The first change is a longer deadline time that a payment must be made before the ransom amount increases. Originally the ransom deadline was 5 days after the time of the infection. Now they have increased the deadline to a full week.
Another change is additional TOR gateways that are used to access the CryptoWall decryption site. These TOR gateways are torforall.com, torman2.com, torwoman.com, and torroadsters.com. Using these gateways an infected user is able to access the CryptoWall decryption site without installing the TOR browser software.
Last, but not least, the ransom note filenames have changed and now extra PNG file is displayed along with the ransom notes when you login to Windows. The names of the CryptoWall 3.0 ransom notes are now HELP_DECRYPT.HTML, HELP_DECRYPT.PNG, HELP_DECRYPT.TXT, and HELP_DECRYPT.URL. Each ransom noted is described below.
HELP_DECRYPT.HTML: This HTML file will be shown every time you login to Windows and displays information on what CryptoWall 3.0 is and how to access the ransom site.
HELP_DECRYPT.PNG: This image file is displayed when you login to Windows and contains more information about CryptoWall 3.0 and how to access the ransom site.
HELP_DECRYPT.TXT: This text file will be shown every time you login to Windows and contains the same information as the other files.
HELP_DECRYPT.URL: This file will automatically load your default browser and display the CryptoWall 3.0 Decrypt Service when you login to Windows. The decryption site looks similar to the image below.
The CryptoWall Information Guide has already been updated with this information and ListCwall is still able to export the list of encrypted files. You can also discuss this topic further in our CryptoWall Support Topic.
Update 1/14/15: Kafeine has posted a story detailing how Cryptowall 3.0 also communicates over the anomymous network service I2P.