What's next for ransomware? CryptoWall picks up where CryptoLocker left off

Filed Under: Android, Cryptography, Featured, iOS, OS X, Ransomware, Windows

CryptowallWhen an international law enforcement action earlier this month knocked out the Gameover botnet, one happy consequence was the takedown of the servers that the CryptoLocker ransomware needed in order to do its dirty work.

Well, any celebration over CryptoLocker's demise is certainly premature - encrypting ransomware is alive and well.

With many victims paying up, ransomware is a lucrative business for the crooks, and CryptoLocker has inspired copycats who want in on the loot.

CryptoWall and CryptoDefense

New variants of file-encrypting ransomware called CryptoWall and CryptoDefense have been popping up since at least April 2014.

SophosLabs threat researcher Anand Ajjan says CryptoWall has the same code as CryptoDefense, and only differs in the name.

If you see a message like the one below, you're in trouble - many, if not most, of the data files on your hard drive or any connected drives will be scrambled, and it's simply not practicable to crack the encryption used by the crooks.

(You don't have to pay, of course. Despite losing data, police in the New Hampshire town of Durham showed a bit of public resistance to the crooks, announcing that they were "definitely not paying any ransom.")

The message gives instructions on how to use the Tor anonymizing proxy to access a website where you can pay to unlock your files:


If you do go to the payment website, you come to a screen that shows a clock counting down the time you have left to pay the ransom.

Leave it too long and the price to decrypt your files doubles:


In broken but intelligible English, the website tells you:

We are present a special software - CryptoWall Decrypter - which is allow to decrypt and return control to all your encrypted files.

This website (blocked by Sophos) includes links to payment options, and offers you the chance to "Decrypt 1 file for FREE":


Unlike the crooks SophosLabs found who are trying to copy CryptoLocker but without actually encrypting your files, CryptoWall's encryption can't be reversed without the key.

That means if your files get locked, you either have to pay up, or "do a Durham," and kiss your files goodbye.

According to SophosLabs, a common way of spreading CryptoWall infections is through exploit kits called RIG (also known as "Goon") and Angler.

Exploit kits are web pages containing pre-packaged exploits that can be used to deliver malware of your choice to unsuspecting victims.

Often, one group of cybercrooks will simply "rent" exploit kit services from other cybercrooks on a pay-per-install basis.

So, whereas some ransomware attacks use social engineering in spam to trick you into downloading the malware, CryptoWall can get onto your computer just by visiting a website that is rigged up with an exploit kit.

Sophos Anti-Virus (in endpoint and gateway products) detects and blocks the various components of this threat with the following names:

  • HPmal/Ransom-I: the Cryptowall/Cryptodefense malware itself.
  • Troj/ExpJS-KX: web pages containing the RIG exploit kit.
  • Mal/Generic-S and Mal/ExpJava-AF: other exploit kit pages associated with this threat.

What's next for ransomware?

Cybercrooks are trying out new variations on the ransomware theme, including moving from Windows to mobile devices.

File-encrypting Android malware called Simplelocker encrypts files and demands a ransom, while police locker malware called Koler threatens victims with arrest if they don't pay up.

The trend has spread to Apple devices too.

Some hackers calling themselves Oleg Pliss used stolen Apple IDs to lock iPhones, iPads and Macs using the Find My iDevice feature, with a lock screen message demanding payment to restore access to your device.

Russian police arrested a pair of hackers from Moscow who pulled this trick on Russian victims, but it's worth assuming that others may try this scam again in the future.

There's a loophole in this iDevice ransom attack to get around paying (if you lock your device with a passcode, you can just enter it to unlock it) - but it might not be too long before the crooks figure out other methods.

How to stay safe from ransomware

In the cat-and-mouse game between hacker gangs and law enforcement agencies, the crooks are often tricky to bring to justice.

As part of the recent CryptoLocker takedown, for example, US law enforcement formally charged a Russian man called Evgeniy Mikhailovich Bogachev with fraud and racketeering offenses, but so far he remains at large.


The FBI notes rather wryly in its Cyber's Most Wanted pages "Bogachev was last known to reside in Anapa, Russia. He is known to enjoy boating and may travel to locations along the Black Sea in his boat. He also owns property in Krasnodar, Russia."

Nevertheless, the security industry is doing its part, and you can too.

More about CryptoLocker and other ransomware

Sophos free tools to help keep you safe online

The Sophos Virus Removal Tool is handy for getting a "second opinion" about the files on your computer. It doesn't replace your existing anti-virus but can operate alongside it to give you additional peace of mind. (Note that the VRT scans for malware already present on your computer - it is not a preventative anti-virus.)


The Sophos UTM Home Edition is a full version of the Sophos UTM, free for non-commercial use at home. All its business features, including a Web Application Firewall and VPN, are activated. You even get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage for friends and family on your home network. If you have children to keep safe, or are the "IT geek" in a shared house, this could be just what you need.


Sophos Free Anti-Virus and Security for Android is a great way to protect your Android with the same sort of preventative security software you expect on your desktop or laptop. There's a threat scanner that automatically vets apps when you download them, before you run them for the first time; web and message filtering; a privacy and security advisor tool; and much more.


Image of door opening onto wall courtesy of Shutterstock.

, , , , , , , , ,

You might like

17 Responses to What's next for ransomware? CryptoWall picks up where CryptoLocker left off

  1. softwareforparentalcontrol · 440 days ago

    "do a Durham" ???

