CryptoWall 4.0 Emerges, Bigger and Badder


A new strain of CryptoWall has been released to target users worldwide. Showing signs of classic software-development best practices, CryptoWall 4.0 has been significantly enhanced to avoid detection, to communicate more reliably with its puppet-masters and, ultimately, to be more effective at extracting payment.

According to Heimdal Security, CryptoWall 4.0 includes a modified protocol that enables it to avoid being detected, even by second-generation enterprise firewall solutions. This lowers detection rates significantly compared to the already successful CryptoWall 3.0 attacks.

CryptoWall 4.0 also encrypts not only the contents of the victim's files, but the file names as well. This tactic, which Heimdal describes as social engineering, confuses victims even further, since they can no longer tell which files have been hit. It also heightens the pressure on them to recover their data as quickly as possible.

“Consequently, this increases the success ratio of how many victims see the message versus how many pay the ransom,” researchers said in the analysis. “A clear business enhancement by cyber-criminals.”

In essence, the Cryptoware creators are running their business just as a legitimate software company would.

“They continue to enhance their code so it becomes more effective in terms of finding vulnerabilities to exploit, they address current IT security market trends by making their ransomware as undetectable as possible, and they use all triggers at their disposal (social and emotional) to increase their return on investment,” researchers explained.

CryptoWall 4.0 retains much of what has worked in previous versions: it continues to use Tor to direct victims to the payment instructions, which protects the anonymity of the attackers, and it still connects to a series of compromised web pages to download the payload onto the targeted system. It also continues to spread via drive-by attacks and spam emails, which remain the preferred attack vectors because of their low cost.

“Cybercrime has long transformed from a world of rebel attackers to a business field, albeit one with malicious objectives,” Heimdal researchers noted. “And ransomware is an increasingly important segment of it. It wouldn’t be farfetched to say that we can expect Cryptoware threats to multiply and become increasingly sophisticated.”
