CryptoWall 3.0 - Crowti update

Status
Not open for further replies.

Petrovic (thread author):
After almost two months of hiatus over the holidays, a new campaign of Crowti tagged as 'CryptoWall 3.0' has been observed. It uses a similar distribution channel as before, having been downloaded by other malware and serving as a payload through exploits.

The graph below shows the spike, after two days of no activity, of 288 unique machines affected by this malware:


Figure 1. Sudden spike from CryptoWall 3.0 activity this month.

It still follows the same behavior as previous variants, with minimal modifications such as changes in ransom notification file names:

  • HELP_DECRYPT.HTML
  • HELP_DECRYPT.PNG
  • HELP_DECRYPT.TXT
  • HELP_DECRYPT.URL
The files are still customized for each infected user, with a personal link to a decryption-instructions page that is still served over the Tor network. Tor (anonymity network) is free software that enables online anonymity for users who attempt to resist censorship.


Figure 2. HELP_DECRYPT.PNG is displayed after the files on the system have been encrypted, giving information about the malware attack.


Figure 3. HELP_DECRYPT.TXT details the instructions to go to the decryption page that is customized for each infected user.


Figure 4. HELP_DECRYPT.HTML details the instructions to go to the decryption page that is customized for each infected user.


Figure 5. Decryption service or payment page that requests 500 USD/EUR for the first 167 hours; the ransom demand increases over time.

Full Article - blogs.technet.com
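A triage sweep for the artifacts listed above, as an added example; it is not code from the post or from the Microsoft article. It assumes that the four HELP_DECRYPT note names are dropped together into each directory whose files were encrypted, that the TXT, HTML and URL notes carry the victim's personal Tor link as a .onion host name, and that the sweep is run against a forensic copy or mounted image rather than on the live infected host. The sample directory tree, the note contents and the host name exampleexample22.onion are constructed placeholders, not real CryptoWall material.

```python
"""Sweep a file tree for CryptoWall 3.0 ransom-note artifacts and pull out .onion hosts."""
import os
import re
import tempfile
from pathlib import Path

# Ransom-note file names listed in the post; all four are dropped together.
RANSOM_NOTE_NAMES = {
    "HELP_DECRYPT.HTML",
    "HELP_DECRYPT.PNG",
    "HELP_DECRYPT.TXT",
    "HELP_DECRYPT.URL",
}

# Tor hidden-service host pattern: 16 base32 chars (v2) or 56 (v3), then ".onion".
# Generic pattern, assumed here; not taken from any real note.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)


def find_ransom_notes(root):
    """Walk `root` and return {directory: sorted note names} for every directory
    holding at least one note. Names are compared case-insensitively because NTFS is."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        found = sorted(f for f in filenames if f.upper() in RANSOM_NOTE_NAMES)
        if found:
            hits[dirpath] = found
    return hits


def extract_onion_urls(note_path):
    """Return the set of .onion host names referenced in a text-like note (TXT/HTML/URL)."""
    try:
        text = Path(note_path).read_text(errors="replace")
    except OSError:
        return set()
    return {m.group(0).lower() for m in ONION_RE.finditer(text)}


def triage(root):
    """Summarise the sweep: directories with notes, directories with the complete
    set of four notes, and every .onion host the notes point at (one per victim ID)."""
    hits = find_ransom_notes(root)
    complete = [
        d for d, names in hits.items()
        if {n.upper() for n in names} == RANSOM_NOTE_NAMES
    ]
    onions = set()
    for d, names in hits.items():
        for n in names:
            if n.upper().endswith((".TXT", ".HTML", ".URL")):
                onions |= extract_onion_urls(os.path.join(d, n))
    return {
        "directories": len(hits),
        "complete_sets": len(complete),
        "onion_hosts": sorted(onions),
    }


def build_sample_tree():
    """Create a CONSTRUCTED sample tree in a temp dir and return its root.
    Note bodies and the .onion host are placeholders, not real CryptoWall text."""
    root = tempfile.mkdtemp(prefix="cw3_sample_")
    docs = Path(root, "Users", "alice", "Documents")
    docs.mkdir(parents=True)
    for name in RANSOM_NOTE_NAMES:          # full set of four notes
        (docs / name).write_bytes(b"")
    (docs / "HELP_DECRYPT.TXT").write_text(
        "Your personal page: http://exampleexample22.onion/abcd\n"   # hypothetical host
    )
    (docs / "HELP_DECRYPT.URL").write_text(
        "[InternetShortcut]\nURL=http://exampleexample22.onion/abcd\n"
    )
    pics = Path(root, "Users", "alice", "Pictures")   # partial drop: TXT only, no link
    pics.mkdir(parents=True)
    (pics / "help_decrypt.txt").write_text("placeholder note without a link\n")
    music = Path(root, "Users", "alice", "Music")     # clean: near-miss name must not match
    music.mkdir(parents=True)
    (music / "HELP_DECRYPT.TXT.bak").write_text("not a note\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(triage(sample_root))
```

Run it against a mounted image root instead of `build_sample_tree()` to list the encrypted directories; the .onion hosts give you a per-victim identifier to correlate across machines, since the post notes the decryption page is customised for each infected user. Directories with a partial note set are still reported, because an interrupted run or a user deleting some notes should not hide a hit.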