  2. Fjardeson · 440 days ago

    I wonder if there's a way to exploit the "Decrypt 1 File For Free" to obtain the key?

    • Paul Ducklin · 439 days ago

      I can imagine that there could be (though I strongly suspect there isn't) a hole to let you exploit "1 for free" to decrypt multiple files, one by one.

      But I assume that this "feature" lets you upload a file to them, they send if off to some back-end server where it gets decrypted, and then they send it back. So you are still no closer to the key than when encryption started.

      There was once ransomware that made a mistake in coding so that each local file ended up encrypted with the same pseudo-random cipher stream (the crooks forgot to use a new random initialisation vector for each file). So with one encrypted file for which you did have a backup you could do a "known plaintext" attack and recover the key.

      Not in this case...

      • Sootie · 439 days ago

        Tempting (though probably not practically possible) to send them a file which once decrypted then installs cryptolocker on their back end server and demands a random back from them.

  3. Wanderer06 · 440 days ago

    You mention Sophos UTM at the end of the post, that's something I have (unsuccessfully) tried three times in the past 2 days to download. I've already checked my spam folder and inbox more times than I care to tally.

    I wanted to use it both as part of an assessment task in my class (Essential Firewall) and also as a gateway for my family's home network (Home Edition) but alas, the promised download instructions never came.

    Another thing I noticed is that there's something odd with your SSL certificate on the support forum for the Home Edition which sends users off-site to a website with a similar URL to a (seemingly) different company.

    Lastly, the download page for "Sophos UTM Home Edition" asks for a company name!

    • Paul Ducklin · 439 days ago

      Ouch. I just tried it myself, and whereas the email usually arrives within seconds, I'm still waiting 15 minutes later. That seems like a boo-boo. I will report it at once.

      As an emergency, you can get the installer ISOs here:


      That gives you a 30-day evaluation licence, so you'll still need the reply from our website with your Home Edition licence code. (You don't need to reinstall - just enter the licence code when it arrives - so we'll collectively have a month to sort it out :-)

      As for the "astaro.com" domain name: Astaro is the name of the company that originally created what is now the Sophos UTM; it's been part of Sophos for a year or three now.

      Oh, and asking for a company name on the Home Edition screen is a bit weird. I guess we could leave it there (you can tell us if you like) but make it non-compulsory.

      Sorry about the hassles...I hope they'll be sorted out soon.

      • Steve · 439 days ago

        Whenever I'm asked for a company name when trying to access something that I'm not seeking for business use, I simply enter a single dot. That always seems to make the computer gods happy.

        • Paul Ducklin · 438 days ago

          I think the OP's point in this case is that the Home Edition is free *except for company use*, so by rights it's the one field you really ought to leave blank (but you can't).

          A dot will do fine. A smiley would work, too. So would a WITTY REMARK ALL IN CAPS, I suppose.

  4. Philip · 438 days ago

    Where can I find on Sophos' website the association between detection name and virus name? For example:

    "HPmal/Ransom-I: the Cryptowall/Cryptodefense malware itself."

    In the years I've been using Sophos, I've found the Threat database to be lacking the connection between what Sophos calls what it detects and names that are more easily recognized elsewhere.

    • Paul Ducklin · 438 days ago

      I hear you.

      One answer to your question, and I am not being facetious here, is that for widely-known threats, we try to publish that generic-to-specific naming correspondence in Naked Security articles like this one, where readers only get to the naming information after a fair amount of clarification of exactly what malware sample is under discussion.

      We could, I suppose, start listing specific malware families (at least, well-known ones) in the "aliases" section of the Threat Database...though one problem with that is that as our generic detection of any particular malware category is tuned and improved, the list of "aliases" it detects and prevents could become huge, and confusing in its own right.

      As I said, that's one reason why we usually try to put generic-to-specific mappings in some kind of careful context, like a Naked Security article.

      We'll pass on your comment, though...thanks for sharing it.

  5. ctruex · 436 days ago

    I'm curious about prevention. I have a Mac, but I'm also not foolish enough to think that this makes me safe from threats. I have a dedicated external hard drive for updates, using Time Machine. If I were hit by one of these programs, wouldn't it also encrypt my external? Am I understanding that correctly? I don't have the online storage capability to backup to the cloud, and plugging in, backing up, and unplugging once a day at least sounds like the kind of thing that simply never gets done.

    • Anonymous · 377 days ago

      We had a client that was using an external hard drive for backups and, yes, it did encrypt all of the files on that drive as well.

      • Anonymous · 343 days ago

        If you have a network fileshare connected, that could potentially get encrypted too: they're all just collections of files to a program that operates at the file level.

        (And yes, this does make the ending of the Sandra Bullock movie The Net, in which a Mac virus wipes out a networked mainframe, somewhat plausible.)

  6. Greg Richardson · 419 days ago

    One of our clients ended up with Cryptowall today. We were able to get the files back by right clicking on the folder, restore previous version and select a date prior to the change date on the encrypted files. The client only lost 7 days of files.

  7. Melanie Blank · 222 days ago

    I think I will stick with my flash drive back-ups and always remove the flash drive when I'm done. I'm considering Carbonite, but I'm wondering how safe that is? Thanks, from a newbie to this blog.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Zorabedian is a blogger, copywriter and editor at Sophos. He has a background in journalism, writing about technology, business, politics and culture. He lives and works in the Boston area.