Cryptowall – the extended version of Cryptolocker

Cryptolocker has been known to us for quite some time now. After the successful breakdown of its distribution infrastructure, Cryptolocker is on its way to becoming yesterday’s ransomware. Although this news comes as some relief, the rise of alternative ransomware remains a concern. The latest addition to this notorious list of ransomware is Cryptowall.

As per the initial examination, Cryptowall encrypts hard drives until the user pays a ransom within a defined time period. Missing the deadline doubles the ransom amount, and the attackers threaten to destroy the encryption key if the ransom is not paid.

Cryptowall is rightly called the extended version of Cryptolocker, as it has enhanced capabilities compared with Cryptolocker. Unlike Cryptolocker, which encrypts .doc files, Cryptowall encrypts a wider range of files, with probable extensions including *.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc. In addition, the attackers releasing this threat ensure that it executes on all Windows versions (Windows XP, Windows Vista, Windows 7, and Windows 8).

Technical Mechanism

Cryptowall ransomware spreads in various ways by exploiting vulnerabilities in victims’ systems. It might also infiltrate users’ operating systems via infected email messages and fake downloads. The best-known exploit kit being used to spread Cryptowall is the RIG exploit kit, which has been known since April and May. This exploit kit mostly uses malvertising as its primary means of infecting victims, with most of its exploits related to Flash, Microsoft Silverlight and the Java platform, all of which are browser related. The landing pages of this exploit kit share a similar URI structure: a constant alphanumeric string, a vertical bar and then a variable followed by an alphanumeric string. An example URI is: content/themes/Jungle/proxy.phpreq=xml&num=5795&PHPSSESID=njrMNruDMh7GA5zBJPPcTKVDKU7WGFn YmMzMhe6JVg|Mzg4ZDllMzc5N2NiZWRkNDBmYWZhZDNhMzE5YTc5Yzk

Prospective victims are served one of several exploits, each identified by the “req” query string. The request query to fetch one of these exploits has the format

→ req=jar|req=xml (for a Java-based exploit)

→ req=xap (for a Silverlight-based exploit)

→ req=swf (for a Flash-based exploit)
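
A detection sketch for the request pattern described above, added here as an example and not taken from Cyberoam's signatures: it flags proxy-log URLs whose req value is one of the listed types and that also carry the pipe-delimited token. The log layout (client, method, URL), the `?` query delimiter, the 16-character minimum token length and the example.test hosts are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# "req" values listed in the article, mapped to the exploit type they request.
REQ_FAMILY = {"jar": "java", "xml": "java", "xap": "silverlight", "swf": "flash"}
# Token shape from the article: alphanumeric string, "|", alphanumeric string.
# The 16-character minimum is an assumption to avoid matching short values.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,}\|[A-Za-z0-9]{16,}")

def classify(url):
    """Return the exploit type a URL requests, or None if it does not match."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    family = REQ_FAMILY.get(params.get("req", "").lower())
    if family is None:
        return None
    # "req=xml" alone is common in benign traffic; also require the token.
    if not any(TOKEN_RE.fullmatch(v) for v in params.values()):
        return None
    return family

def scan(log_lines):
    """Return (client, host, type) per hit; assumed layout: client method url."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines instead of raising
        family = classify(fields[2])
        if family:
            hits.append((fields[0], urlsplit(fields[2]).hostname, family))
    return hits

# Constructed sample proxy log (hosts, clients and tokens are made up).
TOKEN = "Abcd1234Efgh5678Ijkl9012|Mnop3456Qrst7890Uvwx1234"
SAMPLE_LOG = [
    "10.0.0.21 GET http://ads.example.test/t/proxy.php?req=swf&num=1001&PHPSSESID=" + TOKEN,
    "10.0.0.21 GET http://ads.example.test/t/proxy.php?req=jar&num=1002&PHPSSESID=" + TOKEN,
    "10.0.0.35 GET http://shop.example.test/feed?req=xml&id=7",
    "10.0.0.40 GET http://news.example.test/index.html",
    "malformed-line",
]

if __name__ == "__main__":
    for client, host, family in scan(SAMPLE_LOG):
        print(f"ALERT {client} -> {host}: landing-page request pattern ({family})")
```

Requiring both conditions matters because a bare `req=xml` parameter appears in ordinary traffic, as the third sample line shows.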

Upon successful exploitation, the Cryptowall payload is downloaded and encrypts the files on the victim’s system. Like other forms of ransomware, Cryptowall encrypts local files and demands a ransom for the key, stored on the attackers’ servers, that unlocks the files. Based on the requests made to deliver the Cryptowall exploitation to victims’ machines, it seems to have its origin in CryptoDefense, also known as Win32.Crowti.A, which was discovered in 2013.




Cyberoam users are secure!

Cyberoam customers who have subscribed to Cyberoam’s Intrusion Prevention System (IPS) and anti-virus subscriptions will be protected against this malware. Cyberoam users are recommended to enable the Anti-virus feature along with the IPS services. Cyberoam Threat Research Labs has released IPS Upgrade 3.11.69 & 5.11.69 to identify Cryptowall’s runtime connection. The Cyberoam Intrusion Prevention System shields the network from various malicious runtime connections by matching the network traffic against the signatures in the IPS Signature Database. These signatures are developed to significantly increase detection performance and reduce false alarms.


