After a brief hiatus malware developers release CryptoWall 3.0

After a brief hiatus of CryptoWall infections during the holidays, yesterday the malware developers released CryptoWall 3.0. There only changes in this version compared to the previous one are ransom note filename changes, new TOR gateways, and an extended deadline to make the payment. Other than that, CryptoWall 3.0 is the same piece of garbage we have come to hate in CryptoWall 2.0.

The first change is a longer deadline time that a payment must be made before the ransom amount increases. Originally the ransom deadline was 5 days after the time of the infection. Now they have increased the deadline to a full week.

Another change is additional TOR gateways that are used to access the CryptoWall decryption site. These TOR gateways are torforall.com, torman2.com, torwoman.com, and torroadsters.com. Using these gateways an infected user is able to access the CryptoWall decryption site without installing the TOR browser software.
 

Last, but not least, the ransom note filenames have changed and now extra PNG file is displayed along with the ransom notes when you login to Windows. The names of the CryptoWall 3.0 ransom notes are now HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT, and HELP_DECRYPT.URL. Each ransom noted is described below.

HELP_DECRYPT.HTML: This HTML file will be shown every time you login to Windows and displays information on what CryptoWall 3.0 is and how to access the ransom site.
 

HELP_DECRYPT.PNG: This image file is displayed when you login to Windows and contains more information about CryptoWall 3.0 and how to access the ransom site.

HELP_DECRYPT.TXT: This text file will be shown every time you login to Windows and contains the same information as the other files.

HELP_DECRYPT.URL: This file will automatically load your default browser and display the CryptoWall 3.0 Decrypt Service when you login to Windows. The decryption site looks similar to the image below.

The CryptoWall Information Guide has already been updated with this information and ListCwall is still able to export the list of encrypted files. You can also discuss this topic further in our CryptoWall Support Topic.

Update 1/14/15: Kafeine has posted a story detailing how Cryptowall 3.0 also communicates over the anomymous network service I2P.

Thanks for the update Lawrence.

Edited by GT500, 14 January 2015 - 04:54 AM.

New Cryptowall version, yet they still can't type/write in English properly. Thank you for the update Grinler!

Maybe the virus writer is trying to throw the authorities off by intentionally speaking incorrect language. I still hate seeing new versions of these Ransomware does appear to be getting more and more popular since the success of cryptolocker. I had read somewhere that cryptowall writers may have earned close to 1 million $US. I wonder why there hasn't been a crack down on cryptowall yet by the authorities, maybe it is harder to trace with Tor and only Bitcoins.

 

Edit link here: http://www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html

Edited by zingo156, 14 January 2015 - 09:38 AM.

Update: Kafeine has found that CryptoWall 3.0 also communicates over the anomymous network service I2P.

http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html

Are there any available examples of the links, fake "video player updates", etc. that cause the trojan to be installed?

If you know that you cracked 2.0 highly good chances of smashing 3.0's ransomware

Edited by RobertHD, 16 January 2015 - 01:07 AM.

So I understand that there is nothing to be done with files infected by criptowal 3.0, just  wait for a new program to decrypt?

Hello , i was infected last night with the cryptowall 3.0 .What is your advice? What should i do now ?

At this point there is unfortunately nothing that can be done at this time.

I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0.   I've been able to view some of the pictures so I know it's working.   What a pain   .

I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0.   I've been able to view some of the pictures so I know it's working.   What a pain   .

would this be wondershare photorec?

if it is then is not working for me as i have tried it after you posted this but my pictures are still corrupt...the files are on a different HDD since i had to reinstall windows due to the severe infection.... please let me know if thats the one..

 

Thx.

 

I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0.   I've been able to view some of the pictures so I know it's working.   What a pain   .

would this be wondershare photorec?

 

 

 

No, PhotoRec can be found here:

http://www.cgsecurity.org/wiki/PhotoRec

 

I've used this software in the past to recover files. Good luck  .  

 

 

I'm using PhotoRec (on another PC) right now to recover files from a computer that was delivered to me today which was hit with CryptoWall 3.0.   I've been able to view some of the pictures so I know it's working.   What a pain   .

would this be wondershare photorec?

 

 

 

No, PhotoRec can be found here:

http://www.cgsecurity.org/wiki/PhotoRec

 

I've used this software in the past to recover files. Good luck  .  

 

i will give it a go... thanks brother.

You're welcome  .