Cryptowall malware has been a major threat since it was first released on the unsuspecting world in September 2014. It did not take long for the malware to evolve, with a second version seen within a matter of weeks. A third incarnation was released at the start of the year. Now the game plan has changed again with the fourth version of Cryptowall malware now identified in the wild. The developers of the ransomware are keen to keep IT security experts and security software developers on their toes. They also want to continue to rake in millions of dollars in ransoms. The new version guarantees they will.

web protection

Cryptowall Malware is Now Harder to Spot, Easier to Obtain, and is a Whole Lot Nastier

As if it was not hard enough to prevent a Cryptowall malware infection, the developers of the ransomware have made it nastier and easier to infect computers. It is now capable of being installed by drive-by download.

The malware has also been packaged up with the Pony Trojan. Pony is nothing new, although that doesn’t make it any less dangerous. Pony is a password stealer that has been redeveloped and updated over the years. It has been predominantly spread via email spam in the past, and has most commonly been seen as an attached executable, or sent in compressed form in a .cab, .rar, or .zip file.

However, more recently it has been sent disguised as a document. Usually as a Word document but most commonly as a PDF file. The file is not a document of course. It is an executable with the extension masked. When double clicked, the Pony will be set loose.

Recently, the Pony Trojan has been sent via a link in spam email. Clicking the link will not take the user to a website as expected, instead it will attempt to download the malware. The file will be masked as a different type of file, even though it is an executable. The user is more likely to download a .SCR (screensaver) file with an adobe reader icon as it looks fairly innocuous. Regardless of how it is installed, it’s actions are the same. It will steal usernames, passwords, FTP and SSH credentials, and also Bitcoin, Litecoin, Primecoin, and Feathercoin.

Once credentials have been stolen, the user will be directed to a malicious website where they will be subjected to the Angler Exploit Kit – the most widely used exploit kit and attack tool. Angler takes advantage of security vulnerabilities in users’ browser plugins via drive-by attacks. Those attacks will unleash the final payload: The latest version of Cryptowall malware.

Cryptowall Malware Leaves Victims Little Choice but to Pay the Ransom

The latest incarnation of the ransomware locks files with powerful encryption but also encrypts filenames. Unfortunately, with the latest version your files will be encrypted but you won’t know what files they are. The latest version uses different obfuscation methods to make it even harder to detect and it has much improved communication capabilities.

Victims are not so much told they have to pay a ransom, but are instead politely urged to pay for security software to protect against Cryptowall malware. The attackers say please more than once when suggesting payment be made to unlock files.

Unfortunately, you will have to pay the $700 security software charge to unlock your files if you have not performed a recent backup of your data. Otherwise your files will be lost forever.

To protect against the malware, make sure backups are regularly performed and ensure that all browsers, plugins and security software are kept bang up to date.