Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

Cryptolocker new and improved: Cryptowall 4.0 - fixedByVonnie

Cryptolocker new and improved: Cryptowall 4.0

It’s been a long day.  You’re tired… heck you’re exasperated.  You prop your elbows on your desk and sink your chin into both palms.

What a pleasant respite from the day… today was nuts

Suddenly an email pops in your inbox from someone named Maryln.

Hmm… What’s this?

Your curiosity moves your mouse to open the message…

Who is this Maryln person?  Perhaps she’s the perfect hire for the position I posted earlier?

Did you even post a position earlier?  Who cares – it’s so easy to click.

So mindless.

So rewarding.

The mouse makes the unmistakable “click” noise and the document opens. But behind the scenes a malicious javascript file named resume.js begins downloading analitics.exe, saves it as 160967782.exe and does three things:

  1. Inject itself into explorer.exe and immediately disables system restore and startup repair
  2. Deletes all your Shadow Volume Copies with vssadmin.exe Delete Shadows /All /Quiet
  3. Encrypts your hard drive, attached removable hard drives, USB drives and mapped network drives and then swallows the key.  The only way to retrieve your files is to pay your attackers a whopping $700 dollars.  I hope you have backups..

Boom!  You just got punked!

This isn’t some story I made up – this is actually how CryptoWall 4 works.

It’s basically a revised version of CryptoLocker and it’s beginning to wreak havok on the net.  The worst part is not only does CryptoWall 4.0 scramble every chunk of writable media connected to your computer but it also scrambles the files names too!

So you won’t even know what’s been encrypted – you won’t know what you lost.

Take a look at what happened to my Windows 10 box:

CryptoWall 4.0 Filenames scrambled

After getting infected it changed the file names and extensions of my files so that they are almost completely unrecognizable.  The only substantive bit of information I’m left with is the file size.

Here’s how the CryptoWall 4.0 attack usually works:

An attack obtains your email address and sends you a gratuitious email with a malicious attachment.  The file is usually sent from one of the following people:

  • beigang45518zheng@163.com
  • mengxiong00539po@163.com
  • xlashan155lu@163.com

And can have any of these attachments:

  • Paulene_resume_9079.zip
  • Ardell_resume_6688.zip
  • Myriam_resume_8347.zip

CryptoWall 4.0 Phishing AttemptIf you click the attachment, extract it and open it you’ll invoke an obfuscated javascript file which instantly attempts to download the malware.

If you’re a real geek you can view the hybrid-analysis of the payload sample here

But now it’s too late.  In an instant, all connected storage media is irrevocably encrypted and you see a demeaning “tutorial” explaining that you’ve now become part of  “a large community CryptoWall”.

When my system was infected the entire process completed in less than 20 seconds.

CryptoWall 4.0 Banner

Gone in 20 seconds!

Here’s what you’ll find in the “setup guide”

In case if these simple rules are violated we will not able to help you, and we will not try because you have been warned.
For your attention the software to decrypt the files (as well as the private key that come fitted with it) is a paid product.
After purchasing the software package you can:
1. Decrypt all your files.
2. Work with your documents.
3. View your photos and other media content.
4. Continue your habitual and comfortable work at the computer.
If you are aware whole importance and criticality of the situation, then we suggest you go directly to your personal page where you will be given final instructions, as well as guarantees to restore your files.

Basically the bad guys illicitly encrypt all your files (and other peoples files if you have mapped drive locations) and then hold your files hostage until you pay the “CryptoWall Service” fee of $700 USD.

Some people call this malware, others refer to it as ransomware but I call it bullshit.

Who the flip do these guys think they are?  Do they realize how much money they are costing people?

Costing companies?

Do they not realize how much pain and misery they are inflicting upon innocent victims; most of who don’t have backups and can’t afford to decrypt their files?

I hate this because it takes zero skill to implement and it exploits the ignorance of perfectly innocent people.  On the one hand, yes – I get it – people shouldn’t open suspicious attachments but for every 98 users who follow the rules there are always 2 who will click anything that comes at them and they’ll get infected.  I get it.

These people brought this pain upon themselves but I hate the cowardice and brazen disrespect these cyber criminals are using to exploit their victims.  The “help files” are a complete effrontery to the victim.


CryptoWall tutorial

The real problem is that since your files are encrypted with 2,048 bit encryption it’s virtually impossible to brute force the keyspace and extrapolate the original plain-text copies of your data.  You’re forced to either pay the fine, restore a backup or weep for weeks.

The Bottom Line

Make backups.

That’s the bottom line.  But it’s bigger than that.  If your backups are being stored to an external hard drive that’s always connected to your computer then those files would have been encrypted too.  This also goes for any network storage drives you had on your home network.  You need to be making periodic backups that you keep in a vault, a locked safe or somewhere physical separate from your computer.

Think about the cost of your data.  How much is it worth to you?  How hard would it be to get everything back on your computer if you got CryptoWalled tonight?

Leave a comment and tell me what you think about all this.


Connect with Vonnie on Twitter

Posted in Mac OS X 10.9 Mavericks, Samsung Galaxy S4, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows XP Tagged with: , ,
  • Bok

    Have a client with a receptionist that has been burned by previous CryptoLocker versions TWICE! Fortunately, we had good backups and still do.

  • Peter Psaradellis

    Thanks for this excellent article describing the latest Cryptolocker techniques.

    I have had to personally deal with a few instances of Crypto infections at client sites, and the simplest method is to restore data from backups.
    In a few instances we also restored servers, network data, and OS drives just to be sure.


    This is old news: i wrote a piece of software that runs on a Pi Zero that can brute force the key using a variant of the number sieve running with a near quantum speedup using inter-row tunneling in the memory chip within a small temperature range.

    Can decode in about 4.5 hours but adding more CPUs drops this substantially.

  • harry taylor

    I totally wanted an ethical hacker to help me spy on my wife and served as a personal investigator. Literally, I met him on a dating site and there used to be trust but now, he locks out his W h a t s App, PC and phone. So, there are trust issues. So, I wanted help to bypass his security and test his potency on trust. I got an hacker who helped me bypass his phone and got it cloned. I get access to activities like Facebook, Email, W h a t s App, calls, Skype and others. I’m sure someone out there is looking for how to solve her relationship problems, just hire;; { HACKDON005 AT G MAIL DOT COM}…

  • Mike

    Thanks for this excellent article describing the latest Cryptolocker techniques.
    buy bulk instagram accounts
    Buy Instagram pva accounts

  • Mike

    Thank you so much for these wonderful Posts and all the best for your future. I hope to see more posts from you.
    Buy Gmail pva accounts
    Gmail pva accounts

  • Thanks for this excellent article describing the latest Cryptolocker techniques.