Localized ransom message, for every victim to understand

Jan 14, 2015 23:29 GMT  ·  By

CryptoWall ransomware had been quiet for about two months, but its authors appear to have spent that time on version 3.0, which arrives with localized ransom messages.

Apart from this change, security researchers have observed that victims are given several addresses leading to the decryption service, which is now hosted inside the I2P anonymity network.

Because I2P sites cannot be reached the way ordinary websites can, those addresses point to specific proxy servers that relay the victim's traffic into the I2P network.

I2P is an anonymity network similar to Tor: traffic is encrypted in several layers and routed through a chain of relays to conceal the identity of the user.

Connecting to I2P through the proxies did not work

CryptoWall, also detected as Crowti, is file-encrypting ransomware: as soon as it runs on a compromised computer, it starts encrypting the data stored on it.

When the encryption finishes, the victim is shown a ransom message with instructions on how to pay in order to receive the key that unlocks the files. The fee is $500 / €424, payable in bitcoin within 168 hours (seven days) of the encryption completing.

Version 3.0 of the malware has been spotted by French malware researcher Kafeine, as well as by security experts at Microsoft.

In a blog post published on Wednesday, Kafeine said that communication with the command and control server is encoded with the RC4 cipher and carried over I2P.
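The report above names RC4 for the command-and-control traffic. The Python below is an added example (not CryptoWall's code and not taken from Kafeine's analysis) showing what that implies for an analyst: RC4 is a keystream XORed over the data, so one routine both encrypts and decrypts once the key is known, and a wrong key yields garbage rather than an error. The sample message, the key `b"Key"` and the helper names are constructed for illustration; the page does not say how CryptoWall derives its key, so recovering a real key from a sample is outside what this shows.

```python
"""RC4 keystream generator plus symmetric encrypt/decrypt.

Added illustration of the cipher named in the article. This is not
CryptoWall's own code; the key and messages below are made up."""


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then PRGA."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S using the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA: endless keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decode_c2_message(key: bytes, blob_hex: str) -> bytes:
    """Decode a captured hex-encoded RC4 blob with a candidate key.

    RC4 has no integrity check, so a wrong key still 'succeeds' and the
    caller must judge whether the output looks like a real message."""
    return rc4(key, bytes.fromhex(blob_hex))


def looks_like_text(data: bytes) -> bool:
    """Crude plausibility check: every byte printable ASCII or whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


if __name__ == "__main__":
    # Constructed C2-style message and key (hypothetical, not CryptoWall's).
    key = b"Key"
    message = b"Plaintext"
    captured_hex = rc4(key, message).hex()       # bbf316e8d940af0ad3
    print("captured:", captured_hex)
    for candidate in (b"Wrong", key):
        out = decode_c2_message(candidate, captured_hex)
        print(candidate, "->", out, "plausible" if looks_like_text(out) else "garbage")
```

The `Key`/`Plaintext` pair is the standard published RC4 test vector, so the ciphertext `bbf316e8d940af0ad3` can be checked against any other implementation; the point of the wrong-key branch is that with a stream cipher you only learn you had the right key by inspecting the output.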

The researcher tested the new CryptoWall sample and found that the proxies did not work: attempting to connect returned an error message stating that the I2P website was unavailable, for reasons such as a congested network or an inability to reach the relays, and that the attempt should be retried.

The criminals had anticipated such failures, however, and the ransom note also includes instructions for reaching the decryption service as a hidden service on the Tor anonymity network.

CryptoWall is a very lucrative business

According to data from Microsoft, CryptoWall 3.0 infected 288 unique machines on January 11 and 12 alone.

Earlier versions of the malware infected a large number of machines belonging not only to consumers but also to organizations of various kinds.

An August 2014 report from Dell SecureWorks Counter Threat Unit (CTU) found that the group behind the threat made more than $1.1 million / €835,000 in roughly six months (mid-March to August 2014) from 625,000 infected systems worldwide.

CryptoWall 3.0 (4 images)

CryptoWall ransom message in English
French localized ransom message from CryptoWall 3.0
Error received when attempting to access the I2P proxies