CryptoWall, a successor to the now-defunct CryptoLocker, targets Windows OS and spreads via spam, drive-by downloads, malvertising campaigns, and exploit kits such as Nuclear and Angler. Once it has been executed on a system, it maintains persistence, escalates privileges, destroys all system restore points, and deletes all Shadow Volume Copies to prevent file restoration before beginning the encryption process. CryptoWall 4.0 is the latest variant and operates much like its predecessors; it continues to connect to compromised websites in order to download the payload, uses RC4 encryption, and it still uses Tor to direct victims to payment instructions. However, one of the most notable differences is that CryptoWall 4.0 not only encrypts files, but it also encrypts file names to prevent victims from identifying and restoring them from backups.
- Talos Intel provides more information about CryptoWall 4.0, found here.
- The NJCCIC is not aware of any decryption tools available for the CryptoWall variants.