
Updated CryptoWall 2.0 ransomware released that makes it harder to recover files


68 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,268 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:11 PM

Posted 15 October 2014 - 05:24 PM

A new version of the CryptoWall ransomware has been released, titled CryptoWall 2.0, that includes numerous "enhancements" by the malware developer that resolve issues in the previous version. CryptoWall has been a huge threat for computer users and network administrators since it was released, as it will encrypt all local data and data found on network shares. CryptoWall 2.0 now includes changes that make it better for the malware developer and harder for a victim to recover their files for free. These changes include unique wallet IDs to send ransom payments, secure deletion of original unencrypted files, and the use of their own TOR gateway. These changes are further discussed below.





A change that will benefit victims who wish to pay the ransom is the addition of unique bitcoin payment addresses for each victim. The original version of CryptoWall did not create a unique bitcoin payment address for each victim. This made it possible for people to steal other victims' payment transactions and apply them towards their own ransom. With unique payment addresses for all victims, this is no longer possible.

Another change is that CryptoWall will now securely delete your original data files. Originally, CryptoWall would encrypt your data files and then just delete the original. It would then be possible to use data recovery tools to try and recover your data. Now that CryptoWall is securely deleting your data, this method will no longer work and you will need to restore from backups or pay the ransom.

The last change is that CryptoWall 2.0 now uses its own TOR gateways. CryptoWall's ransom payment servers are located on TOR, which allows the malware developers to stay hidden from the authorities. In order to connect to the server you would need access to the TOR network and for most people installing TOR was a confusing and difficult process. To solve this, CryptoWall used a Web-to-TOR gateway that would allow victims to easily access the payment server. When the Web-to-TOR gateway providers discovered that CryptoWall was using their gateways they started to blacklist their payment servers so that they could not be reached. Now that CryptoWall 2.0 uses its own TOR gateway servers they do not have to worry about being blacklisted. The current Web-to-TOR gateways operated by the CryptoWall developers are tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com.

We are still analyzing this latest version and as more information becomes available we will be sure to report it. In the meantime we have updated our CryptoWall guide to include all of the new information regarding this variant.
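An added example, not part of Grinler's post or of BleepingComputer's guide, that turns the four Web-to-TOR gateway domains listed above into a check a network admin can run over DNS resolver logs to find which workstation is talking to the payment server. The domains are the ones named in the post; the log line format, the client IPs and the sample lines are constructed for this example.

```python
"""Flag DNS queries for the CryptoWall 2.0 Web-to-TOR gateway domains.

Added example (not code from the post). The four gateway domains are the
ones named in the post above; the "<timestamp> <client-ip> query <qname>"
log format and the sample lines below are constructed and do not come
from any real resolver.
"""
import re

# Gateway domains named in the post as operated by the CryptoWall developers.
GATEWAY_DOMAINS = {"tor4pay.com", "pay2tor.com", "tor2pay.com", "pay4tor.com"}

# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def is_gateway_query(qname: str) -> bool:
    """True if qname is a gateway domain or any subdomain of one.

    Comparing whole label suffixes catches the per-victim hostnames
    (paytordmbdekmizq.tor4pay.com) as well as the bare domain, while a
    look-alike such as nottor4pay.com does not match because "nottor4pay"
    is a different label.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in GATEWAY_DOMAINS:
            return True
    return False


def find_gateway_queries(log_lines):
    """Return (client_ip, qname) for every parsable line hitting a gateway."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # lines not in the constructed format are skipped
        _ts, client, qname = m.groups()
        if is_gateway_query(qname):
            hits.append((client, qname))
    return hits


def suspect_clients(log_lines):
    """Sorted list of internal hosts that queried a gateway domain."""
    return sorted({client for client, _ in find_gateway_queries(log_lines)})


# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = [
    "2014-10-16T09:02:11Z 10.0.0.23 query paytordmbdekmizq.tor4pay.com",
    "2014-10-16T09:02:12Z 10.0.0.23 query paytordmbdekmizq.pay2tor.com",
    "2014-10-16T09:02:40Z 10.0.0.41 query www.bleepingcomputer.com",
    "2014-10-16T09:03:05Z 10.0.0.41 query nottor4pay.com",
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for client, qname in find_gateway_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}")
    print("hosts to pull from the network:", suspect_clients(SAMPLE_LOG))
```

The match is done on whole DNS labels rather than a substring search, so the victim-specific hostnames under the gateway domains are caught while unrelated names that merely contain "tor4pay" are not. The client IPs that come back are the workstations to isolate first.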



#2 Allen

Allen

  • Members
  • 337 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:11 PM

Posted 15 October 2014 - 07:12 PM

Wow.


Hey everyone, I'm Allen. I am a young web developer/designer/programmer. I also help people with computer issues, including hardware problems, malware/virus infections and software conflicts. I am a kind and easy-to-get-along-with person, so if you need help feel free to ask.

#3 Ratedgore

Ratedgore

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New-Brunswick, Canada
  • Local time:07:11 PM

Posted 16 October 2014 - 06:58 AM

This is a very serious problem ... a fear for all network admins including me ...



#4 willrun4fun

willrun4fun

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 16 October 2014 - 09:11 AM

crap.  I hate these guys.

 

I need to get that cisco ASA in sooner rather than later.



#5 dare.16

dare.16

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 16 October 2014 - 11:17 AM

...


Edited by dare.16, 17 October 2014 - 10:16 AM.


#6 shadman19

shadman19

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 16 October 2014 - 11:48 AM

Well that's just great as my laptop is infected with this.

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)


What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.


How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.


What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.


For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. https://paytordmbdekmizq.tor4pay.com/gLsmm
2. https://paytordmbdekmizq.pay2tor.com/gLsmm
3. https://paytordmbdekmizq.tor2pay.com/gLsmm
4. https://paytordmbdekmizq.pay4tor.com/gLsmm

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: paytordmbdekmizq.onion/gLsmm
4. Follow the instructions on the site.


IMPORTANT INFORMATION:
Your personal page: https://paytordmbdekmizq.tor4pay.com/gLsmm
Your personal page (using TOR): paytordmbdekmizq.onion/gLsmm
Your personal identification number (if you open the site (or TOR 's) directly): gLsmm



#7 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,015 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:11 PM

Posted 16 October 2014 - 02:29 PM

I can ask a question unrelated to this topic?

Please create your own topic in the relevant forum if you want to ask a question unrelated to this topic.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#8 Netflyer165

Netflyer165

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:07:11 PM

Posted 16 October 2014 - 10:09 PM

This happened on my 2003 server on Tuesday of this week. My server was accessed by a workstation that had/has the virus on it (which one is yet to be determined - have 50 and many remote). The issue is that my server exists as a mapped drive on the workstations WITH a drive letter. Reading the most current FAQs here, they mention that it cannot go into mapped directories that do NOT have a drive letter... Live and learn... don't make the same mistake!

I'm not sure what the proper mapping would be without a drive letter, but I'm sure someone here could help us all out, so if I currently have a mapped drive letter on my server as M:\NetflyersFolders, the very bad program will go from my workstation into that M folder and encrypt all those files.

So what is the better way to map \NetflyersFolders on the server \\NetsHost\NetflyersFolders ?

Hmm, of course now I can't find it here... perhaps mapped directories are doomed no matter what... :/ 


Edited by Netflyer165, 16 October 2014 - 10:33 PM.


#9 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:11 PM

Posted 17 October 2014 - 11:33 AM

Unfortunately there is no better way.

The best method is to give each user their own network share that only they have access to. Then create a public share that is only used for files that more than one person needs access to. This severely limits who has write access to network files and limits exposure to these types of malware. Setup this way, in a worst case scenario, a user would only encrypt their own files and the limited shared files in the shared folder.

#10 crackberries

crackberries

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tennessee
  • Local time:07:11 PM

Posted 17 October 2014 - 11:44 AM

The policy we are implementing at all of our locations is to enable UAC, and remove them as a local admin. This does increase the phone calls to the help desk for admins.... but it's not a phone call for "I have a cryptovault and it hit the server"



#11 CoreyFlies

CoreyFlies

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 17 October 2014 - 04:37 PM

The policy we are implementing at all of our locations is to enable UAC, and remove them as a local admin. This does increase the phone calls to the help desk for admins.... but it's not a phone call for "I have a cryptovault and it hit the server"

 

Always a good idea, but doesn't help against the Crypto* family. They run as a standard user -- don't need admin rights to get infected or for the encryption to happen. It starts with the local C: drive, then goes through all *mapped* network drives, encrypting everything the user has Modify access to.
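An added example, not code from any poster in this thread, that puts Grinler's per-user-share advice and CoreyFlies's point together: the infection runs as an ordinary user, so what it can encrypt is exactly what that user holds Modify (or Full) access to, admin rights or not. The script models two layouts of the same four files on a server and computes how much of the server a single compromised account could overwrite. The server name, users, groups, file names and ACL entries are all constructed; the permission levels are a simplified stand-in for Windows share and NTFS permissions.

```python
"""Blast radius of a standard-user infection under two file-share layouts.

Added example (not code from the thread). Layout 1 is one share mapped as
M:\ on every workstation that all staff can modify; layout 2 is a private
share per user plus a small public share, as suggested above. A process
running as an ordinary user can overwrite any file it holds Modify or
Full access to, so those files are what we count as exposed.
Server name, users, groups, files and ACLs are all constructed.
"""
from dataclasses import dataclass, field

READ, MODIFY, FULL = "Read", "Modify", "Full"
LEVEL_ORDER = [READ, MODIFY, FULL]
WRITE_LEVELS = {MODIFY, FULL}   # enough to replace a file's contents in place


@dataclass
class Share:
    name: str
    acl: dict       # principal (user or group name) -> permission level
    files: list     # relative paths inside the share (constructed)


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

    def principals(self):
        """Every name an ACL entry could match this user under."""
        return {self.name} | self.groups | {"Everyone"}


def effective_level(user, share):
    """Highest level any of the user's principals holds on the share, or None."""
    levels = [share.acl[p] for p in user.principals() if p in share.acl]
    return max(levels, key=LEVEL_ORDER.index) if levels else None


def writable_files(user, shares, host="NetsHost"):
    """UNC paths a process running as `user` could encrypt in place."""
    exposed = []
    for share in shares:
        if effective_level(user, share) in WRITE_LEVELS:
            exposed.extend(f"\\\\{host}\\{share.name}\\{rel}" for rel in share.files)
    return exposed


def blast_radius(user, shares):
    """Fraction of all files on the server that `user` could encrypt."""
    total = sum(len(s.files) for s in shares)
    return len(writable_files(user, shares)) / total if total else 0.0


# --- constructed data -------------------------------------------------------
STAFF = {"Staff"}
ALICE, BOB, CAROL = User("alice", STAFF), User("bob", STAFF), User("carol", STAFF)
DAVE = User("dave", {"Auditors"})   # read-only reviewer, holds Modify nowhere

# Layout 1: one share, mapped as M:\ everywhere, Staff has Modify on all of it.
FLAT_LAYOUT = [
    Share("Folders", {"Staff": MODIFY},
          ["alice\\report.docx", "bob\\budget.xlsx",
           "carol\\photos.zip", "shared\\handbook.pdf"]),
]

# Layout 2: a private share per user plus one small public share.
SEGMENTED_LAYOUT = [
    Share("alice$", {"alice": MODIFY}, ["report.docx"]),
    Share("bob$",   {"bob": MODIFY},   ["budget.xlsx"]),
    Share("carol$", {"carol": MODIFY}, ["photos.zip"]),
    Share("Public", {"Staff": MODIFY, "Auditors": READ}, ["handbook.pdf"]),
]

if __name__ == "__main__":
    for label, layout in (("flat", FLAT_LAYOUT), ("segmented", SEGMENTED_LAYOUT)):
        for user in (ALICE, DAVE):
            print(f"{label:9} {user.name:5} could encrypt "
                  f"{blast_radius(user, layout):.0%}: {writable_files(user, layout)}")
```

With the flat layout a single infected workstation logged in as alice can reach every file on the server; with per-user shares the same account reaches only its own share and the public one, and a read-only account reaches nothing. The same model can be pointed at a real ACL export by replacing the constructed `Share` entries.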



#12 titan1

titan1

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Bengal,India
  • Local time:04:41 AM

Posted 18 October 2014 - 01:23 AM

I have a question on this topic (maybe it is a silly question, but I am not a geek, so please excuse my foolishness). I always buy genuine game CDs. So if such ransomware attacks my computer and starts encrypting the files, will it also encrypt the game CD while it is inserted in the computer for playing?

#13 zuluboy

zuluboy

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 18 October 2014 - 08:22 AM

DVDs and CDs that commercial software comes on are write protected. They can't be encrypted.

#14 titan1

titan1

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Bengal,India
  • Local time:04:41 AM

Posted 18 October 2014 - 10:43 AM

Thanks.

#15 casey145

casey145

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 19 October 2014 - 02:11 PM

dammmmmmmmmmmmmmm

Just got hit with this on one of my machines... (home user) with multiple machines.

This machine I am on is clean...

But my most important one with all my photos (semi-pro photographer) is infected.

 

Any news yet on how to get around it? Existing solutions do not work, as the individual files do not show as encrypted, but when I go to open anything I am locked out of it, in the sense that the program says it cannot open it or it is a corrupted file.

 

help... if poss!!!


Edited by casey145, 19 October 2014 - 02:12 PM.




