Security experts at Bitdefender seem to have no doubt, the authors of the last variant of the popular Cryptowall ransomware, Cryptowall 4.0 are Russians. The experts came to this conclusion through evidence collected during their investigations, for example, the servers used for spamming the threat are located in Russia, and the Javascript used as a vector downloads the CriptoWall 4.0 payload from a Russian server.
The malware researchers also confirmed that encryption algorithm used to encrypt the victim’s files is the unbreakable AES 256 and the key is encrypted using RSA 2048.
The Cryptowall 4.0 infections were observed across the world, including in France, Italy, Germany, India, Romania, Spain, US, China, Kenya, South Africa, Kuwait and the Philippines.
As observed for other threats coming from Russia, Russian users seem to not interested by the ransomware because Cryptowall 4.0 doesn’t encrypt the files if it detects that the computer is using the Russian language.
“Cryptowall 4.0 spam servers are located in Russia, according to The Javascript-written malware downloads the CriptoWall component from a Russian server.” states the post published by Bitdefender.
CryptoWall is a profitable instrument in the hands of criminal organizations, the security researchers of the Cyber Threat Alliance have conducted an investigation into the cybercriminal operations leveraging CryptoWall 3.0 ransomware discovering that the criminals behind the dreaded ransomware already made $325 Million.
The victims have two possibilities, pay the ransom hoping to restore the encrypted documents or waiting that AV vendors will integrate the key used to encrypt their documents in their anti-ransomware solution. Unfortunately, this is possible only if security experts seize one of the C&C servers used by crooks and find on these machines the key used to encrypt the victim’s file.
To hamper the diffusion of the Cryptowall 4.0 Bitdefender has developed a software that allows users to immunize their computers and block file encryption process implemented by ransomware, including the Cryptowall 4.0.
Be aware, if the PC is already infected with CryptoWall 4.0, the “vaccine” will not sanitize it.
The tool is not a complete antivirus solution, but it is a supplementary layer of protection that could increase the resilience of the machine to malware based attacks.
(Security Affairs – CryptoWall 4.0, ransomware)