Το CryptoWall ransomware είχε εξαφανιστεί για περίπου δύο μήνες, και όπως φαίνεται το κακόβουλο λογισμικό που επανεμφανίστηκε έχει ενημερωθεί στην έκδοση 3.0, η οποία έρχεται με γεωγραφικό εντοπισμό θέσης για να παραδίνει τα ανάλογα μηνύματα για ransom.
In addition to this modification, security researchers also noticed that it is equipped with multiple addresses leading to a decryption service located in the anonymous I2P network.
The traffic is routed via dedicated proxies from I2P which is a network that can not be accessed as regular Internet sites.
I2P is another anonymous network, similar to Tor, where traffic is encrypted many times and routed through a series of proxies that hide the user's identity.
The CryptoWall ransomware, is also known as Crowti. It is a ransomware that includes file encryption capabilities. Once it is run on a computer, it starts encrypting system data.
At the end it shows the victim a message asking for a ransom and containing instructions on how to pay the money in order to receive the key to unlock the files. The fee is usually around $500 which should be paid within 168 hours, with Bitcoins.
Version 3.0 was spotted by French security researcher Kafeine and its experts Microsoft.
In one Publication Kafeine reports that communication with the administration and control server is encrypted with the RC4 encryption algorithm and uses the I2P protocol.
The researcher tried the new CryptoWall and noticed that the proxies did not work, and an error message appeared as the malware was trying to connect.
However, criminals are prepared and provide instructions on how to access an extra decryption service that is hidden on the Tor network.
According to Microsoft, CryptoWall ransomware 3.0 has infected 288 unique machines in just two days, from January 11 to 12.
