CryptoWall ransomware rises again with Tor and I2P

A new version of the file-encrypting CryptoWall ransomware has emerged, and it has Tor and Invisible Internet Project (I2P) in tow.

CryptoWall back from the dead with Tor and I2P
CryptoWall back from the dead with Tor and I2P

The original version of CryptoWall was discovered in November 2013 but just over one year on – and approximately 40,000 UK infections later, the malware's distribution ground to a halt.

However, in the last week, there have been signs that the ransomware has returned with a vengeance, with newer versions that run on the Tor and I2P anonymity networks so as to evade detection, and shield communications between the victim and the malware's controller.

Just last week, security researchers at Cisco's Talos team revealed the use of Tor with CryptoWall version 2.0 since the autumn while this Wednesday, French malware researcher ‘Kafeine' confirmed the existence of an updated version – CryptoWall 3.0 – that uses I2P in the command and control (C&C) infrastructure when running the malware variant in a test environment.

CryptoWall 3.0 also differs from its predecessor in offering different filenames, new Tor gateways (torforall.com,torman2.com, torwoman.com, and torroadsters.com – all of which can be used to access the decryption site without having to install Tor) and an extended deadline.

“It seems communication with the C&C are RC4 encoded  (key seems to be alphanum sorted path of the POST ) and using i2p protocol ,” said Kafeine.

I2P has been on the rise recently in the wake of the FBI/Europol's ‘Operation Onymous'  in November which saw the takedown of Silk Road 2.0 and various other darknet sites. It later transpired, however, that most darknet vendors simply moved onto new addresses, some of which are hosted on I2P. Silk Road Reloaded is one of these sites.

Microsoft has confirmed the resurgence of the ransomware but says that the links to the decryption instructions – which are received after the victim has paid the ransom – are still hosted on Tor. Kafeine, however, says that while the sites act as Tor gateways – meaning that the proxy servers are supposed to connect the browser to the decryption instruction page– the user's traffic is passed through I2P.

At this point, the malware is mainly targeting US and European users through spam emails,  drive-by-downloads that exploit web browser vulnerabilities and previously installed malware.

Users are asked for a 2.5 Bitcoin payment (£350), with the language of these warning messages often being tailored by where the victim is based. Kafeine, for example, received a message in French.

Speaking to SCMagazineUK.com shortly after the news broke, Kafeine said that he expects more threat actors to come to the party.

“CryptoWall was spread in affiliate mode. I don't think they will change that model so even if there is only one or two actors right now it's a fresh "re start" - we should see more actors joining (or joining again) the "party",” said the researcher.

Mark James, security specialist at ESET, added in an email to SC that there are no significant changes. 

“Apart from file name changes and an extra PNG file there are only a few changes in comparison to CryptoWall 2.0. The end user now gets a little longer to pay before the ransom starts to increase, up from five to seven days. We also see some new Tor gateways being used but apart from that nothing major different at all,” said James.

Page 1 of 2