Never Pay the Ransomer

CryptoWall has struck again—only this time it’s nastier than before. With a redesigned ransom note and new encryption capabilities, BleepingComputer.com’s description of the “new and improved” CryptoWall 4.0 sounds more like a marketing brochure for a well-loved software product than a ransom demand.

Like the iterations of CryptoWall that came before the 4.0 version, the only way to get your files back is to pay the ransom in exchange for the encryption key or wipe the computer clean and restore the files from an endpoint backup archive. The FBI agrees, stating “If your computer is infected with certain forms of ransomware, and you haven’t backed up that machine, just pay up.”

In addition to encrypting the data on an infected machine and demanding a ransom for the decryption key, CryptoWall 4.0 now encrypts the filenames on an infected machine too, leaving alphanumeric strings where file names once were.

The most significant change in CryptoWall 4.0 is that it now also encrypts the filenames of the encrypted files. Each file will have its name changed to a unique encrypted name like 27p9k967z.x1nep or 9242on6c.6la9. The filenames are probably encrypted to make it more difficult to know what files need to be recovered and to make it more frustrating for the victim.

Not unlike Bill Miner, infamously known as the Gentleman Robber, CryptoWall 4.0 makes a farcical attempt at politeness. CryptoWall 4.0’s ransom note reassures its victims that the infection of their computer is not done to cause harm and even congratulates its victims on becoming part of the CryptoWall community, as if it were some sort of honor.

CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place.

Ransomware is a lucrative business. It is estimated that the CryptoWall virus alone cost its victims more than $18 million dollars in losses and ransom fees from April of 2014 to June of 2015. In the spirit that being robbed doesn’t have to be a bad experience, CryptoWall 4.0 makes a bad attempt at customer service, claiming “we are ready to help you always.” Additionally,

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions. From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

In closing, the ransom note states,

…that the worst has already happened and now the further life of your files depends directly on your determination and speed of your actions.

Whether hackers use CryptoLocker, CryptoWall, CTB-Locker, TorrentLocker or one of the many variants, the outcome is the same. Users have no choice but to pay the ransom—unless they have endpoint backup in place. Even with the best tech resources, decrypting the algorithm used to lock files without the key would require several lifetimes. Whereas, with automatic, continuous backup, end users will NEVER pay the ransomer because a copy of their data is always preserved.

Rachel Holdgrafer, Content Business Strategist, Code42

[Cloud Security Alliance Blog]