Less than a week after the publication of a thorough report by the Cyber Threat Alliance on the CryptoWall version 3 malware family, it appears that the actors behind the malware have updated the underlying code.
Beginning on October 30, 2015, Palo Alto Networks began seeing instances of this new version of CryptoWall, which some researchers have begun calling version 4. This new version of CryptoWall includes multiple updates, such as a more streamlined network communication channel, modified ransom message, and the encryption of filenames. These changes not only make it more difficult for the victim to identify what files have been encrypted, but also may thwart security protections currently in place for the CryptoWall threat.
CryptoWall is a type of malware known as ransomware, which encrypts a victim’s files and subsequently demands payment in exchange for the decryption key. The ransom payment is typically collected using a form of crypto-currency, such as Bitcoin. Ransomware has been responsible for many millions of dollars in damages, and CryptoWall is one of the most lucrative ransomware families in use today.
To date, Palo Alto Networks has identified 10 unique instances of CryptoWall version 4. In total, 57 attempted infections have been witnessed.
Figure 1 CryptoWall v4 attempted infections
The samples have reportedly originated from phishing emails; however, this has yet to be confirmed. The following two URLs have been witnessed delivering this new version of CryptoWall:
Both of the above IP addresses are located in Moscow, Russia, and are hosted by Eurobyte VPS hosting provider.
The CryptoWall authors have made multiple modifications to the malware in this version. Fortunately, the majority of the code base has remained consistent with version 3. As such, reverse engineers may use structures and decryption scripts that worked on previous samples. One of the more noticeable changes in the newest revision of CryptoWall is the updated ransom notification. As we can see below, it appears that the actors behind this threat have gotten a bit snarky with their verbiage.
Figure 2 New CryptoWall ransom message (HTML)
Readers might also notice a change in the color scheme, as the actors are now using a red, yellow, and grey combination. Previously, this color scheme used blue, green, and grey. It doesn’t appear as though this change has made its way to the PNG file provided to victims, which still has the same appearance as the previous CryptoWall version. Additionally, version information was removed from these messages, as previous notices specifically called the malware ‘CryptoWall 3.0’. This revision simply calls it ‘CryptoWall’.
Figure 3 New CryptoWall ransom message (PNG)
Another noticeable change is the fact that the malware will now encrypt not only the contents of targeted files, but the names of these files as well, as we can see in the screenshot below.
Figure 4 CryptoWall v4 encryption of filenames
Encryption of the filenames makes it much more difficult for victims to identify what files exactly were encrypted.
On the network communications side, the CryptoWall authors have streamlined the process a bit to minimize the number of HTTP requests made. Network encryption appears to remain consistent with previous versions, using RC4 with a key provided in the GET request (note that the key is sorted prior to decryption). However, the outbound requests to the following URLs are no longer present:
Additionally, the PNG file hosted by the C2 server is no longer provided in a separate response. Instead, it is included when the C2 server provides the RSA public key.
These changes limit the network-based exposure of the malware, making it more difficult for network-based security solutions to detect it.
As of this writing, it appears that this new version of CryptoWall is still in early use by attackers. Palo Alto Networks has witnessed 10 unique samples being used to conduct 57 attempted infections. The malware itself includes multiple modifications, including how files are encrypted as well as how network communications occur. Additionally, the content as well as the look and feel of the ransom notification have changed and appear to still be in development based on the discrepancies between the HTML files and PNG files shown to victims.
CryptoWall has been responsible for many millions of dollars in damages worldwide. The threat of ransomware has remained active for a number of years now, and shows no signs of stopping in the future. Individuals should remain vigilant about ensuring that suspicious emails are not opened and skeptical about navigating to unknown websites that are not trusted.
The following SHA256 hashes of CryptoWall version 4 have been identified.