
CryptoWall 3.0: Ransomware returns, adopts I2P

Shortly after CryptoWall began using TOR to conduct transactions, a new version of the ransomware, dubbed CryptoWall 3.0, has begun using I2P.

After a short turnaround, CryptoWall is back and renovated with a new version that further extends its usage of anonymous peer-to-peer networks.

CryptoWall 2.0 was revealed by Cisco Talos just a few weeks ago, and was the first version to use TOR for anonymity. Mere days later, Microsoft and French malware researcher "Kafeine" confirmed a new version, dubbed CryptoWall 3.0.

Little has changed in the user interface of the ransomware, according to a Microsoft TechNet post, and the behavior and notification file names have remained the same.

"The files are still customized for each infected user with a personal link to decryption instructions page that are still done over Tor network," the TechNet post stated.

While the ransomware's encryption behavior is unchanged, CryptoWall 3.0 (aka Crowti) now employs another anonymous peer-to-peer network -- I2P -- in an apparent effort to ensure quicker and easier payoffs.

Kafeine was the first to report that CryptoWall was using I2P in addition to TOR. "It seems communication with the C&C [command & control server] are…using I2P protocol," he wrote in a blog post last week.

Stu Sjouwerman, CEO of KnowBe4, a security awareness training firm based in Clearwater, Fla., said although he is reluctant to dub this update a "new version" of the ransomware, he did acknowledge the addition of I2P makes for a more friendly user experience.

"The I2P makes it easier on the end-user," Sjouwerman said. "It really is a customer service/user interface kind of improvement more than anything else."

The previous version of CryptoWall required victims to install a TOR browser in order to communicate with the attackers. This TOR-layered communication ensured the perpetrators' anonymity, but it was a struggle for the typical uninformed web user (such as those tricked into the scheme in the first place) to operate. With I2P, Sjouwerman said, the process is simplified.

"You don't have to install a separate TOR browser anymore, which is a hassle," Sjouwerman said. "People don't understand how to do it. [By employing I2P] they make it very easy to pay the ransom."

I2P, according to Sjouwerman, is more basic: just install and run. And since the work is essentially done for them, the victims are more likely to comply and pay the ransom quickly. And that's a good thing, he said, for the cybercriminals behind CryptoWall.

"CryptoWall has very good customer service," Sjouwerman said, adding that KnowBe4 has consulted several victims of the CryptoWall ransomware. "They are focused on reputation. All 15 people that we have paid for, within two hours they had their decryption key and started to get their files back."

While other ransomware "services" demand a ransom with no guarantee of decrypting your files, CryptoWall has proven to be notoriously reliable in restoring victims' files once the ransom is paid.

Ransomware criminals are concerned about their reputation, Sjouwerman said, because if word got around that the decryption keys or payment process did not work, then ransomware victims would likely abandon hope of regaining files and would not pay ransoms.

Anonymity under fire

TOR and similar anonymity tools like I2P have come under fire recently for providing a cloak for criminal activities such as money laundering, child pornography, and illicit drug marketing. While CryptoWall's use of I2P may increase the negative attention on these anonymity tools, Sjouwerman said it also gives I2P exposure and shows that it's reliable.

"To some degree the fact that criminals use it is a positive thing, because people will know that it is there," Sjouwerman said. "The tool can be used for either good or bad. You can use these tools for research to stay anonymous, which is valid."

While anonymous P2P networks are used for legitimate purposes, such as reporters communicating with confidential sources or people living in countries with censorship laws and restricted Internet access, they're also rife with criminal activity. Kaspersky Lab recently announced the discovery of hundreds of botnets and darknet markets within Tor.

Ransomware threat growing

Phishing emails are not the only source of such ransomware, either. Sjouwerman said exploit kits hosted on compromised legitimate websites scan users' computers for outdated software with exploitable vulnerabilities; the exploit kits then deliver the ransomware via drive-by downloads. KnowBe4 and other security awareness programs focus on training users to avoid such attacks.

While an older version of CryptoLocker had a flaw that could be used to retrieve encrypted files, Sjouwerman said, it is almost impossible to recover encrypted files these days, due to the innovation on the hackers' side.

As ransomware becomes more popular and reliable among cybercriminals, Sjouwerman anticipates attackers will go after email servers – specifically, penetrating email servers and infecting them rather than relying on simple phishing tactics. Sjouwerman said that in the last year, enterprises have become more aware of phishing attacks and ransomware, as well as how to combat them, but he also noted that it will be a challenge for enterprises to keep up with the evolving threats.
