CryptoWall ransomware had disappeared for about two months, and as it appears, the malware that reappeared has been updated in the 3.0 version, which comes with a geo-location to deliver the corresponding ransom messages.
In addition to this modification, security researchers also noticed that it is equipped with multiple addresses leading to a decryption service located in the anonymous I2P network.
The traffic is routed via dedicated proxies from I2P which is a network that can not be accessed as regular Internet sites.
I2P is another anonymous network, similar to Tor, where traffic is encrypted many times and routed through a series of proxies that hide the user's identity.
The CryptoWall ransomware, is also known as Crowti. It is a ransomware that includes file encryption capabilities. Once it is run on a computer, it starts encrypting system data.
In the end, he displays a message asking for a ransom to the victim and contains instructions on how to pay the money in order to receive the key to unlock the files. The fee is usually around 500 dollars which will be paid within 168 hours, with Bitcoins.
The 3.0 version was detected by French security researcher Kafeine, as well as Microsoft specialists.
In one Publication Kafeine reports that communication with the administration and control server is encrypted with the RC4 encryption algorithm and uses the I2P protocol.
The researcher tried the new CryptoWall and noticed that the proxies did not work, and an error message appeared as the malware was trying to connect.
However, criminals are prepared and provide instructions on how to access an extra decryption service that is hidden on the Tor network.
According to Microsoft, CryptoWall ransomware 3.0 has infected 288 unique machines in just two days, from January 11 to 12.