CryptoWall ransomware rises again with Tor and I2P

News by Doug Drinkwater

A new version of the file-encrypting CryptoWall ransomware has emerged, and it has Tor and Invisible Internet Project (I2P) in tow.

The original version of CryptoWall was discovered in November 2013 but just over one year on – and approximately 40,000 UK infections later, the malware's distribution ground to a halt.

However, in the last week, there have been signs that the ransomware has returned with a vengeance, with newer versions that run on the Tor and I2P anonymity networks so as to evade detection, and shield communications between the victim and the malware's controller.

Just last week, security researchers at Cisco's Talos team revealed the use of Tor with CryptoWall version 2.0 since the autumn while this Wednesday, French malware researcher ‘Kafeine' confirmed the existence of an updated version – CryptoWall 3.0 – that uses I2P in the command and control (C&C) infrastructure when running the malware variant in a test environment.

CryptoWall 3.0 also differs from its predecessor in offering different filenames, new Tor gateways (,,, and – all of which can be used to access the decryption site without having to install Tor) and an extended deadline.

“It seems communication with the C&C are RC4 encoded  (key seems to be alphanum sorted path of the POST ) and using i2p protocol ,” said Kafeine.

I2P has been on the rise recently in the wake of the FBI/Europol's ‘Operation Onymous'  in November which saw the takedown of Silk Road 2.0 and various other darknet sites. It later transpired, however, that most darknet vendors simply moved onto new addresses, some of which are hosted on I2P. Silk Road Reloaded is one of these sites.

Microsoft has confirmed the resurgence of the ransomware but says that the links to the decryption instructions – which are received after the victim has paid the ransom – are still hosted on Tor. Kafeine, however, says that while the sites act as Tor gateways – meaning that the proxy servers are supposed to connect the browser to the decryption instruction page– the user's traffic is passed through I2P.

At this point, the malware is mainly targeting US and European users through spam emails,  drive-by-downloads that exploit web browser vulnerabilities and previously installed malware.

Users are asked for a 2.5 Bitcoin payment (£350), with the language of these warning messages often being tailored by where the victim is based. Kafeine, for example, received a message in French.

Speaking to shortly after the news broke, Kafeine said that he expects more threat actors to come to the party.

“CryptoWall was spread in affiliate mode. I don't think they will change that model so even if there is only one or two actors right now it's a fresh "re start" - we should see more actors joining (or joining again) the "party",” said the researcher.

Mark James, security specialist at ESET, added in an email to SC that there are no significant changes. 

“Apart from file name changes and an extra PNG file there are only a few changes in comparison to CryptoWall 2.0. The end user now gets a little longer to pay before the ransom starts to increase, up from five to seven days. We also see some new Tor gateways being used but apart from that nothing major different at all,” said James.

“The changes themselves will not increase the number of people being infected but these types of infections are very virulent and make news more often because of their damaging nature. People get infected on a daily basis and often the infection is dealt with or removed and they carry on with their day-to-day lives. However when malware changes from infection to encryption like CryptoWall often the results are terminal, but they do not need to be.

“Simple “point in time” backups will help in almost all cases of ransomware infections, but don't be confused around backup and replication. If you replicate your data from one drive to another then your encrypted files will just overwrite your good ones, so make sure its periodic backups that you can go back to. You may lose a few hours work but it's better than paying a ransom or losing everything."

James added that computer users can use Microsoft's own Shadow Copy (Windows 7, 8 XP SP2 and Vista) snapshots to restore encrypted files if they are local, and urged them to keep their anti-virus software up-to-date. Furthermore, turn to applications like ‘Cryptoprevent' to block EXE files from being run in certain areas. Others advised users to back up files to a storage device (perhaps in the cloud) that is disconnected from both the computer and the network.

TK Keanini, CTO at Lancope, said in an email to SC: "Like all threats, as they advance, the game is not getting into a system, the game is to evade detection.  The evolution of CryptoWall follows this same pattern in that with 2.0 the command and control infrastructure used the Tor network and the major shift with 3.0 appears to be a move from Tor to I2P.  Both are effective at anonymising network traffic but the techniques are slightly different.  I2P was designed and optimised for hidden services so performance should be better for CryptoWall 3.0 and other darknet market places using I2P.  

“CryptoWall will continue to grow and evolve so more and more people will be compromised.  Some unfortunate few may be compromised multiple times. The most effective means of combating this threat is to ensure you are backed up."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews