Cryptowall 4.0: Update makes world's worst ransomware worse still

Now you won't even know what files are encrypted

The fourth iteration of the world's worst ransomware Cryptowall has surfaced with gnarlier encryption tactics and better evasion tricks that have fooled current antivirus platforms.

Ransomware has ripped through scores of businesses and end-user machines in sporadic and targeted attacks that have cost victims millions of dollars in ransom payments made to criminals who have illegally encrypted valuable files.

The worst offenders remain at large, including a single group who may be behind Cryptowall 3.0 and have made some US$325 million this year, according to the Cyber Threat Alliance. That dwarfs the FBI's June figures, which noted it extorted some US$18 million from US victims alone in about a year.

Andra Zaharia of Denmark-based Heimdal Security says Cryptowall 4.0 is employing "vastly improved" communications and better code, so it can exploit more vulnerabilities.

"Cryptowall 4.0 still includes advanced malware dropper mechanisms to avoid antivirus detection, but this new version possesses vastly improved communication capabilities," Zaharia says.

"It includes a modified protocol that enables it to avoid being detected, even by second generation enterprise firewall solutions.

"This lowers detection rates significantly compared to the already successful Cryptowall 3.0 attacks."

For example, the nasty-ware now alters filenames as well as file contents, so it's harder for victims to work out what's been encrypted.

Ransom payments in the latest version are badged as a price tag for security software.

Net scum are still communicating with Cryptowall 4.0 over Tor and using hacked web pages to deliver payloads that include botnet componentry to assist further malware delivery.

Actors have tried various tactics to get ransomware on machines and thwart backup efforts.

One of the most unusual was a variant that silently encrypted and decrypted databases on the fly in a bid to avoid detection. That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key.

Another, revealed last week, threatened that user data would be published online if a ransom was not paid. There is no indication the Chimera ransomware lived up to that capability, according to analysis.

It follows the death of the Coinvault and Bitcryptor ransomware, which Kaspersky confirmed after the arrest of the alleged authors and release of all 14,000 decryption keys. ®