It’s only been 2 months since the latest CryptoWall 3.0 spam campaign, which used Google Drive in a drive-by campaign to abuse vulnerabilities in various popular third-party products and encrypt the victim’s data, holding it hostage for ransom.

Now the cyber criminal group behind it is doing it again: a new spam campaign has been released last night, coming from arbitrary email addresses. The malicious payload is delivered via two email attachments.

The malicious email writes as follows:

From: [spoofed / fake return address]

Subject Line:
RE: Summary
New Fax: ID 37217


If the attached document is opened by an unsuspecting recipient, and macros in the document is activated, the malicious payload will connect to a download server from which it will pick up the first phase of a CryptoWall 3.0 infection via http://46.30.43 [.] 146 /666.jpg (sanitized by Heimdal Security).

This component is decrypted in memory, leaving no trace and going undetected by tradition antivirus solutions. It then produces a long list of compromised domains. Here is a small sample of these domains (sanitized by Heimdal Security):

http://eshraqatee [.] com / wp-includes / css / ap1.php
http://essayhub [.] org / css / fonts / ap5.php
http://essayspro [.] com / css / fonts / ap4.php
http://eugeniobonato [.] com / wp-content / uploads / js_composer / ap3.php
http://europe-academy [.] net / wp-admin / user / ap2.php
http://evolvingcareers [.]
http://ewineco [.] com / wp-admin / network / ap5.php
http://externalbatterycase [.] com / wp-admin / js / ap4.php
http://fabconcepts [.] net / wp-content / plugins / indonez-shortcodes / js / ap3.php
http://fan-out [.] com / wp-includes / fonts / ap5.php
http://fenonsilver [.] com / controller / catalog / ap2.php
http://fiftyschmifty [.] com / ap1.php
http://fiiwin [.] com / wp-admin / maint / ap4.php
http://focusmusicktv [.] com / ap3.php

Heimdal has already blocked more than 60 domains which are related to this campaign.

We have dedicated an in–depth article to CryptoWall and its subsequent strains, which you may find useful, should you want to explore this subject further.

Just like other CryptoWall 3.0 variants and other second generation malware, this strain uses deceiving techniques to keep below the radar, having a low antivirus detection rate: 6/56 on VirusTotal.

cryptowall 3.0 september 2015 virustotal

Click here for the full VirusTotal page detection rates at the moment when the campaign was discovered.


Proceed with caution: Ransomware threats ahead!


Because most home users often rely exclusively on their antivirus product to protect them from second generation malware, such as CryptoWall 3.0, we have published this week a material that highlights the tactics that malware creators use in order to make their infections and infection vectors capable of evading detection. These 10 Reasons Why Your Traditional Antivirus Can’t Detect Second Generation Malware may help you better understand how malware infections happen and, consequently, enable you to get better protection for your PC.

It’s also important to mention that elderly persons or other vulnerable categories may become easy targets in spam campaigns such as this one, because they are often unable to identify a spam or a phishing email that might contain infected attachments. These vulnerable categories are also more prone to social engineering techniques, which cyber criminals seldom use to trick the victims into performing certain actions or disclosing confidential information.

Also, keep in mind that the main targeted geographical regions are selected based on revenue, because cyber criminals want to achieve maximum effectiveness with this business:

These ransomware campaigns mainly target victims in relatively rich countries, because users in those countries are the most willing to pay the ransoms, according to statements made on underground forums that host discussions on the effectiveness of ransomware campaigns.

Source: McAfee Labs Threats Report 2015

Companies are not safe form this threat either, especially considering that Chief Information Security Officers around the world are really starting to feel worn out by these persistent and frequent ransomware threats. A CryptoWall infection could be especially dangerous since time to detection can reach up to two days, according to the Cisco Midyear Security Report 2015.

time to detection cryptowall infection

The trends related to ransomware do not paint an optimistic picture. According to the aforementioned McAfee Labs Threats Report 2015:

McAfee Labs has seen a 165% rise in ransomware in Q1 [of 2015], especially with the family CTB-Locker, along with new versions of CryptoWall, TorrentLocker, and spikes of BandarChor.

ransomware statistics mcafee labs

Moreover, more ransomware strains are surfacing in attacks than last year or ever before:

new samples of prominent ransomware families mcafee labs 2015

And, as cyber security researchers constantly warn, ransomware such as CryptoWall 3.0 is dangerous and effective in attaining its malicious purposes due to its capacity to morph and avoid detection by traditional antivirus products.

From the original CryptoWall to the latest release, Version 3, many functions have changed. The malware now exclusively uses Tor for payment, and it communicates in different ways: via hardcoded and obfuscated control server URLs or a peer-to-peer network based on the I2P protocol. Many other ransomware families have used the name CryptoLocker to mislead victims and the security industry. CryptoWall did so as well, but after a time began to use its own name.

Like CTB-Locker, the latest CryptoWall campaigns are also trying to bypass security mechanisms by using an obfuscated JavaScript attachment in an email, although CryptoWall downloads .jpeg files instead of .zip files. However, there are no actual pictures to fool victims, just ransomware executables.

Source: McAfee Labs Threats Report 2015

Morten Kjaersgaard, Heimdal Security CEO, recommends using extreme caution:

The situation around Cryptoware is becoming very serious. We see new campaigns rolling out almost daily and end users need to be very alert and use a lot of precaution. Campaigns are delivered in difficult to spot spam campaigns, but also from legitimate websites, who serve hackers’ purposes of delivering malware.

The adversary of the every day user is skilled, focused and commercially oriented. Users will need to be in a higher state of awareness and have increased focus on the security aspects of their PC.

But know this: you are not defenseless against ransomware threats. There are security safeguards you can take in order to protect yourself from ransomware attacks, such as CryptoWall 3.0 spam campaigns, and we put them together in a PDF you can download and keep for future reference:

Ransomware Explained. What It Is and How It Works

Here Are the Free Ransomware Decryption Tools You Need to Use

The Anti-Ransomware Protection Plan You Need to Follow Today


Leave a Reply

Your email address will not be published. Required fields are marked *