CryptoWall 3.0 - Crowti update


Petrovic

After almost two months of hiatus over the holidays, a new campaign of Crowti tagged as 'CryptoWall 3.0' has been observed. It uses a similar distribution channel as before, having been downloaded by other malware and serving as a payload through exploits.

The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware:


Figure 1. Sudden spike from CryptoWall 3.0 activity this month.

It still follows the same behavior as previous variants, with minimal modifications such as changes in ransom notification file names:

  • HELP_DECRYPT.HTML
  • HELP_DECRYPT.PNG
  • HELP_DECRYPT.TXT
  • HELP_DECRYPT.URL
The files are still customized for each infected user, with a personal link to a decryption instructions page that is still served over the Tor network. Tor (anonymity network) is free software which enables online anonymity for users who attempt to resist censorship.


Figure 2. HELP_DECRYPT.PNG is displayed after the files in the system have been encrypted, giving information about the malware attack.


Figure 3. HELP_DECRYPT.TXT details the instructions to go to the decryption page that is customized for each infected user.


Figure 4. HELP_DECRYPT.HTML details the instructions to go to the decryption page that is customized for each infected user.


Figure 5. Decryption service or payment page that requests 500 USD/EURO for the first 167 hours; the ransom demand increases over time.

Full Article - blogs.technet.com
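The four ransom note file names listed in the post are the most reliable host-side indicator of this campaign, since the encrypted files themselves are not renamed. The script below, an added example that is not part of the original post or of the Microsoft write-up, walks a directory tree and reports every directory that holds one or more of those names, distinguishing complete note sets from partial ones. The sample tree it builds is constructed for the demonstration; the `find_ransom_notes` and `summarize` helper names are assumptions, not anything from the page.

```python
import os
import tempfile
from pathlib import Path

# Ransom note file names listed for the CryptoWall 3.0 / Crowti campaign.
CRYPTOWALL3_NOTES = frozenset({
    "HELP_DECRYPT.HTML",
    "HELP_DECRYPT.PNG",
    "HELP_DECRYPT.TXT",
    "HELP_DECRYPT.URL",
})


def find_ransom_notes(root, names=CRYPTOWALL3_NOTES):
    """Walk `root` and return {directory: sorted note names found} for every
    directory holding at least one ransom note. Matching is case-insensitive
    because the notes are dropped on NTFS, where the case may vary."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        found = sorted(f.upper() for f in filenames if f.upper() in names)
        if found:
            hits[dirpath] = found
    return hits


def summarize(hits, names=CRYPTOWALL3_NOTES):
    """Count directories with the full set of notes versus a partial set.
    A partial set still deserves a look: it may be a manually deleted note
    or a crash mid-drop, but it is rarely benign."""
    complete = sum(1 for found in hits.values() if set(found) == set(names))
    return {
        "directories": len(hits),
        "complete_sets": complete,
        "partial_sets": len(hits) - complete,
    }


def build_sample_tree():
    """Constructed sample (hypothetical victim profile): one folder with the
    full note set, one with a single lowercase note, one clean folder."""
    root = Path(tempfile.mkdtemp(prefix="cw3_sample_"))
    docs = root / "Documents"
    docs.mkdir()
    for name in CRYPTOWALL3_NOTES:
        (docs / name).write_text("constructed placeholder note\n")
    (docs / "report.docx").write_bytes(b"\x00" * 16)
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "help_decrypt.txt").write_text("constructed placeholder note\n")
    clean = root / "Music"
    clean.mkdir()
    (clean / "song.mp3").write_bytes(b"ID3")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = find_ransom_notes(sample_root)
    for directory, notes in sorted(results.items()):
        print(f"{directory}: {', '.join(notes)}")
    print(summarize(results))
```

Point `find_ransom_notes` at a user profile or a mapped share to triage a suspected infection; the per-directory listing also tells you which folders the encryption pass reached, which is useful when scoping restore-from-backup.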
 
