Crowti update – CryptoWall 3.0

After almost two months of hiatus over the holidays, a new campaign of Crowti tagged as 'CryptoWall 3.0' has been observed. It uses a similar distribution channel as before, having been downloaded by other malware and serving as a payload through exploits.

The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware:

Figure 1. Sudden spike from CryptoWall 3.0 activity this month.

Figure 1.  Sudden spike from CryptoWall 3.0 activity this month.

It still follows the same behavior as previous variants, with minimal modifications such as changes in ransom notification file names: 

  • HELP_DECRYPT.HTML
  • HELP_DECRYPT.PNG
  • HELP_DECRYPT.TXT
  • HELP_DECRYPT.URL

The files are still customized for each infected user with a personal link to decryption instructions page that are still done over Tor network. Tor (anonymity network) is a free software which enables online anonymity for users who attempt to resist censorship.

Figure 2.  HELP_DECRYPT.PNG displays after the files have been encrypted in the system indication information about the malware attack.

Figure 2.  HELP_DECRYPT.PNG displays after the files have been encrypted in the system indication information about the malware attack.

Figure 3. HELP_DECRYPT.TXT details the instructions to go to the decryption page that is customized for each infected user.

Figure 3. HELP_DECRYPT.TXT details the instructions to go to the decryption page that is customized for each infected user.

Figure 4.  HELP_DECRYPT.HTML details the instructions to go to the decryption page that is customized for each infected user.

Figure 4.  HELP_DECRYPT.HTML details the instructions to go to the decryption page that is customized for each infected user.

Figure 5.  Decryption service or payment page that requests 500 USD/EURO for the first 167 hours or the ransom demand, which increases over time.

Figure 5.  Decryption service or payment page that requests 500 USD/EURO for the first 167 hours or the ransom demand, which increases over time.

As far as coverage goes, Microsoft detects this threat and encourages everyone to always have Microsoft security software up to date, and enable Microsoft Active Protection Service Community (MAPS).

Customers using MAPS can take advantage of Microsoft's cloud protection and are protected with the latest threat variants. MAPS is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1.

You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.  This is also referenced in our previous blog on Crowti, 'The dangers of opening suspicious emails: Crowti ransomware', which discusses other steps that users can take to protect their PC.

MAPS window

Marianne Mallen

MMPC


Microsoft Malware Protection Center
Secure Hunter Anti -Malware