1. Symantec/
  2. Security Response/
  3. Ransom.Cryptowall


Risk Level 1: Very Low

June 19, 2014
September 2, 2016 9:46:31 PM
Systems Affected:
Ransom.Cryptowall is a Trojan horse that encrypts files on the compromised computer. It then asks the user to pay to have the files decrypted.

The threat typically arrives on the affected computer through spam emails, exploit kits hosted through malicious ads or compromised sites, or other malware.

Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the path of the encrypted files and run every time the computer restarts. It encrypts files with particular extensions on the computer and creates additional files with instructions on how to obtain the decryption key.

This threat family attempts to convince the user to pay money in order to get the key to unlock their files. It uses a variety of different techniques in order to encourage the user to pay the ransom.

  • Definitions prior to September, 2016 may detect this threat as Trojan.Cryptowall.
  • Ransom.Cryptodefense is a variant of Ransom.Cryptowall.

The Trojan is mainly distributed through spam campaigns, compromised websites, malicious ads, or other malware.

In Cryptowall spam campaigns, the emails usually contain a malicious attachment and include a message attempting to convince the user to download the file. The email could claim that the attachment is an invoice, an undelivered package notice, or an incoming fax report. If the user opens the attachment, then their computer will be infected with Ransom.Cryptowall.

The Trojan may also be distributed through exploit kits hosted on compromised websites or malicious ads. Some of the exploit kits that have been used to compromise users’ computers with the threat include the Rig exploit kit and the Nuclear exploit kit. Symantec has extensive IPS protections in place against these kits.

The Trojan may also arrive through other threats that have already compromised the computer, such as Downloader.Upatre or Trojan.Zbot.


The Trojan was designed to prevent the user from accessing their files and force them to pay the attacker in order to regain access. It does this by encrypting a wide variety of files on the compromised computer using public/private key encryption with a strong 2048-bit RSA key.

Once the files are encrypted, the Trojan displays a text document or HTML page with a message. The message informs the user that their files have been encrypted and gives instructions on how to obtain the decryption key needed to unlock the files. It may also warn users that the decryption key will be deleted after a certain time period to pressure the user into paying sooner. The attacker may demand hundreds of US dollars in payment and the amount may increase after a specified time period.

The message also contains a link to a website where the user can make the payment. These sites are typically hosted on the anonymous Tor network, which helps the attacker hide their identity. The threat may ask the user to download a Tor network browser in order to view the site, though newer versions of the threat do not require the user to do this. The user may have to pay using cryptocurrencies such as bitcoin to further prevent the attacker’s identity from being traced.

Even if the user pays the ransom, there’s no guarantee that the attacker will provide the decryption key needed to unlock their files.

Geographical distribution
Symantec has observed the following geographic distribution of this threat:

Symantec has observed the following global infection trends between April and October 2014:

Symantec protection
The following Symantec detections protect against this threat family.

Heuristic detections
Reputation detections

Antivirus Protection Dates

  • Initial Rapid Release version June 19, 2014 revision 034
  • Latest Rapid Release version September 22, 2016 revision 024
  • Initial Daily Certified version June 20, 2014 revision 002
  • Latest Daily Certified version September 22, 2016 revision 025
  • Initial Weekly Certified release date June 25, 2014
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Laura O'Brien, Jeet Morparia

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube