What’s next for ransomware? CryptoWall picks up where CryptoLocker left off


CryptowallWhen an international law enforcement action earlier this month knocked out the Gameover botnet, one happy consequence was the takedown of the servers that the CryptoLocker ransomware needed in order to do its dirty work.

Well, any celebration over CryptoLocker’s demise is certainly premature – encrypting ransomware is alive and well.

With many victims paying up, ransomware is a lucrative business for the crooks, and CryptoLocker has inspired copycats who want in on the loot.

CryptoWall and CryptoDefense

New variants of file-encrypting ransomware called CryptoWall and CryptoDefense have been popping up since at least April 2014.

SophosLabs threat researcher Anand Ajjan says CryptoWall has the same code as CryptoDefense, and only differs in the name.

If you see a message like the one below, you’re in trouble – many, if not most, of the data files on your hard drive or any connected drives will be scrambled, and it’s simply not practicable to crack the encryption used by the crooks.

(You don’t have to pay, of course. Despite losing data, police in the New Hampshire town of Durham showed a bit of public resistance to the crooks, announcing that they were “definitely not paying any ransom.”)

The message gives instructions on how to use the Tor anonymizing proxy to access a website where you can pay to unlock your files:


If you do go to the payment website, you come to a screen that shows a clock counting down the time you have left to pay the ransom.

Leave it too long and the price to decrypt your files doubles:


In broken but intelligible English, the website tells you:

We are present a special software - CryptoWall Decrypter - which is allow to decrypt and return control to all your encrypted files.

This website (blocked by Sophos) includes links to payment options, and offers you the chance to “Decrypt 1 file for FREE”:


Unlike the crooks SophosLabs found who are trying to copy CryptoLocker but without actually encrypting your files, CryptoWall’s encryption can’t be reversed without the key.

That means if your files get locked, you either have to pay up, or “do a Durham,” and kiss your files goodbye.

According to SophosLabs, a common way of spreading CryptoWall infections is through exploit kits called RIG (also known as “Goon”) and Angler.

Exploit kits are web pages containing pre-packaged exploits that can be used to deliver malware of your choice to unsuspecting victims.

Often, one group of cybercrooks will simply “rent” exploit kit services from other cybercrooks on a pay-per-install basis.

So, whereas some ransomware attacks use social engineering in spam to trick you into downloading the malware, CryptoWall can get onto your computer just by visiting a website that is rigged up with an exploit kit.

Sophos Anti-Virus (in endpoint and gateway products) detects and blocks the various components of this threat with the following names:

  • HPmal/Ransom-I: the Cryptowall/Cryptodefense malware itself.
  • Troj/ExpJS-KX: web pages containing the RIG exploit kit.
  • Mal/Generic-S and Mal/ExpJava-AF: other exploit kit pages associated with this threat.

What’s next for ransomware?

Cybercrooks are trying out new variations on the ransomware theme, including moving from Windows to mobile devices.

File-encrypting Android malware called Simplelocker encrypts files and demands a ransom, while police locker malware called Koler threatens victims with arrest if they don’t pay up.

The trend has spread to Apple devices too.

Some hackers calling themselves Oleg Pliss used stolen Apple IDs to lock iPhones, iPads and Macs using the Find My iDevice feature, with a lock screen message demanding payment to restore access to your device.

Russian police arrested a pair of hackers from Moscow who pulled this trick on Russian victims, but it’s worth assuming that others may try this scam again in the future.

There’s a loophole in this iDevice ransom attack to get around paying (if you lock your device with a passcode, you can just enter it to unlock it) – but it might not be too long before the crooks figure out other methods.

How to stay safe from ransomware

In the cat-and-mouse game between hacker gangs and law enforcement agencies, the crooks are often tricky to bring to justice.

As part of the recent CryptoLocker takedown, for example, US law enforcement formally charged a Russian man called Evgeniy Mikhailovich Bogachev with fraud and racketeering offenses, but so far he remains at large.


The FBI notes rather wryly in its Cyber’s Most Wanted pages “Bogachev was last known to reside in Anapa, Russia. He is known to enjoy boating and may travel to locations along the Black Sea in his boat. He also owns property in Krasnodar, Russia.”

Nevertheless, the security industry is doing its part, and you can too.

More about CryptoLocker and other ransomware

Sophos free tools to help keep you safe online

The Sophos Virus Removal Tool is handy for getting a “second opinion” about the files on your computer. It doesn’t replace your existing anti-virus but can operate alongside it to give you additional peace of mind. (Note that the VRT scans for malware already present on your computer – it is not a preventative anti-virus.)


The Sophos UTM Home Edition is a full version of the Sophos UTM, free for non-commercial use at home. All its business features, including a Web Application Firewall and VPN, are activated. You even get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage for friends and family on your home network. If you have children to keep safe, or are the “IT geek” in a shared house, this could be just what you need.


Sophos Free Anti-Virus and Security for Android is a great way to protect your Android with the same sort of preventative security software you expect on your desktop or laptop. There’s a threat scanner that automatically vets apps when you download them, before you run them for the first time; web and message filtering; a privacy and security advisor tool; and much more.


Image of door opening onto wall courtesy of Shutterstock.