
After a brief hiatus malware developers release CryptoWall 3.0


272 replies to this topic

#1 Grinler (Lawrence Abrams), Admin

Posted 14 January 2015 - 12:07 AM

After a brief hiatus of CryptoWall infections during the holidays, yesterday the malware developers released CryptoWall 3.0. The only changes in this version compared to the previous one are ransom note filename changes, new TOR gateways, and an extended deadline to make the payment. Other than that, CryptoWall 3.0 is the same piece of garbage we have come to hate in CryptoWall 2.0.

The first change is a longer deadline time that a payment must be made before the ransom amount increases. Originally the ransom deadline was 5 days after the time of the infection. Now they have increased the deadline to a full week.

Another change is additional TOR gateways that are used to access the CryptoWall decryption site. These TOR gateways are torforall.com, torman2.com, torwoman.com, and torroadsters.com. Using these gateways an infected user is able to access the CryptoWall decryption site without installing the TOR browser software.
 

[Image: tor-gateway.jpg]


Last, but not least, the ransom note filenames have changed and now an extra PNG file is displayed along with the ransom notes when you login to Windows. The names of the CryptoWall 3.0 ransom notes are now HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT, and HELP_DECRYPT.URL. Each ransom note is described below.

HELP_DECRYPT.HTML: This HTML file will be shown every time you login to Windows and displays information on what CryptoWall 3.0 is and how to access the ransom site.
 

[Image: help_decrypt.html.jpg]



HELP_DECRYPT.PNG: This image file is displayed when you login to Windows and contains more information about CryptoWall 3.0 and how to access the ransom site.

[Image: help_decrypt.png.jpg]



HELP_DECRYPT.TXT: This text file will be shown every time you login to Windows and contains the same information as the other files.

[Image: help_decrypt.txt.jpg]



HELP_DECRYPT.URL: This file will automatically load your default browser and display the CryptoWall 3.0 Decrypt Service when you login to Windows. The decryption site looks similar to the image below.

[Image: decrypt-service.jpg]



The CryptoWall Information Guide has already been updated with this information and ListCwall is still able to export the list of encrypted files. You can also discuss this topic further in our CryptoWall Support Topic.

Update 1/14/15: Kafeine has posted a story detailing how CryptoWall 3.0 also communicates over the anonymous network service I2P.
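A defender-side triage script, added here as an example and not part of the original post or of the ListCwall tool: it walks a directory tree for the four HELP_DECRYPT ransom note names given above and pulls any of the listed TOR gateway domains out of the TXT note, so a responder can confirm the variant and see which folders were hit. The sample tree and note text it builds are constructed for the example; the gateway URL path is a placeholder.

```python
import os
import re
import tempfile

# Ransom note filenames reported for CryptoWall 3.0 in the post above.
RANSOM_NOTES = {"HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG", "HELP_DECRYPT.TXT", "HELP_DECRYPT.URL"}
# TOR web gateways named in the post; the notes send victims to one of these.
KNOWN_GATEWAYS = {"torforall.com", "torman2.com", "torwoman.com", "torroadsters.com"}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def find_ransom_notes(root):
    """{directory: [note filenames]} for each folder under root holding a note (case-insensitive, like NTFS)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        found = sorted(f for f in files if f.upper() in RANSOM_NOTES)
        if found:
            hits[dirpath] = found
    return hits


def gateway_hosts(note_text):
    """Known gateway domains referenced by any URL in the note text (subdomains included)."""
    hosts = {m.group(1).lower() for m in HOST_RE.finditer(note_text)}
    return {g for g in KNOWN_GATEWAYS for h in hosts if h == g or h.endswith("." + g)}


def triage(root):
    """Affected directories plus any gateway domains found in the TXT notes."""
    notes = find_ransom_notes(root)
    gateways = set()
    for dirpath, files in notes.items():
        for name in files:
            if name.upper() == "HELP_DECRYPT.TXT":
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    gateways |= gateway_hosts(fh.read())
    return {"affected_dirs": sorted(notes), "gateways": sorted(gateways)}


def build_sample_tree():
    """Constructed sample, not real malware output: two hit folders, one clean; URL path is a placeholder."""
    root = tempfile.mkdtemp(prefix="cw3_sample_")
    note = "Your files were encrypted.\nOpen http://torforall.com/PLACEHOLDER_ID in your browser.\n"
    for sub in ("Documents", "Pictures"):
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name in ("HELP_DECRYPT.TXT", "help_decrypt.html", "HELP_DECRYPT.PNG", "HELP_DECRYPT.URL"):
            with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
                fh.write(note)
    os.makedirs(os.path.join(root, "Clean"))
    return root
```

Run `triage(build_sample_tree())` to see the two affected folders and the single gateway domain reported; point `triage` at a mounted image of the infected disk for real use.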


#2 GT500, Security Colleague

Posted 14 January 2015 - 04:54 AM

Thanks for the update Lawrence. :wink:

Edited by GT500, 14 January 2015 - 04:54 AM.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#3 Aura (Bleepin' Special Ops), Malware Response Team

Posted 14 January 2015 - 08:37 AM

New Cryptowall version, yet they still can't type/write in English properly. Thank you for the update Grinler!



#4 zingo156, Helper Emeritus

Posted 14 January 2015 - 09:37 AM

Maybe the virus writer is trying to throw the authorities off by intentionally speaking incorrect language. I still hate seeing new versions of these :( Ransomware does appear to be getting more and more popular since the success of CryptoLocker. I had read somewhere that CryptoWall writers may have earned close to US$1 million. I wonder why there hasn't been a crackdown on CryptoWall yet by the authorities; maybe it is harder to trace with Tor and only Bitcoins.

 

Edit link here: http://www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html


Edited by zingo156, 14 January 2015 - 09:38 AM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#5 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 14 January 2015 - 08:46 PM

Update: Kafeine has found that CryptoWall 3.0 also communicates over the anonymous network service I2P.

http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html

#6 mawelsh, Members

Posted 15 January 2015 - 01:22 PM

Are there any available examples of the links, fake "video player updates", etc. that cause the trojan to be installed?



#7 RobertHD, Members

Posted 16 January 2015 - 01:07 AM

If you know that you cracked 2.0, there is a highly good chance of smashing 3.0's ransomware.


Edited by RobertHD, 16 January 2015 - 01:07 AM.

Robert James Crawley Klopp


#8 radcarp, Members

Posted 16 January 2015 - 03:50 AM

So I understand that there is nothing to be done with files infected by CryptoWall 3.0, just wait for a new program to decrypt?



#9 Edwarddist, Members

Posted 16 January 2015 - 06:15 AM

Hello, I was infected last night with CryptoWall 3.0. What is your advice? What should I do now?



#10 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 16 January 2015 - 09:40 AM

At this point there is unfortunately nothing that can be done.

#11 daveydoom, Security Colleague

Posted 16 January 2015 - 09:47 PM

I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0. I've been able to view some of the pictures so I know it's working. What a pain <_< .


"A computer beat me in chess, but it was no match when it came to kickboxing"
-Emo Philips

Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#12 alexdc22, Members

Posted 18 January 2015 - 07:08 AM

> I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0. I've been able to view some of the pictures so I know it's working. What a pain <_< .

Would this be Wondershare PhotoRec?

If it is, then it is not working for me, as I have tried it after you posted this but my pictures are still corrupt... The files are on a different HDD since I had to reinstall Windows due to the severe infection.... Please let me know if that's the one.

Thx.



#13 daveydoom, Security Colleague

Posted 18 January 2015 - 08:19 AM

 

> > I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0. I've been able to view some of the pictures so I know it's working. What a pain <_< .
>
> Would this be Wondershare PhotoRec?

No, PhotoRec can be found here:

http://www.cgsecurity.org/wiki/PhotoRec

I've used this software in the past to recover files. Good luck :) .




#14 alexdc22, Members

Posted 18 January 2015 - 08:25 AM

 

 

> > > I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0. I've been able to view some of the pictures so I know it's working. What a pain <_< .
> >
> > Would this be Wondershare PhotoRec?
>
> No, PhotoRec can be found here:
>
> http://www.cgsecurity.org/wiki/PhotoRec
>
> I've used this software in the past to recover files. Good luck :) .

I will give it a go... thanks, brother.



#15 daveydoom, Security Colleague

Posted 18 January 2015 - 11:10 AM

You're welcome :) .






