Guess Who? Cryptowall’s Back to Hold Your Files Hostage

The infamous Crowti ransomware, often dubbed Cryptowall, is back with a new campaign, this time using the I2P anonymity network to communicate with its command and control infrastructure.

Cryptowall 3.0 was spotted by both Microsoft and French researcher Kafeine, who each released screenshots showing the malware hadn’t changed much from a victim-facing perspective.

However, its use of I2P is an evolution of the popular ransomware.

“It seems communication with the C&C are Rc4 encoded (key seems to be alphanum sorted path of the POST) and using i2p protocol,” wrote Kafeine.

“So... they are sadly back... and we can expect a lot of them in Exploit Kit, Spam, tasks in Botnet etc....”
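Kafeine's description above (RC4-encoded C&C traffic keyed from the sorted POST path) is the kind of detail an analyst turns into a decoder for captured traffic. The block below is an added illustration, not code from the article or from Kafeine; the exact key derivation (keep the alphanumeric characters of the request path, sort them in ASCII order) is an assumed reading of the quote, and the request path and beacon body are constructed sample data.

```python
# Added example, not from the article or Kafeine's write-up.
# Decodes a captured C2 POST body with RC4, keyed from the request path as the
# quote describes. The key derivation below is an ASSUMPTION (alphanumeric
# characters of the path, ASCII-sorted); the sample path and body are CONSTRUCTED.
import string


def rc4_keystream_xor(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) XORed over data; encryption and decryption are identical."""
    # Key-scheduling algorithm: permute S using the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: XOR each input byte with the next keystream byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_post_path(path: str) -> bytes:
    """ASSUMED derivation of "alphanum sorted path of the POST": keep only the
    alphanumeric characters of the path and sort them in ASCII order."""
    alnum = [c for c in path if c in string.ascii_letters + string.digits]
    return "".join(sorted(alnum)).encode()


def decode_c2_body(path: str, body: bytes) -> bytes:
    """Recover the plaintext of a captured POST body given its request path."""
    return rc4_keystream_xor(key_from_post_path(path), body)


if __name__ == "__main__":
    # Constructed sample: a fake request path and the beacon an analyst expects
    # to see once decoded. Encrypt it, then run it back through the decoder.
    sample_path = "/a7f3k2/"
    plaintext = b'{"id":"example-victim","cmd":"ping"}'
    ciphertext = rc4_keystream_xor(key_from_post_path(sample_path), plaintext)
    print("derived key:", key_from_post_path(sample_path))
    print("decoded body:", decode_c2_body(sample_path, ciphertext))
```

If the real sample uses a different ordering or character set for the key, only `key_from_post_path` needs to change; the RC4 core stays the same.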

The Microsoft Malware Protection Center’s Marianne Mallen said Redmond had seen a sudden spike from no infections on 11 January to 288 the following day, after an almost two-month hiatus for Crowti.

“It still follows the same behavior as previous variants, with minimal modifications such as changes in ransom notification file names,” she explained.

“The files are still customized for each infected user with a personal link to a decryption instructions page, which is still done over the Tor network.”

Microsoft was forced to issue an advisory on Cryptowall in October last year, having seen the ransomware spike to around 4000 infected machines – mainly in the US (71%).

It spread largely via malicious attachments in spam email campaigns, but also through exploit kits such as Nuclear, RIG, and RedKit V2, Redmond said.

Cryptowall is part of a new generation of malware which, rather than locking a PC until a ransom is paid, encrypts all of its files and then demands bitcoin payment in return for the decryption key.

Tor is often used to disguise communications between the victim and the attackers so that law enforcement and researchers can’t monitor what’s going on.

Infections of Cryptowall hit a peak in its first incarnation when over 620,000 machines fell victim.
