the Internet - Experts


Darkreading.com reported on 5th November, 2015, quoting researchers of security firms Heimdal Security and BitDefender, as saying "A sweet-talking and silent new version of the CryptoWall ransomware, known as CryptoWall 4.0, is in the wild".

The previous version, CryptoWall 3.0, came out only in January, and the Cyber Threat Alliance released figures last week revealing that it has already extracted $325 million from tens of thousands of victims throughout the world. CryptoWall 4.0 aims to better that performance.

Bitdefender says that the most significant change in the latest version of CryptoWall is that the threat encrypts not only the content of files but also their names, making it almost impossible for victims to recognize them.

The updated ransom note is another interesting change in CryptoWall 4.0. The note contains new mocking language congratulating the victim on being part of the CryptoWall community, and the attackers have also given themselves a hashtag, #CryptowallProject. Bitdefender speculates that victims may use the hashtag to commiserate on social media and that, if there is any volume of such posts, it may lead victims to pay the ransom more quickly.

Security researchers at Heimdal Security also identified some enormous improvements, highlighting that antivirus detection rates for the ransomware are presently very low.

CryptoWall 4.0 still includes advanced malware dropper mechanisms to avoid antivirus detection, but this new variant has much-improved communication capabilities. It includes a modified protocol which enables CryptoWall 4.0 to avoid being detected even by 2nd generation enterprise firewall solutions. Heimdal Security blogged that this reduces detection rates considerably compared to the already successful CryptoWall 3.0 attacks.

Softpedia.com reported on 5th November, 2015, quoting Nathan Scott, an independent researcher, as saying "the same RC4 encryption for C&C communications and the same ransom payment domains and the same algorithm for generating unique MD5 hashes for identifying victims".

Scott added that the attackers send the private key to most victims who decide to pay the ransom to restore their data, which is not always the case with every ransomware operation.

Experts concluded that the only way to recover your data is to keep a complete backup.

» SPAMfighter News - 11/16/2015
