CryptoWall has been updated: a redesigned ransom note, new filenames, and it now encrypts a file’s name along with its data. So they now congratulate the victims!
It still:
- uses RC4 for communication with the Command & Control servers
- creates a victim’s unique identifier from the MD5 hash of the computer name, volume serial number, processor information, and OS version
- injects itself into explorer.exe, disables System Restore, deletes all Shadow Volume Copies, and uses bcdedit to turn off Windows Startup Repair
- then injects itself into svchost.exe and encrypts the data on all local drives, removable drives, and mapped network drives
- once encryption of the files is complete, launches the ransom notes that explain what happened and how to purchase the decrypter
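The recovery-sabotage step above (Shadow Volume Copy deletion plus bcdedit turning off Startup Repair) is one of the most reliable places to detect this family before encryption finishes. The following is an added example, not code from the original post: a small detection pass over constructed Sysmon-style process-creation lines; the exact command lines, log format and rule names are assumptions.

```python
import re

# Constructed sample process-creation events in a simplified Sysmon-like
# layout: "parent_image|image|command_line", one event per line.
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\conhost.exe|conhost.exe 0x4
C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""

# Hypothetical rule names; each regex matches one recovery-sabotage command.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("startup_repair_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failure_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]

def parse_events(text):
    """Split the pipe-delimited sample into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        events.append({"parent": parent, "image": image, "cmdline": cmdline})
    return events

def match_rules(events):
    """Return (rule_name, parent_image, command_line) for every rule hit."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append((name, ev["parent"], ev["cmdline"]))
    return hits

def score_host(hits):
    # One hit is suspicious on its own (admins rarely delete all shadows);
    # two distinct rules firing together is the sabotage sequence the
    # post describes, so it is escalated as ransomware behaviour.
    names = {h[0] for h in hits}
    if len(names) >= 2:
        return "ransomware_recovery_sabotage"
    return "suspicious" if names else "clean"
```

Note that "vssadmin list shadows" is deliberately not flagged, so the benign read-only query in the sample does not raise an alert.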
CryptoWall’s note in its new Help_File: ‘CryptoWall Project is not malicious and is not intended to harm a person and his/her information data.
The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place.’
At the moment CryptoWall seems to be distributed by e-mail only, installing via a .js file inside a resume.zip attachment.
This will again soon escalate to exploit kits being used to drop the new CryptoWall 4.0, and it will without a doubt be included in the next Angler Exploit Kit version.