Ransom.Cryptowall is a Trojan horse that encrypts files on the compromised computer. It then asks the user to pay to have the files decrypted.
The threat typically arrives on the affected computer through spam emails, exploit kits hosted through malicious ads or compromised sites, or other malware.
Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the path of the encrypted files and run every time the computer restarts. It encrypts files with particular extensions on the computer and creates additional files with instructions on how to obtain the decryption key.
This threat family attempts to convince the user to pay money in order to get the key to unlock their files. It uses a variety of different techniques in order to encourage the user to pay the ransom.
- Definitions prior to September, 2016 may detect this threat as Trojan.Cryptowall.
- Ransom.Cryptodefense is a variant of Ransom.Cryptowall.
The Trojan is mainly distributed through spam campaigns, compromised websites, malicious ads, or other malware.
In Cryptowall spam campaigns, the emails usually contain a malicious attachment and include a message attempting to convince the user to download the file. The email could claim that the attachment is an invoice, an undelivered package notice, or an incoming fax report. If the user opens the attachment, then their computer will be infected with Ransom.Cryptowall.
The Trojan may also be distributed through exploit kits hosted on compromised websites or malicious ads. Some of the exploit kits that have been used to compromise users’ computers with the threat include the Rig exploit kit and the Nuclear exploit kit. Symantec has extensive IPS protections in place against these kits.
The Trojan may also arrive through other threats that have already compromised the computer, such as Downloader.Upatre.
The Trojan was designed to prevent the user from accessing their files and force them to pay the attacker in order to regain access. It does this by encrypting a wide variety of files on the compromised computer using public/private key encryption with a strong 2048-bit RSA key.
Once the files are encrypted, the Trojan displays a text document or HTML page with a message. The message informs the user that their files have been encrypted and gives instructions on how to obtain the decryption key needed to unlock the files. It may also warn users that the decryption key will be deleted after a certain time period to pressure the user into paying sooner. The attacker may demand hundreds of US dollars in payment and the amount may increase after a specified time period.
The message also contains a link to a website where the user can make the payment. These sites are typically hosted on the anonymous Tor network, which helps the attacker hide their identity. The threat may ask the user to download a Tor network browser in order to view the site, though newer versions of the threat do not require the user to do this. The user may have to pay using cryptocurrencies such as bitcoin to further prevent the attacker’s identity from being traced.
Even if the user pays the ransom, there’s no guarantee that the attacker will provide the decryption key needed to unlock their files.
Symantec has observed the following geographic distribution of this threat:
Symantec has observed the following global infection trends between April and October 2014:
The following Symantec detections protect against this threat family.