
CryptoWall virus imposes a money-for-data bargain

James Green | 02.12.2015 14:41 | Other Press | Technology

Over the many months that the CryptoWall ransomware has been on the loose, no authority has come up with a way to take the campaign down, nor have security labs devised a method to recover the files this virus encrypts.

What makes matters worse is the evolution of the distribution methods used by the new version 4.0. Whereas previous variants of the infection stuck to social engineering or exploit-based ways of spreading, the latest build relies on botnets, such as the infamous Asprox, to infect computers on a much larger scale.

This increasing sophistication makes CryptoWall attacks harder to prevent. The rest of the tactical framework, though, does not appear to be undergoing substantial changes. Just as before, the virus scans an infected machine's hard drive in search of data to capture. The basic markers used to identify the victim's personal information are file extensions, with a special focus on popular ones like .jpg, .doc, .xls, .ppt, etc. Anything on letter-assigned HDD volumes that matches these criteria is eventually encrypted with RSA-2048, a very strong public-key crypto standard, and all such files become impossible to open.

CryptoWall then displays a warning screen with the essentials of what happened to the information. It also periodically pops up a file named HELP_DECRYPT, providing Tor links to the victim's personal page where the ransom payment can be completed. The amount demanded for reinstating the files is $500, and the user is supposed to submit this fee in Bitcoin, a currency that makes the receiving party very hard to identify and track down. It is precisely because of this Tor- and Bitcoin-based operation that attributing the fraudsters is such a tricky task.

Automatic recovery tools are barely effective for restoring the data, because CryptoWall encrypts copies of the files after deleting the originals with multiple overwrite passes. The Volume Shadow Copy Service, a file backup feature built into Windows, may be of help, but its effectiveness depends on a number of conditions. The applicable data restoration techniques beyond submitting the ransom are covered on trusted security websites, so anyone infected should give those tips a shot. Source:
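Whether shadow-copy recovery is an option at all depends on the VSS service being usable and on snapshots actually existing for the affected volumes. The following PowerShell inventory is an added example, not part of the article, that a responder can run on a Windows machine to check those two conditions before attempting a restore; it assumes PowerShell 5 or later and an elevated session.

```powershell
# Added example: inventory Volume Shadow Copies per local volume so that
# a responder can see whether VSS-based file recovery is even possible.
# Assumes Windows, PowerShell 5+, and an administrator session.

function Get-ShadowCopyInventory {
    # The VSS service must be present and startable for any restore to work.
    $vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'VSS service'
        Detail = if ($vss) { $vss.Status } else { 'not found' }
    }

    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the
    # \\?\Volume{GUID}\ form, so they can be matched directly.
    $volumes = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter }
    $copies  = Get-CimInstance Win32_ShadowCopy

    foreach ($v in $volumes) {
        $mine   = @($copies | Where-Object { $_.VolumeName -eq $v.DeviceID })
        $newest = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
        [pscustomobject]@{
            Check  = "Volume $($v.DriveLetter)"
            Detail = if ($mine.Count -gt 0) {
                         "$($mine.Count) shadow copies, newest $($newest.InstallDate)"
                     } else {
                         'no shadow copies'
                     }
        }
    }
}

Get-ShadowCopyInventory | Format-Table -AutoSize
```

A volume reported with no shadow copies, or a VSS service that is not found, means the Windows-native recovery path the article mentions will not help for that volume and other restoration options must be considered.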

James Green