CryptoWall 4.0: Why the Ransomware Presents a Bigger Threat than Its Predecessor

CryptoWall 4.0 is a harder ransomware to protect against than its predecessor, CryptoWall 3.0, according to Heimdal Security. This is serious news, considering that CryptoWall 3.0 has raked in an estimated $325 million from hundreds of thousands of victims by demanding ransom payments in bitcoin since the ransomware debuted less than a year ago.

Andra Zaharia, a security and marketing/communication specialist at Heimdal Security, offers an overview of why the new strain is a more dangerous threat and some pointers on how to avoid becoming a victim. Following is a summary of this overview from the Heimdal blog.

Code Has Been Enhanced

The CryptoWall code has been enhanced in several ways. It uses a new malware dropper mechanism designed to avoid antivirus detection. Its communication capabilities have been improved, including a modified protocol that lets it evade detection even by second-generation firewalls. Together these changes lower detection rates significantly compared with CryptoWall 3.0.

The malware creators have also changed the ransom note files dropped on infected systems, which have been renamed. An example of the new path is as follows:

C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.TXT

The condescending ransom note includes an FAQ section addressed to the victim.


CryptoWall 4.0 encrypts more than the data in the files; it also encrypts the file names. This confuses the victim further, since they can no longer tell which files were lost, and it increases the pressure to recover the data quickly. The result is a higher "success" ratio for the attackers: of the victims who see the ransom message, a larger share pay the ransom.
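As an added example (not code from the article or from Heimdal Security), the following Python script applies the two indicators the summary mentions, the HELP_YOUR_FILES ransom note on the desktop and the renaming of encrypted files, to a constructed directory listing. The random-looking names of the "renamed" sample files, the extension allow-list and the entropy threshold are assumptions for illustration only; the page does not document CryptoWall 4.0's actual renaming scheme, so treat the renaming heuristic as triage, not as a signature.

```python
"""Heuristic triage for the two CryptoWall 4.0 indicators the summary describes:
a HELP_YOUR_FILES.* ransom note and user files whose names have been replaced.

Added example; not Heimdal's or the article's code. The renaming heuristic
(unknown extension plus high-entropy stem) is an assumption for illustration,
not the malware's documented naming scheme.
"""
import math
import ntpath          # handles Windows-style paths even when run on Linux/macOS
from collections import Counter

# Ransom note stem taken from the path quoted in the article.
RANSOM_NOTE_STEM = "HELP_YOUR_FILES"

# Assumed allow-list of extensions ordinarily found in a user profile.
KNOWN_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".jpg", ".jpeg", ".png", ".gif", ".lnk", ".ini", ".zip", ".html", ".exe",
}

# Assumed threshold: a stem made of ~8+ distinct characters with no repeats
# scores >= 3.0 bits; ordinary words such as "readme" score well below that.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_ransom_note(path):
    """True when the file name (ignoring extension) is the known ransom note stem."""
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    return stem.upper() == RANSOM_NOTE_STEM


def looks_renamed(path, threshold=ENTROPY_THRESHOLD):
    """Heuristic: an unrecognised extension and a random-looking stem."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext.lower() in KNOWN_EXTENSIONS:
        return False
    return shannon_entropy(stem) >= threshold


def scan_listing(paths):
    """Split a directory listing into ransom notes, suspected renamed files, and the rest."""
    result = {"ransom_notes": [], "renamed": [], "other": []}
    for path in paths:
        if is_ransom_note(path):
            result["ransom_notes"].append(path)
        elif looks_renamed(path):
            result["renamed"].append(path)
        else:
            result["other"].append(path)
    return result


# Constructed sample listing. Only the first path comes from the article; the
# two random-looking names are made up to illustrate the heuristic.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\User\Desktop\HELP_YOUR_FILES.TXT",
    r"C:\Documents and Settings\User\Desktop\budget_2015.xlsx",
    r"C:\Documents and Settings\User\My Documents\7k2qz9xwb3.4pz1",
    r"C:\Documents and Settings\User\My Documents\ta9v0lm3c.rt6q",
    r"C:\Documents and Settings\User\Desktop\readme",
    r"C:\Documents and Settings\User\Desktop\family.jpg",
]


if __name__ == "__main__":
    report = scan_listing(SAMPLE_LISTING)
    for bucket, paths in report.items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
```

On the sample listing the ransom note is caught by name, the two random-looking files are flagged as probable renamed victims, and `readme` (no extension, but an ordinary word) stays below the entropy threshold. A real deployment would have to tune the allow-list per environment, since legitimate software with unusual extensions will trip the renaming heuristic, and it only tells you about encryption that has already happened.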

Cryptoware Creators Get Professional

Cryptoware creators behave as if they run software firms. They improve their code to exploit vulnerabilities more effectively, they track IT security market trends to keep the ransomware hard to detect, and they use social and emotional triggers to increase their return on investment.

What has stayed the same is that CryptoWall 4.0 still directs victims to a Tor hidden service to make payments. Victims buy a decryption key for their data over Tor, which preserves the attackers' anonymity.


CryptoWall 4.0 also connects to a sequence of compromised web pages to download its payload onto the target system. These pages connect the infected machine to a botnet, which then uses it to spread the malware to more computers.


Infrastructure Unchanged From 3.0

The infrastructure is not changed from CryptoWall 3.0, and the antivirus detection for the new variant is very low.

CryptoWall 4.0 spreads by means of drive-by attacks and spam email, its preferred attack vectors because of their low cost.

Once data is encrypted, there is not much that can be done. Options include:

  • Format the system and restore information from a backup.
  • Pay the ransom in the hope of receiving a decryption key. Payment does not guarantee that the key will be delivered, and Heimdal does not recommend paying.

How To Prevent Infection

To prevent an infection, Heimdal recommends:

  • Keep the system up to date and install the latest updates.
  • Back up data frequently.
  • Don’t keep the only copy of important information on the computer.
  • Don’t open spam emails or emails from unknown senders.
  • Don’t open attachments from suspicious emails.
  • Use products that can detect and block ransomware.

Featured image from Shutterstock. Additional images from Heimdal Security.

Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.