Ransomware is malware that encrypts documents, photos, and other files on a PC and demands an anonymous payment in exchange for the key needed to decrypt them.  Users are given a timeframe, such as 48 hours, to pay the ransom before the files are permanently destroyed. 

A new variant that many security firms call “4.0” has emerged, while the malware authors internally document this version as CryptoWall 3.01.  One major new feature is that file names are encrypted along with the file data, which may make it difficult for infected users to know exactly what might be lost if payment is not rendered in time.

Earlier this week, I saw the most recent variant of CryptoWall as a payload delivered by the Angler exploit kit (EK).  Many people, including me, have been calling this new variant “CryptoWall 4.0.”  However, version 4.0 is not the most accurate term for this ransomware.  So why are we calling it that?

Even though CryptoWall’s authors are not calling it 4.0, the changes in this new variant are quite noticeable.  From a network traffic standpoint, we don’t see the malware check an external site for the infected host’s IP address.  Other changes are also notable: the notification text has changed, the names of the notification files are different, and the file names of your encrypted files are also encrypted.  This is a significant change in CryptoWall.

Below are the major changes in the newest variant of CryptoWall:

* “4.0” no longer performs the IP address check to ip-addr.es that CryptoWall 3.0 did.
* Decryption instructions in “4.0” state it’s “CryptoWall” instead of “CryptoWall 3.0”.
* CryptoWall 3.0 files for decrypt instructions are named HELP_DECRYPT (.TXT, .PNG, etc.)
* CryptoWall “4.0” files for decrypt instructions are named HELP_YOUR_FILES (.TXT, .PNG, etc.)
* CryptoWall “4.0” also encrypts the file names of the files it encrypts.  CryptoWall 3.0 doesn’t change the file names.
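The differences listed above are exactly the kind of indicators an incident responder can turn into a quick triage check.  The script below is an added example written for this post, not code from the original article or from any security vendor: it takes a list of file paths from an infected host and a list of proxy log lines, counts ransom-note files by their base name (HELP_DECRYPT.* for 3.0, HELP_YOUR_FILES.* for “4.0”), records which directories contained a note (useful under “4.0”, where the encrypted file names no longer tell you what was lost), checks whether any request went to ip-addr.es, and combines that into a verdict.  The proxy log layout and all sample paths and log lines are constructed for the example and are assumptions, not captured data.

```python
import re
from collections import Counter

# Indicators taken from the article: CryptoWall 3.0 drops HELP_DECRYPT.* and
# checks its external IP at ip-addr.es; the "4.0" variant drops
# HELP_YOUR_FILES.* and performs no such check.
NOTE_VARIANTS = {
    "HELP_DECRYPT": "CryptoWall 3.0",
    "HELP_YOUR_FILES": 'CryptoWall "4.0"',
}
IP_CHECK_HOST = "ip-addr.es"

# Notes are dropped with several extensions (.TXT, .PNG, ...), so match the
# base name case-insensitively with any extension.
NOTE_RE = re.compile(r"^(HELP_DECRYPT|HELP_YOUR_FILES)\.[A-Za-z0-9]+$", re.IGNORECASE)
# Host part of the request URL in a proxy log line (log layout is assumed).
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def find_ransom_notes(paths):
    """Count ransom-note files per variant, e.g. {'CryptoWall "4.0"': 2}."""
    hits = Counter()
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        m = NOTE_RE.match(name)
        if m:
            hits[NOTE_VARIANTS[m.group(1).upper()]] += 1
    return dict(hits)


def note_directories(paths):
    """Sorted list of directories holding at least one ransom note.

    These are the folders whose contents were encrypted; under "4.0" the
    note is often the only readable clue to what a folder used to hold.
    """
    dirs = set()
    for path in paths:
        parent, _, name = path.replace("\\", "/").rpartition("/")
        if NOTE_RE.match(name):
            dirs.add(parent)
    return sorted(dirs)


def saw_ip_check(proxy_lines):
    """True if any proxy log line records a request to ip-addr.es."""
    for line in proxy_lines:
        for host in URL_HOST_RE.findall(line):
            if host.lower() == IP_CHECK_HOST:
                return True
    return False


def classify(paths, proxy_lines):
    """Combine host and network evidence into a verdict plus the evidence."""
    notes = find_ransom_notes(paths)
    ip_check = saw_ip_check(proxy_lines)
    if 'CryptoWall "4.0"' in notes and not ip_check:
        verdict = 'CryptoWall "4.0"'
    elif "CryptoWall 3.0" in notes and ip_check:
        verdict = "CryptoWall 3.0"
    elif notes:
        verdict = "CryptoWall (mixed indicators: " + ", ".join(sorted(notes)) + ")"
    else:
        verdict = "no CryptoWall ransom notes found"
    return {"verdict": verdict, "notes": notes, "ip_check": ip_check,
            "affected_dirs": note_directories(paths)}


# Constructed sample data for demonstration, not from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\HELP_YOUR_FILES.TXT",
    r"C:\Users\alice\Documents\HELP_YOUR_FILES.PNG",
    r"C:\Users\alice\Documents\q2X9k1.aF3",      # constructed: file name encrypted by "4.0"
    r"C:\Users\alice\Pictures\HELP_YOUR_FILES.HTML",
    r"C:\Users\alice\Pictures\vacation.jpg",
]
# Constructed proxy lines in an assumed "timestamp client method url status" layout.
SAMPLE_PROXY_LOG = [
    "2015-11-05T10:01:12 10.0.0.5 GET http://example.invalid/update.php 200",
    "2015-11-05T10:01:15 10.0.0.5 POST http://example.invalid/gate.php 200",
]

if __name__ == "__main__":
    result = classify(SAMPLE_PATHS, SAMPLE_PROXY_LOG)
    print(result["verdict"])
    for d in result["affected_dirs"]:
        print("ransom note in:", d)
```

Running it on the constructed sample reports a “4.0” verdict because HELP_YOUR_FILES notes are present and no ip-addr.es request appears in the log; feed it a HELP_DECRYPT listing together with a log line to ip-addr.es and it reports CryptoWall 3.0 instead.  The mixed-indicator branch is deliberate: notes from both variants, or “4.0” notes alongside an IP check, should be looked at by a human rather than auto-classified.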