Cryptowall 3.0 uses Tor and its little sister I2P to carry chatter between victims and controllers, keeping it away from researchers and law enforcement, French anti-malware crusaders say.
"It seems communication with the C&C (command and control) are Rc4 encoded -- the key seems to be alpha-numerical sorted path of the POST -- and using I2P protocol," Kafeine wrote in his analysis.
"So they are sadly back and we can expect a lot of them in [developing] exploit kits, spam, and botnets."
The ransomware spiked in October, infecting 4000 machines. That is far fewer than the 625,000 victims of the preceding, established Cryptowall variant over the five-month period to August.
Cryptowall 3.0 (or Crowti) infections were big in Australia (chart: Microsoft, October 2014).
Cryptowall developers are thought not to have released a new binary in the ensuing two months.
The malware demanded victims pay US$500 in Bitcoins to have their encrypted files unlocked, with the traffic bounced through Tor and onto the I2P network, according to Kafeine.
The anonymity networks are a favourite of criminals as a means to covertly send instructions and stolen data. Tor is used more commonly than I2P, likely because of its larger size, but some malware strains have been detected using the latter.
The most notable use of I2P for criminal enterprises was the re-emerged Silk Road Reloaded which rose from the ashes of the original drug marketplace that operated on a Tor hidden service before it was splattered by law enforcement.
It is yet to be seen if the new website is legitimate and can withstand technical and gumshoe law enforcement infiltration attempts.
Users should ensure their important data is backed up, as decryption without payment has often relied on capitalising on increasingly rare encryption implementation errors. ®