The updated CryptoWall 3.0 ransomware variant in the wild

Wednesday 11 March 2015, 9:48PM
By John Viser


Cybersecurity experts’ anticipations of the notorious CryptoWall ransomware going extinct have vanished as its comeback in mid-January 2015 became obvious. Moreover, this fierce sample of malware is now equipped with extra features relating to the way it manifests itself on the infected computer and the specificity of establishing connection with the command-and-control server. Another significant upgrade has to do with propagation workflow, where the tactic of embedding exploits in the dropper has given in to the direct use of exploit kits, in which case broader privileges can be obtained on the compromised PC.

Due to the sophisticated spreading patterns employed, CryptoWall 3.0 infects a system in a silent fashion – there are no alerts or other apparent indications whatsoever on the infiltration phase. That is a critical characteristic for this type of malware because it needs time advantage to scan the computer in the background. All drives that have a letter assigned to them are scanned for files with the prevalent extensions corresponding to the victim’s personal documents, photos, videos, presentations and the like. The ransomware then encrypts the data with RSA-2048, which is a very strong encryption algorithm. It takes enormous computational power to crack this crypto, so it isn’t really possible for the moment, at least within the time frame provided by this virus.

Once the encryption job is done, CryptoWall 3.0 displays the HELP_DECRYPT file which contains instructions on what the user needs to do for recovering the personal information. The victim is told to pay the ransom in Bitcoins, the sum amounting to approximately $500. The ransom deadline is 7 days, or 168 hours. According to the alerts, the remotely stored private key and the decrypt program will be available within the specified period, and the ransom doubles unless paid on time.

The makers of this ransomware have also adopted some changes in communication channels with the C&C server, using new Web-to-Tor gateways, some examples of which are, and This further enhances the anonymity component of the hackers’ activity.

The biggest challenge with regard to CryptoWall 3.0 is to restore the files it encrypted, whereas uninstalling the virus itself is not much of a problem. The security industry has not come up with an applicable way to decrypt the data so far, but some workarounds do exist. These tips and tricks are provided on researchers-run sites, reflecting long-term analysis of this ransomware and the underground infrastructure behind it.