{"id":18067,"date":"2015-11-05T12:55:35","date_gmt":"2015-11-05T19:55:35","guid":{"rendered":"https://www.webroot.com/blog/?p=18067"},"modified":"2018-01-30T11:56:52","modified_gmt":"2018-01-30T18:56:52","slug":"cryptowall-4-0-and-what-you-should-know","status":"publish","type":"post","link":"https://www.webroot.com/blog/2015\/11\/05\/cryptowall-4-0-and-what-you-should-know\/","title":{"rendered":"CRYPTOWALL 4.0 (updated)"},"content":{"rendered":"<p>We know that Cryptowall 3.0 has been hugely successful for the cybercriminals, netting them nearly <a href=\"http:\/\/cyberthreatalliance.org\/cryptowall-report.pdf\">$325\u00a0million<\/a> in its debut year. With over 800 command and control URLs and over 400,000 attempted infections, it is easily the most prolific threat of 2015.<\/p>\n<p><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/cryptowall-3-infection.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-18085\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/cryptowall-3-infection.png\" alt=\"cryptowall 3 infection\" width=\"639\" height=\"333\" \/><\/a><\/p>\n<p>Here it is, what we&#8217;ve all been waiting for &#8211; the newest edition of Cryptowall. This ransomware comes out with new revisions almost as often as Apple does with iPhones. 
The bad news is that both will set you back $700.<\/p>\n<div class=\"et_pb_slider et_pb_slider_fullwidth_off et_pb_gallery_post_type\">\n\t\t\t\t<div class=\"et_pb_slides\">\n\t\t\t\t\t<div class=\"et_pb_slide\" style=\"background: url(https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/top-of-page.png);\"><\/div><div class=\"et_pb_slide\" style=\"background: url(https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/image3.png);\"><\/div><div class=\"et_pb_slide\" style=\"background: url(https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/image1.png);\"><\/div><div class=\"et_pb_slide\" style=\"background: url(https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/cryptowall4_phishing.png);\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n<p>The slides above show the locally saved HTML ransom note that the malware opens for you. If you don&#8217;t notice that, you&#8217;ll definitely notice that all your files have been encrypted. New in this version, the entire file name is randomized, so you no longer know which file is which. This is meant to create confusion about the extent of the damage and increase the chance that you&#8217;ll pay. As you can see from the first image, they congratulate you and welcome you to the CryptoWall community &#8211; <em>how nice<\/em>. The rest of the instructions are pretty standard: how to install the Tor Browser, then connect to their payment site over Tor to pay them and get your files back. 
Notice the additional information at the bottom:<\/p>\n<p><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/image2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-18071\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/image2.png\" alt=\"image2\" width=\"1168\" height=\"385\" \/><\/a><\/p>\n<p>These guys actually claim that CryptoWall is NOT malicious and not intended to harm your data: &#8220;Together we make the Internet a better and safer place&#8221; &#8211; who are they fooling? Either way, this text is new and was not seen on previous variants.<\/p>\n<p>On to the payment website, where we can see they immediately want $700. It wasn&#8217;t even a year ago that the default payment was $300&#8230;<\/p>\n<p><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/payment.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-18075\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/11\/payment.png\" alt=\"payment\" width=\"711\" height=\"983\" \/><\/a><\/p>\n<p>There are some new features, like a free decrypt, which we first saw in <a href=\"https://www.webroot.com/blog/2014\/11\/14\/coinvault\/\">CoinVault<\/a> a while back. 
It has obviously helped convince victims that the decryption routine works and that paying the ransom will genuinely get their files back.<\/p>\n<p>We&#8217;re currently reversing the sample and will have a more in-depth writeup of its infiltration, payload obfuscation, injection, and file encryption next week.<\/p>\n<p>MD5 analyzed: E73806E3F41F61E7C7A364625CD58F65<\/p>\n<p>Additional MD5s seen:<\/p>\n<p>63358929C0628C869627223E910A21BF<br \/>\n5C88FCF39881B9B49DBD4BD3411E1CCF<br \/>\n32ACFA356104A9CE2403798851512654<br \/>\nCE38545D82858C7A7414B4BD660364A9<br \/>\n5384F752E3A2B59FAD9D0F143CE0215A<br \/>\nCF6D69E47B81FA744052DA33917D40F3<br \/>\n53C82D574E054F02B3163271262E0E74<br \/>\nA891CED376809CF05EFE4BB02EB2CBF3<\/p>\n<p>Webroot will catch this specific variant in real time before any encryption takes place. We\u2019re always on the lookout for more, but in case a new zero-day variant gets through, remember that with encrypting ransomware the best protection is a good backup. Cloud storage or offline external storage both work, as long as the copy is not reachable as a writable drive from the infected machine: anything the ransomware can write to, it will encrypt along with everything else. Keeping the backup up to date is key so you don&#8217;t lose productivity when you restore. Webroot has backup features built into our consumer product that keep directories constantly synced to the cloud. If you were infected by a zero-day variant of encrypting ransomware you could simply restore your files, since we keep a snapshot history of up to ten previous copies of each file. 
Please see our <a href=\"https:\/\/community.webroot.com\/t5\/Webroot-Education\/Best-practices-for-securing-your-environment-against\/ta-p\/191172\">community post<\/a> on best practices for securing your environment against encrypting ransomware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We know that Cryptowall 3.0 has been hugely successful for the cybercriminals netting them nearly $325\u00a0million in its debut year. With over 800 command and control URLs and over 400,000 attempted infections it is easily the most prolific threat of 2015. &nbsp; Here it is, what we&#8217;ve all been waiting for &#8211; the newest edition [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":16821,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4037,19153,19151,5595,13825,3985,5443,5435,3619,3483,3715,4211,19149,18245,3937,8015,3471,4161,3525,4369],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/18067"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=18067"}],"version-history":[{"count":15,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/18067\/revisions"}],"predecessor-version":[{"id":18111,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/18067\/revisions\/18111"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/16821"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=18067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=1
8067"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=18067"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=18067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
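The post above lists MD5 hashes for the analyzed CryptoWall 4.0 sample and for additional samples seen in the wild. As an added example (not code from the original post or from Webroot), here is a small Python sweep that hashes every file under a directory and reports any file whose MD5 matches one of those hashes. The directory layout, file names and file contents in `demo()` are constructed fixtures; because the planted stand-in file is made up, its MD5 is added to the IOC set at runtime so the matching path can be exercised offline.

```python
"""Hash sweep against the CryptoWall 4.0 MD5s listed in the post.

Added example, not code from the original post or from Webroot.
"""
import hashlib
import os
import tempfile

# The MD5s quoted in the post (first entry is the sample analyzed). The
# post's own list repeats one hash; the set keeps a single copy.
CRYPTOWALL4_MD5S = frozenset(h.lower() for h in (
    "E73806E3F41F61E7C7A364625CD58F65",
    "63358929C0628C869627223E910A21BF",
    "5C88FCF39881B9B49DBD4BD3411E1CCF",
    "32ACFA356104A9CE2403798851512654",
    "CE38545D82858C7A7414B4BD660364A9",
    "5384F752E3A2B59FAD9D0F143CE0215A",
    "CF6D69E47B81FA744052DA33917D40F3",
    "53C82D574E054F02B3163271262E0E74",
    "A891CED376809CF05EFE4BB02EB2CBF3",
    "5384F752E3A2B59FAD9D0F143CE0215A",
))


def md5_file(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large files need not fit in RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=CRYPTOWALL4_MD5S):
    """Walk `root`; return {path: md5} for every file whose MD5 is in `iocs`.

    Unreadable files (locked, permission denied, removed mid-walk) are
    skipped rather than aborting the whole sweep.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def demo():
    """Constructed fixture: two benign files plus a planted stand-in dropper.

    The stand-in's bytes are invented, so its MD5 is added to the IOC set at
    runtime purely to exercise the matching path. Real use passes
    CRYPTOWALL4_MD5S as-is against a real filesystem.
    """
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("notes.txt", b"quarterly numbers"),
                           ("photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        downloads = os.path.join(root, "Downloads")
        os.mkdir(downloads)
        planted = os.path.join(downloads, "invoice.exe")
        with open(planted, "wb") as fh:
            fh.write(b"MZ constructed stand-in for a CryptoWall dropper")
        iocs = CRYPTOWALL4_MD5S | {md5_file(planted)}
        hits = sweep(root, iocs)
        # Report paths relative to the sweep root, with forward slashes, so
        # the result does not depend on where the temp directory landed.
        return {os.path.relpath(path, root).replace(os.sep, "/"): digest
                for path, digest in hits.items()}


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"HIT {digest}  {path}")
```

Hash IOCs are brittle: any repack or rebuild of the dropper changes its MD5, so a sweep like this can confirm that one of these exact binaries is present but cannot show that CryptoWall is absent. Treat a hit as grounds to isolate the host and restore from a backup that the infected machine could not write to.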