Malicious CryptoWall Ransomware Threat Updated to Version 2.0 with New Obfuscator

Malware authors are proactive about updating threats that have a serious effect on the systems they infect. One threat that has caused massive issues for computer users is CryptoWall Ransomware, because of its ability to encrypt files on an infected system.

CryptoWall ransomware first came to the attention of computer security experts many months ago, when it was noticed to behave much like other well-known encryption threats. Its ability to encrypt files and then demand a fee for a decryption key is a well-thought-out attack on computer users. CryptoWall has mostly been distributed through fake emails claiming to come from a legitimate entity, as in the cases of fake IRS emails.

Figure 1. CryptoWall Ransomware threat message in an updated version

CryptoWall ransomware has recently been found updated to a new version with new capabilities. The updated CryptoWall, now dubbed CryptoWall 2.0 and shown in Figure 1 above, uses a new packer/obfuscator that bundles a large number of methods designed to hinder debugging and analysis. This helps CryptoWall 2.0 evade the analysis that leads to its detection and removal, or to stopping its encryption actions on an infected computer.

CryptoWall 2.0 was also found to use new command and control servers, the points the malware contacts for new or updated instructions to carry out on infected computers. Researchers from F-Secure, who took special notice of the updated CryptoWall threat, found that it was signed with a digital certificate issued just hours before its latest malvertising campaign started, a campaign that spread it through malicious advertisements. Many of the sites spreading CryptoWall were legitimate; only the advertisements fed through the Zedo network were malicious, and the webmasters were initially unaware of them.
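The F-Secure observation above (a signing certificate issued only hours before the sample appeared) is a useful triage signal for defenders. The following is an added example, not code from the article or from F-Secure: it classifies signed samples by how old their certificate was when the sample was first seen. The `SignedSample` fields, the 48-hour window and the sample records are all constructed assumptions for illustration; a real pipeline would fill them from the binary's Authenticode certificate and its first-seen timestamp.

```python
"""Triage signed samples by certificate freshness (added example, stdlib only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class SignedSample:
    sample_id: str              # constructed label, not a real hash
    signer_cn: str              # CN of the signing certificate (constructed)
    cert_not_before: datetime   # certificate validity start, tz-aware
    first_seen: datetime        # when the sample was first observed, tz-aware


# Assumed tuning knob: certificates younger than this at first sight are flagged.
FRESH_CERT_WINDOW = timedelta(hours=48)


def cert_age_at_first_seen(sample: SignedSample) -> timedelta:
    """How long the certificate had been valid when the sample first appeared."""
    return sample.first_seen - sample.cert_not_before


def classify(sample: SignedSample, window: timedelta = FRESH_CERT_WINDOW) -> str:
    """Return a triage verdict for one signed sample."""
    age = cert_age_at_first_seen(sample)
    if age < timedelta(0):
        # Certificate claims to start after the sample was already circulating:
        # clock skew, a backdated binary or tampered metadata. Escalate either way.
        return "invalid-timing"
    if age <= window:
        # Freshly issued certificate: the pattern F-Secure described for CryptoWall 2.0.
        return "fresh-cert"
    return "established-cert"


def triage(samples: List[SignedSample],
           window: timedelta = FRESH_CERT_WINDOW) -> Dict[str, str]:
    """Map each sample id to its verdict."""
    return {s.sample_id: classify(s, window) for s in samples}


def demo_samples() -> List[SignedSample]:
    """Constructed records: one fresh certificate, one old one, one with impossible timing."""
    t0 = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    return [
        SignedSample("sample-A", "Example Widgets Ltd", t0 - timedelta(hours=3), t0),
        SignedSample("sample-B", "Longstanding Vendor Inc", t0 - timedelta(days=400), t0),
        SignedSample("sample-C", "Odd Signer LLC", t0 + timedelta(hours=6), t0),
    ]


if __name__ == "__main__":
    for sid, verdict in triage(demo_samples()).items():
        print(sid, verdict)
```

A fresh certificate is not proof of malice on its own (legitimate vendors renew certificates too), so the verdict is meant to raise a sample's priority for sandboxing or revocation checks rather than to block it outright.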

Among the sites found to spread the updated CryptoWall were hindustantimes[dot]com, bollywoodhungama[dot]com, one[dot]co[dot]il, codingforums[dot]com, and mawdoo3[dot]com. It is rather common for hackers to feed malicious ads through an ad network, since having them signed with a new digital certificate mostly goes undetected until someone notifies the ad network of the malvertising campaign taking place.

8 Comments

  • Bryce:

    This just hit one of our machines. Likely from a celebrity gossip website.

  • Mike:

    Had a client hit with Cryptowall 2.0 and it found a chunk of files for which we don't have a working backup, in addition to some that could be restored. Any hope of a Cryptowall 2.0 decryption hack on the horizon?

  • Rob:

    Had my co-worker get hit by this from a fake e-mail from our payroll company. It is a terrible virus, this one; it got to our network share on the server and all of my co-worker's files.

  • uhlive:

    I'm working extremely hard to break into their servers.
    Their main server has SSH enabled. The ip address is 151.248.115.146.

    I'm willing to bet the private keys are on that server.
    Just gotta get to them!

  • Bill:

    Let us know if you get it uhlive. I lost everything 🙁

  • CTAN:

    uhlive.... let us know how you are doing.... I've lost all my files, and although they are mostly pics and videos (my newborn's birth among them), I'm not planning to pay any ransom; to hell with them, but I'm willing to pay anybody to crack down on these criminals.
    Give me the mofo who did it and I will waterboard the SOB until he sings like a canary all the key codes.

  • Jim:

    I paid, and then the web address I had been communicating with them through just disappeared! Does anyone know how I can get in touch with them?

  • danny:

    Any way to get files or unlock them as of yet? I installed a new OS on the drive and am still unable to unlock the files. Any help?
