CryptoWall is ransomware that encrypts files on an infected computer and requires users to pay a ransom to receive a decryption key. It was initially released in 2014, but it’s been through several iterations, making it much stealthier than other ransomware like it. Like other ransomware, CryptoWall encrypts files, but it also hides in the Windows operating system so that it executes persistently after every reboot.
CryptoWall Ransomware History
After researchers stopped CryptoLocker in 2015, malware authors took the CryptoLocker code and converted it to a new form of ransomware named CryptoWall. It started as simple ransomware that used HTTP to communicate with a command-and-control server. Because it used HTTP, researchers could identify CryptoWall patterns to stop it, which led to CryptoWall 2.0.
CryptoWall has gone through several versions since 2015, with each new version created to avoid security defenses. CryptoWall is now at version 4.0, and every new version adds features to extort money from users. The latest CryptoWall 4.0 was released in late 2021, so it’s reasonable to believe that new versions could be released regularly.
Breakdown of CryptoWall Versions
The first version of CryptoWall was a clone of CryptoLocker with a different command-and-control server, so the most significant change was when CryptoWall 2.0 was released. New versions still have the same encryption and deployment strategy through phishing, but the ransomware’s technical functionality changes to avoid detection. These newer versions introduced the most significant threat to corporations because they no longer resembled the original CryptoLocker.
CryptoWall 2.0’s biggest change was how it was delivered. It no longer communicated with the command-and-control server over HTTP, which had made the first version vulnerable to researcher analysis. Authors for version 2.0 also added delivery on website ads, took advantage of browser vulnerabilities to install the malware, and used vulnerabilities in unpatched software to install the ransomware.
After CryptoWall 2.0, malware authors increased their aggressiveness on installation with CryptoWall 3.0. It was the first version that used the I2P anonymity network to hide communication and its identity from researchers. CryptoWall 3.0 started with a phishing email that contained a link pointing to a downloader program. Executing the downloader connected the user to one of several domains where the main ransomware was downloaded and installed on the local computer. At this point, the ransomware followed typical functionality by encrypting files and scanning the network for open shared drives. The ransom note was installed on the local device and displayed to the victim after their files were encrypted.
CryptoWall 4.0 came out in 2021. This version improves communication between the local device and the command-and-control server. It uses a modified protocol to evade antivirus detection and bypass firewall rules. CryptoWall also spreads using phishing emails, but this new version hides in the Windows system and disables the targeted victim’s system restore ability.
All versions of CryptoWall use a cryptographically secure cipher to encrypt data. Current versions use RC4, but older CryptoWall versions use RSA-2048. Both make it impossible to decrypt data without the private keys. All versions scan for mapped drives and take measures to destroy backups. Version 4.0 makes it increasingly difficult to recover backups by destroying shadow copies in Windows and disabling the Windows startup repair function.
The most recent version of CryptoWall, 5.1, is unlike other versions and could be a completely different codebase. It’s based on the HiddenTear malware, an open-source trojan posted on GitHub in 2015. Because it works with a different codebase, CryptoWall 5.1 uses AES-256 encryption, but other modes of operation are similar. Several variants, such as CryptoDefense, are similar to the latest CryptoWall version.
How Does CryptoWall Work?
Some functionality in CryptoWall persists from version to version. CryptoWall 4.0 is the latest version with the largest number of changes since the original version in 2015. While the general function of ransomware is to encrypt user files so they cannot be recovered, it’s the authors’ strategies that make ransomware uniquely challenging to remediate. Recovery using backups is the only solution for a CryptoWall incident, but CryptoWall searches for backups to encrypt them as well.
The initial attack is similar to any other ransomware campaign. The targeted victim receives a phishing email with a malicious link. The link points to a URL on the attacker-controlled domain where the user must agree to download malware. The malware might be downloaded using a script, an executable, or a malicious macro. Typically, a downloader file connects to an attacker-controlled domain where the ransomware executable is stored.
The downloader transfers the ransomware files to the local machine and executes them. At this point, CryptoWall scans the local machine for almost 150 different file extensions. Any files with a matching file extension are encrypted, and CryptoWall 4.0 encrypts the file names in addition to file contents. The ransomware embeds itself into the Windows operating system, specifically the explorer.exe and svchost.exe processes. CryptoWall also aims to destroy any possibility of recovery by disabling features for backup and recovery, such as the Startup Repair function.
Any shadow volume copies, a Windows feature used to repair or recover file backups, are destroyed. CryptoWall then scans the system for mapped drives and encrypts them as well. The private key is generated and sent to the command-and-control server with information about the machine, such as the architecture, IP address, the ransomware’s privilege level, and the version of Windows.
With the payload delivered, CryptoWall then stores three files on the local machine, including a text and HTML version of the ransom note with instructions on paying the ransom and file recovery. The user is instructed to download the “Tor” browser, go to a specific site, and then pay the ransom to recover their files. Experts advise against paying the ransom because there’s no guarantee that the victim will receive the private key. However, many users pay the ransom to get their files back.
How to Recognize a CryptoWall Infection
The CryptoWall encryption process happens quickly, and the initial infection proceeds in the background without any warning signs. After CryptoWall delivers its payload, it displays a ransom note to the user explaining that their files are encrypted and that they must pay a ransom to get their files back.
Aside from the ransom note, there are other signs that a computer is infected with CryptoWall. New versions of CryptoWall encrypt files and file names, so users can no longer see the files. The strategy is to incite victim urgency to increase the likelihood of ransom payment instead of backup recovery.
CryptoWall stores three files to provide instructions to users. Seeing these three files on a system indicates that a machine has CryptoWall ransomware on it:
When users view their Documents folder in Windows, none of the files will have their original name. The file names are replaced with encrypted names, which look like random numbers and letters with random file extensions. The ransom note and encrypted file names are the two primary signs of a CryptoWall ransomware infection.
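The file-name symptom described above can be checked across a whole folder listing. The following Python code is an added example, not Proofpoint's own tooling; the extension allow-list, the thresholds and both sample listings are constructed assumptions.

```python
import math
import os
from collections import Counter

# Assumption: extensions normally expected in a user's Documents folder.
KNOWN_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                    ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip", ".html"}

def shannon_entropy(text):
    """Bits per character; high for strings with few repeated characters."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_random(filename):
    """True for an unknown extension plus a mixed letter/digit, high-entropy stem."""
    stem, ext = os.path.splitext(filename.lower())
    if ext in KNOWN_EXTENSIONS or len(stem) < 6 or not stem.isalnum():
        return False
    mixed = any(ch.isdigit() for ch in stem) and any(ch.isalpha() for ch in stem)
    return mixed and shannon_entropy(stem) >= 2.5

def assess_directory(filenames, min_files=5, min_ratio=0.6):
    """Judge the folder as a whole: one odd file name is not a signal."""
    flagged = [f for f in filenames if looks_random(f)]
    ratio = len(flagged) / len(filenames) if filenames else 0.0
    # Random extensions are mostly unique; benign unknown ones (.bak) repeat.
    exts = {os.path.splitext(f.lower())[1] for f in flagged}
    ext_spread = len(exts) / len(flagged) if flagged else 0.0
    suspicious = (len(flagged) >= min_files and ratio >= min_ratio
                  and ext_spread >= 0.5)
    return {"flagged": len(flagged), "ratio": round(ratio, 2),
            "ext_spread": round(ext_spread, 2), "suspicious": suspicious}

# Constructed listings for illustration; not taken from a real incident.
RENAMED_FOLDER = ["a9x3kq71b.r4t", "27fh1kd9s.x0e", "p0q8z2m4.kb7",
                  "u7e1x9c3w.m2j", "k3j5n8v1.q9z", "z1c4b6n0m.t5y", "notes.txt"]
NORMAL_FOLDER = ["budget2023.xlsx", "holiday.jpg", "report_final.docx",
                 "archive2019.bak", "scan0001.pdf", "todo.txt"]

if __name__ == "__main__":
    for name, listing in (("renamed", RENAMED_FOLDER), ("normal", NORMAL_FOLDER)):
        print(name, assess_directory(listing))
```

The single .bak file in the normal listing is flagged on its own but does not tip the folder verdict, which is why the decision is made on the ratio and extension spread rather than per file.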
What to Do If You Fall Victim to CryptoWall
The biggest decision for users is whether to pay the ransom or not. Experts advise against paying the ransom because the private key may not be provided. Paying the ransom feeds the system by encouraging more attackers to build more ransomware. Sometimes, the ransomware recovery process has bugs that permanently corrupt and lose file data.
Removing CryptoWall from a system is not the difficult part of incident response. A good antivirus application removes CryptoWall from the system but cannot decrypt files. The only way to decrypt files and recover them is to have the private key, which is encrypted and protected from discovery.
Good backups will overcome the issue of decryption, so users can restore their files without having the private key. Ransomware, including CryptoWall, seeks out backup files on the local machine, mapped network drives and removable storage to encrypt them so that users cannot recover. Encrypting backups increases the likelihood of ransom payment and improves success for the malware author.
Most ransomware starts with a malicious phishing email. Typically, users are unaware of phishing tactics and click links without regard to the sender's identity and the potential for malware. Security awareness training helps, but the best cybersecurity against phishing is email filters that block spoofed headers and suspicious messages. Reducing the chance of a phishing email reaching the inbox of a targeted user is the best defense against any ransomware.
Users should be instructed to never click links from suspicious senders, but some hackers send malicious emails to a contact list on a compromised email account. Users should avoid links that automatically download executables, and any executables accidentally downloaded from an email link should be deleted immediately to avoid any harm. Good antivirus software will stop many executables, but it won’t catch zero-day malware and should not be the only anti-malware strategy used to prevent ransomware.
Always keep frequent backups in case of a ransomware attack. Backups should be kept safe from ransomware scans, which means they should not be on a shared drive where anyone can access them. They should be accessible only to people with elevated permissions. Cloud-based storage is beneficial in a ransomware scenario since it’s inaccessible using typical mapped shared drives.
What Damage Can It Do?
The majority of CryptoWall infections are in the U.S., Canada, Netherlands, and Germany. These countries make up almost half of the CryptoWall infections around the world. The average ransom for file decryption is about $500 in Bitcoin. Some infections ask for $1,000 USD in Bitcoin, so costs have recently increased.
For organizations with critical data, becoming the victim of ransomware like CryptoWall is a revenue-impacting event. It halts production and makes it impossible to do business when critical data is no longer available. The only way to recover from a revenue-impacting event like ransomware is by employing backups, which is why having a solid backup and disaster recovery plan is critical for organizations.
How Proofpoint Can Help
Proofpoint offers resources and strategies to help our customers prevent ransomware attacks. Our Ransomware Hub contains solutions, strategies, advice, and information on ransomware and how you can stop it from becoming a revenue-impacting event. We also have a ransomware survival guide to help customers understand the dangers of ransomware and what it can do to your business. Should any user fall victim to ransomware, we also discuss what administrators can do and how to determine whether or not to pay the ransom.