The CryptoWall ransomware had been gone for about two months, and apparently the malicious λογισμικό που επανεμφανίστηκε έχει ενημερωθεί στην έκδοση 3.0, η οποία έρχεται με γεωγραφικό εντοπισμό θέσης για να παραδίνει τα ανάλογα μηνύματα για λύτρα.
In addition to this modification, the researchers better safetys also noticed that it is supplied with many addresses that point to a decryption service located on the anonymous I2P network.
The traffic is routed via dedicated proxies from I2P which is a network that can not be accessed as regular Internet sites.
I2P is another anonymous network, similar to Tor, where traffic is encrypted many times and routed through a series of proxies that hide the user's identity.
The CryptoWall ransomware, is also known as Crowti. It is a ransomware that includes file encryption capabilities. Once it is run on a computer, it starts encrypting system data.
At the end it shows the victim one message which demands a ransom and contains instructions on how to pay the money in order to receive the key to unlock the files. The fee is usually around 500 dollars which should be paid within 168 hours, in Bitcoins.
The 3.0 version was detected by French security researcher Kafeine, as well as Microsoft specialists.
In one Publication Kafeine reports that communication with the administration and control server is encrypted with the RC4 encryption algorithm and uses the I2P protocol.
The researcher tested the new CryptoWall and noticed that the proxies did not work, and an error message appeared as the malware was trying to connect.
However, criminals are prepared and provide instructions on how to access an extra decryption service that is hidden on the Tor network.
According to Microsoft data, CryptoWall ransomware 3.0 has infected 288 uniques machineonly in two days, from January 11 to 12.