Media alert: Palo Alto Networks discovers new version of CryptoWall ransomware


CryptoWall version 4 appears days after publication of the Cyber Threat Alliance report

Amsterdam, 6 November 2015 – Palo Alto Networks has discovered a new version of the CryptoWall ransomware, after the developers behind this malware modified CryptoWall's underlying code. Notably, this new version appeared only days after the Cyber Threat Alliance published a report on the evolution and global impact of the aggressive CryptoWall ransomware.

Ransomware is malware that encrypts a victim's data so that a cybercriminal can demand a "ransom" for it. If the victim pays, usually in a crypto-currency such as bitcoin, the criminal supplies a key with which the victim can regain access to the data. If the victim does not pay and has no backup, the data may be lost for good. CryptoWall ransomware is responsible for millions of dollars in damage worldwide. The ransomware threat has been active for several years and shows no sign of stopping.

This new version contains several updates, such as a streamlined network communication channel, a modified ransom message to victims, and encryption of file names. As a result it is not only harder for victims to determine which files have been encrypted; the changes also probably bypass a number of security products currently deployed against CryptoWall.

More information can be found in the Palo Alto Networks blog post below.

For more information, please contact:

Text100 Global Communications

Cherilyn Mets
T. 020 530 4346
E. cherilyn.mets

Ruud van Lieshout
T. 020 530 4344
E. ruud.vanlieshout



CryptoWall v4 Emerges Days After Cyber Threat Alliance Report

Less than a week after the publication of a thorough report by the Cyber Threat Alliance on the CryptoWall version 3 malware family, it appears that the actors behind the malware have updated the underlying code.

Beginning on October 30, 2015, Palo Alto Networks began seeing instances of this new version of CryptoWall, which some researchers have begun calling version 4. This new version of CryptoWall includes multiple updates, such as a more streamlined network communication channel, a modified ransom message, and the encryption of filenames. These changes not only make it more difficult for the victim to identify which files have been encrypted, but may also thwart security protections currently in place for the CryptoWall threat.

CryptoWall is a type of malware known as ransomware, which encrypts a victim’s files and subsequently demands payment in exchange for the decryption key. The ransom payment is typically collected using a form of crypto-currency, such as Bitcoin. Ransomware has been responsible for many millions of dollars in damages, and CryptoWall is one of the most lucrative ransomware families in use today.

CryptoWall Infections

To date, Palo Alto Networks has identified 10 unique instances of CryptoWall version 4. In total, 57 attempted infections have been witnessed.

Figure 1 CryptoWall v4 attempted infections

The samples have reportedly originated from phishing emails; however, this has yet to be confirmed. The following two URLs have been witnessed delivering this new version of CryptoWall:

· http://46.30.43[.]183/syria.exe

· http://46.30.45[.]110/analitics.exe

Both of the above IP addresses are located in Moscow, Russia, and are hosted by Eurobyte VPS hosting provider.

CryptoWall Modifications

The CryptoWall authors have made multiple modifications to the malware in this version. Fortunately, the majority of the code base has remained consistent with version 3. As such, reverse engineers may use structures and decryption scripts that worked on previous samples. One of the more noticeable changes in the newest revision of CryptoWall is the updated ransom notification. As we can see below, it appears that the actors behind this threat have gotten a bit snarky with their verbiage.

Figure 2 New CryptoWall ransom message (HTML)

Readers might also notice a change in the color scheme, as the actors are now using a red, yellow, and grey combination. Previously, this color scheme used blue, green, and grey. It doesn’t appear as though this change has made its way to the PNG file provided to victims, which still has the same appearance as the previous CryptoWall version. Additionally, version information was removed from these messages, as previous notices specifically called the malware ‘CryptoWall 3.0’. This revision simply calls it ‘CryptoWall’.

Figure 3 New CryptoWall ransom message (PNG)

Another noticeable change is the fact that the malware will now encrypt not only the contents of targeted files, but the names of these files as well, as we can see in the screenshot below.

Figure 4 CryptoWall v4 encryption of filenames

Encryption of the filenames makes it much more difficult for victims to identify what files exactly were encrypted.

On the network communications side, the CryptoWall authors have streamlined the process a bit to minimize the number of HTTP requests made. Network encryption appears to remain consistent with previous versions: RC4, with the key supplied in the GET request (note that the characters of that key string are sorted before it is used as the RC4 key for decryption). However, the outbound requests to the following URLs are no longer present:




Additionally, the PNG file hosted by the C2 server is no longer provided in a separate response. Instead, it is included when the C2 server provides the RSA public key.

These changes limit the network-based exposure of the malware, making it more difficult for network-based security solutions to detect it.
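The RC4-with-sorted-key scheme described above, worked through as an added example (this is not Palo Alto Networks' code and not the malware's own): only the RC4 algorithm and the "sort the key string before use" step come from the text. The request layout (key in a query parameter, hex-encoded ciphertext in the body), the key string `k3Qz91aM` and the beacon plaintext are constructed for illustration and are not the real CryptoWall message format.

```python
"""Decrypt CryptoWall-style C2 traffic: RC4 with the request key sorted first.

Added example. The RC4 algorithm and the "sort the key before use" step are
from the text; the request layout, key string and message body below are
constructed for illustration, not captured traffic.
"""
import binascii
from typing import Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def sorted_key(key_param: str) -> bytes:
    """The key as it appears in the GET request is not used directly: its
    characters are sorted (byte order) and the sorted string is the RC4 key."""
    return "".join(sorted(key_param)).encode("ascii")


def build_request(key_param: str, plaintext: bytes) -> Tuple[str, str]:
    """Client side (constructed layout): returns (key_param, hex_body)."""
    return key_param, rc4(sorted_key(key_param), plaintext).hex()


def decrypt_request(key_param: str, hex_body: str) -> bytes:
    """Analyst side: recover the plaintext from a request using the sorted key."""
    return rc4(sorted_key(key_param), binascii.unhexlify(hex_body))


if __name__ == "__main__":
    key_param = "k3Qz91aM"                              # constructed key string
    beacon = b"1|campaign-ID|MACHINE-0001|0|1|"         # constructed; not the real beacon format
    key_param, body = build_request(key_param, beacon)
    print("sorted key :", sorted_key(key_param))        # b'139MQakz'
    print("decrypted  :", decrypt_request(key_param, body))
    # Forgetting the sort step yields garbage, which is the usual mistake
    # when replaying old decryption scripts against a new sample.
    print("unsorted   :", rc4(key_param.encode(), bytes.fromhex(body)))
```

The practical check when reusing a version 3 decryption script on a version 4 capture is the last line: if the output is garbage, confirm the key string was sorted before it was handed to RC4 rather than assuming the cipher itself changed.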


As of this writing, it appears that this new version of CryptoWall is still in early use by attackers. Palo Alto Networks has witnessed 10 unique samples being used to conduct 57 attempted infections. The malware itself includes multiple modifications, including how files are encrypted as well as how network communications occur. Additionally, the content as well as the look and feel of the ransom notification have changed and appear to still be in development based on the discrepancies between the HTML files and PNG files shown to victims.

CryptoWall has been responsible for many millions of dollars in damages worldwide. The threat of ransomware has remained active for a number of years now, and shows no signs of stopping in the future. Individuals should remain vigilant about ensuring that suspicious emails are not opened and skeptical about navigating to unknown websites that are not trusted.

Palo Alto Networks WildFire customers are protected against this threat. Additionally, the latest version of CryptoWall is identified via the ‘CryptoWall’ tag in AutoFocus.