
Why CryptoWall 4.0 Ransomware Update Makes It More Difficult to Recover Encrypted Data

Posted: November 6, 2015

Ransomware has undoubtedly been a major thorn in the side of victimized computer users, who have had their personal and system files encrypted and have then had to pay a hefty fee to get them decrypted. Among recent ransomware, some stand out above others, such as CryptoWall, which has recently received an update that gives it the ability to encrypt file names in addition to the files themselves.

What is being dubbed CryptoWall 4.0 Ransomware is a newer variation of CryptoWall that is more powerful than before and has a means of encrypting file names permanently.

CryptoWall 4.0 Ransomware was discovered by BleepingComputer.com's editor, Lawrence Abrams, who reported details on how it is a threat more powerful than anything seen before among crypto-type ransomware. According to Abrams, CryptoWall 4.0 Ransomware not only encrypts files, it can now encrypt their names, too.

With CryptoWall 4.0, the ransomware now encrypts each file and then renames it to something like "94331on4a.42a8", a series of random characters with nothing identifiable left in the name. Because the names of already-encrypted files are themselves encrypted, computer users have no way to tell which file is which, let alone how to decrypt or restore them.

CryptoWall 4.0 continues to be distributed through zipped spam email attachments. The file inside the archive is presented as a resume but is in fact a JavaScript file; when executed, it downloads an executable and saves it in the Temp folder. The CryptoWall 4.0 processes then communicate with Command & Control servers and create a unique victim identifier from the MD5 hash of the infected computer's name, OS version, processor information, and volume serial number. Much like previous iterations of CryptoWall, version 4.0 injects itself into Explorer.exe and disables System Restore as well as Windows Startup Repair. In short, any mechanism that might interrupt CryptoWall 4.0's activity is shut down so it can carry on encrypting files.
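As an added example (not code from the article, nor from any product it mentions), here is a small Python check of the kind a mail gateway or a triage script could run on a zipped attachment before it reaches a user: it lists every archive member that is a Windows script or executable, descending into nested zips. The article names only the JavaScript "resume"; the wider extension list, the nesting limit and the constructed sample archives are assumptions made for this example.

```python
import io
import zipfile

# Script and executable extensions that should not arrive inside an emailed
# archive. The article names only the .js "resume"; the rest of this list is
# an assumption drawn from common Windows script and executable types.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1"}

MAX_DEPTH = 3  # assumed policy: archives nested deeper than this are flagged, not opened


def _suffixes(member_name: str):
    """All extension suffixes of a member, last one last:
    'docs/resume.pdf.js' -> ['.pdf', '.js'] (double extensions are a common lure)."""
    base = member_name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def find_script_attachments(zip_bytes: bytes, depth: int = 0, prefix: str = ""):
    """Return a sorted list of member paths that are scripts or executables.
    Nested archives are opened up to MAX_DEPTH; entries read 'outer.zip/member'."""
    flagged = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # A corrupt or disguised archive is itself worth a look.
        return [prefix + "<unreadable archive>"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            full = prefix + info.filename
            suffixes = _suffixes(info.filename)
            if not suffixes:
                continue
            if suffixes[-1] in SCRIPT_EXTENSIONS:
                flagged.append(full)
            elif suffixes[-1] == ".zip":
                if depth >= MAX_DEPTH:
                    flagged.append(full + " (nested too deep)")
                else:
                    flagged.extend(find_script_attachments(
                        archive.read(info), depth + 1, full + "/"))
    return sorted(flagged)


def is_blocked(zip_bytes: bytes) -> bool:
    """Gateway decision: block the attachment if anything was flagged."""
    return bool(find_script_attachments(zip_bytes))


def build_sample_attachment(include_script: bool = True) -> bytes:
    """Constructed stand-in for the zipped 'resume' attachment described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if include_script:
            z.writestr("resume.pdf.js", "// constructed placeholder, not malware\n")
        z.writestr("cover_letter.txt", "Dear hiring manager, ...\n")
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Constructed zip-in-a-zip, a layering sometimes used to evade simple filters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("resume.zip", build_sample_attachment())
    return buf.getvalue()


if __name__ == "__main__":
    print(find_script_attachments(build_sample_attachment()))   # ['resume.pdf.js']
    print(find_script_attachments(build_nested_sample()))       # ['resume.zip/resume.pdf.js']
```

The check deliberately looks at the last suffix only, so a lure such as `resume.pdf.js` is judged by what Windows will actually execute, not by the decoy extension in the middle of the name.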

Other notable changes in the 4.0 update include a redesigned HTML ransom note, now named help_your_files.html. These changes not only further frustrate computer users and some computer security researchers, but often leave them no choice but to treat the encrypted file or files as a complete loss. The decrypt service for CryptoWall 4.0 mostly remains the same, the obvious difference being that file names are now encrypted as well.
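As an added example (not from the article), the following Python script checks a directory tree for the on-disk traces described in the preceding paragraphs: the renamed-file pattern, the help_your_files.html ransom note, and file contents whose byte entropy is close to that of ciphertext. The name heuristic is an assumption generalised from the single sample name on the page ("94331on4a.42a8"), the entropy cutoff is an assumed value, and the sample tree the script builds is constructed for the demonstration.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Ransom note file name reported for CryptoWall 4.0 in the article.
RANSOM_NOTE_NAMES = {"help_your_files.html"}

# Heuristic (an assumption generalised from the sample name "94331on4a.42a8"):
# a lowercase alphanumeric base and extension that BOTH contain at least one
# digit. Ordinary names such as report.docx never match because their
# extension has no digits; underscores or uppercase letters also rule a name out.
_RANDOM_NAME = re.compile(
    r"^(?=[a-z0-9]*\d[a-z0-9]*\.)[a-z0-9]{6,16}\.(?=[a-z0-9]*\d)[a-z0-9]{3,6}$")

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff for "looks encrypted"
MIN_SIZE = 1024          # skip tiny files, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random_name(filename: str) -> bool:
    return bool(_RANDOM_NAME.match(filename))


def scan_tree(root: str) -> dict:
    """Walk `root` and collect three indicators, each as a sorted list of relative paths."""
    report = {"ransom_notes": [], "random_names": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in RANSOM_NOTE_NAMES:
                report["ransom_notes"].append(rel)
            if looks_random_name(name):
                report["random_names"].append(rel)
            try:
                if os.path.getsize(path) >= MIN_SIZE:
                    with open(path, "rb") as fh:
                        if shannon_entropy(fh.read()) >= ENTROPY_THRESHOLD:
                            report["high_entropy"].append(rel)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    for key in report:
        report[key].sort()
    return report


def build_sample_tree() -> str:
    """Create a constructed directory that mimics a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="cw4_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Constructed "encrypted" file: every byte value equally often -> exactly 8.0 bits/byte.
    with open(os.path.join(docs, "94331on4a.42a8"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    # Ordinary text file: low entropy, conventional name.
    with open(os.path.join(docs, "report.txt"), "wb") as fh:
        fh.write(b"Quarterly report, nothing encrypted here.\n" * 40)
    # Ransom note as named on the page, with constructed placeholder content.
    with open(os.path.join(docs, "help_your_files.html"), "w") as fh:
        fh.write("<html><body>constructed placeholder note</body></html>")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

A file that trips both the name heuristic and the entropy check is a far stronger signal than either alone, since compressed archives and images also have high entropy but keep their conventional names.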

CryptoWall 4.0 uses several Decrypt Service sites, much like its predecessors. From these sites, victims can make a payment to obtain a decryption key and open so-called support requests. The full list of URLs used by CryptoWall's Decrypt Service is as follows:

  • 3wzn5p2yiumh7akj.partnersinvestpayto.com
  • 3wzn5p2yiumh7akj.marketcryptopartners.com
  • 3wzn5p2yiumh7akj.forkinvestpay.com
  • 3wzn5p2yiumh7akj.effectwaytopay.com
  • 3wzn5p2yiumh7akj.onion (accessible using TOR only)

Looking at CryptoWall 4.0's behavior, the notification messages it displays read with a sense of entitlement, if not outright arrogance; we have copied examples below:

  • Cannot you find the files you need?
  • It is normal because the files' names, as well as the data in your files have been encrypted.
  • Congratulations!!!
  • You have become a part of large community CryptoWall.
  • Is the content of the files that you have watched not readable?
  • CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection.
  • Together we make the Internet a better and safer place.

While computer users are still able to utilize CryptoWall's decrypt services for a certain price, there is no other way to recover or decrypt the files apart from restoring your computer from a previous backup. It is a case of either paying the fee for decryption or restoring your computer.

There have been major strides in efforts to combat the perpetrators behind recent ransomware threats. Even so, updated variants of ransomware like CryptoWall keep appearing that are far more sophisticated and end up extorting unprecedented amounts of money from victims around the world. Detection and removal of CryptoWall and its updated variant is still available from few antimalware products. Nevertheless, the emergence of such threats adds to the difficulty of stopping them before they propagate. If you or anyone you know has a system infected with CryptoWall 4.0, let them know that removing the threat promptly is of the utmost importance, unless they have the resources and time to restore their ransomware-infected computer from a viable backup.

One Comment

  • Michael Bos says:

    Thank you for answering about the crooks messing with our lives. I feel cheated again in life; may they burn in their own lives for hurting God's people.
