Each security vendor uses their own naming conventions to identify various types of malware
, like other forms of ransomware, is also typically spread through social engineering and user interaction, i.e. opening suspicious emails and opening infected Word docs with embedded macro viruses, and sometimes via exploit kits. It can be disguised in email attachments which appear to be legitimate correspondence from reputable companies such as banks and Internet providers or UPS or FedEx with tracking numbers. Attackers will use email addresses and subjects (i.e. example) that will entice a user to read the email and open the attachment. US-CERT advises there have been reports that some victims encounter the malware after clicking on a malicious link within an email or following a previous infection from botnets such as Zbot/Z-bot (Zeus), which downloads and executes the ransomware as a secondary payload from infected websites. Other types of crypto malware have been reported to spread on YouTube ads, via browser exploit kits and drive-by downloads when visiting compromised web sites.
From the reddit.com article...
CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ
The only evidence of anything wrong is the DECRYPT_INSTRUCTIONS.txt and .htm files on the respective workstations
CryptoWall is essentially a new variant of CryptoDefense.
- ransom is $1000 USD.
- leaves files named DECRYPT_INSTRUCTION:
CryptoWall 2.0 uses its own TOR gateways
...see Updated CryptoWall 2.0 ransomware released that makes it harder to recover files
There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense
Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.
The BC Staff