A change that will benefit victims who wish to pay the ransom is the addition of unique bitcoin payment addresses for each victim. The original version of CryptoWall did not create a unique bitcoin payment address for each victim. This made it possible for people to steal other victims' payment transactions and apply them towards their own ransom. With unique payment addresses for all victims, this is no longer possible.
Another change is that CryptoWall will now securely delete your original data files. Originally, CryptoWall would encrypt your data files and then just delete the originals. It was then possible to use data recovery tools to try to recover your data. Now that CryptoWall is securely deleting your data, this method will no longer work and you will need to restore from backups or pay the ransom.
The last change is that CryptoWall 2.0 now uses its own TOR gateways. CryptoWall's ransom payment servers are located on TOR, which allows the malware developers to stay hidden from the authorities. In order to connect to the server you would need access to the TOR network, and for most people installing TOR was a confusing and difficult process. To solve this, CryptoWall used a Web-to-TOR gateway that would allow victims to easily access the payment server. When the Web-to-TOR gateway providers discovered that CryptoWall was using their gateways, they started to blacklist CryptoWall's payment servers so that they could not be reached. Now that CryptoWall 2.0 uses its own TOR gateway servers, the developers do not have to worry about being blacklisted. The current Web-to-TOR gateways operated by the CryptoWall developers are tor4pay.com, pay2tor.com, tor2pay.com, and pay4tor.com.
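For defenders, the four gateway domains named above can be used to hunt through DNS or proxy logs for machines that have contacted a payment gateway. The following is an added example, not part of the original article: the log format and sample lines are constructed, and matching subdomains as well as the bare domains is an assumption about how the gateways are reached.

```python
# Gateway domains named in the article.
GATEWAY_DOMAINS = {"tor4pay.com", "pay2tor.com", "tor2pay.com", "pay4tor.com"}

# Constructed sample DNS query log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2014-10-01T09:12:03Z 10.0.4.17 www.example.org
2014-10-01T09:12:44Z 10.0.4.17 abcdefexample123.TOR4PAY.com.
2014-10-01T09:13:10Z 10.0.7.52 pay2tor.com
2014-10-01T09:13:11Z 10.0.7.52 notpay2tor.com
2014-10-01T09:14:29Z 10.0.9.8 tor2pay.com.cdn.example.net
2014-10-01T09:15:02Z 10.0.4.17 abcdefexample123.pay4tor.com
"""

def normalize(name):
    """Lowercase a DNS name and drop its trailing root dot."""
    return name.strip().lower().rstrip(".")

def matched_gateway(name):
    """Return the gateway domain that name equals or is a subdomain of, else None."""
    labels = normalize(name).split(".")
    # Compare whole-label suffixes so that 'notpay2tor.com' and
    # 'tor2pay.com.cdn.example.net' are not reported as hits.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in GATEWAY_DOMAINS:
            return candidate
    return None

def find_hits(log_text):
    """Map each client IP to the set of gateway domains it queried."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        gateway = matched_gateway(qname)
        if gateway:
            hits.setdefault(client, set()).add(gateway)
    return hits

if __name__ == "__main__":
    for client, gateways in sorted(find_hits(SAMPLE_LOG).items()):
        print(client, sorted(gateways))
```

A hit indicates that a host looked up a payment gateway, which usually means a ransom note was opened on it, so the client should be triaged for encrypted files.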
We are still analyzing this latest version, and as more information becomes available we will be sure to report it. In the meantime, we have updated our CryptoWall guide to include all of the new information regarding this variant.