The State of CryptoWall in 2018

The CryptoWall virus is cheap and easy to use, spreads fast, and people continue to pay the ransom hoping to get their files back, writes Jeff Petters.

CryptoWall and its variants are still favorite toys of the cybercriminals that want your Bitcoin. In fact, according to the 2018 Verizon Data Breach Investigation Report, ransomware incidents now make up about 40% of all reported malware incidents! Some reports say CryptoWall 3.0 has caused over 325 million dollars in damages since it first came on the scene.

CryptoWall first appeared in the wild around 2014: since then, cybercriminals have updated and iterated on it several times to make it even harder to detect and remove.

The CryptoWall virus is cheap and easy to use, spreads fast, and people continue to pay the ransom hoping to get their files back. (Tl;dr: Don’t.) It’s important to maintain constant vigilance to protect data from the CryptoWall virus and all its variants – along with all types of cyberattacks.

What is CryptoWall?

CryptoWall is a particularly nasty form of ransomware. It does much more than just encrypt your files and prompt you to pay for the key: it tries to hide inside the OS and adds itself to the Startup folder. Worse still, CryptoWall deletes volume shadow copies of your files – making it difficult (or in some cases impossible) to restore your data. And while it’s there, it’ll try to get your passwords and Bitcoin wallets for good measure.
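As an added defender-side triage check (not code from the Varonis post), the PowerShell below lists what is in the Windows Startup folders and reports whether any Volume Shadow Copies remain, the two behaviours described above; the set of file extensions it flags for review is an assumption for illustration, not a CryptoWall indicator.

```powershell
# Added example: triage the two CryptoWall behaviours described in the text -
# persistence via the Startup folder and deletion of Volume Shadow Copies.
# Run in an elevated PowerShell session on the host being checked.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Extensions that are unusual as direct Startup entries (shortcuts are normal).
# This list is an assumption for the example, not a malware signature.
$reviewExtensions = @('.exe', '.scr', '.bat', '.cmd', '.vbs', '.js')

Write-Host '== Startup folder contents =='
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $flag = if ($_.Extension.ToLower() -in $reviewExtensions) { 'REVIEW' } else { 'ok' }
            '{0,-7} {1,-22} {2}' -f $flag, $_.LastWriteTime, $_.FullName
        }
}

Write-Host "`n== Volume Shadow Copies =="
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    # Absence of shadow copies is expected on a host that never created any,
    # but on a host that should have them it matches the deletion behaviour above.
    Write-Warning 'No Volume Shadow Copies present; verify against the expected backup schedule.'
} else {
    $shadows |
        Sort-Object InstallDate |
        Select-Object InstallDate, VolumeName, ID |
        Format-Table -AutoSize
}
```

A newest shadow copy that is older than the last scheduled snapshot is as informative as none at all, so compare the dates against the backup schedule rather than just counting entries.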

CryptoWall 3.0 is by far the most lucrative version so far. It uses strong RSA-2048 encryption to lock your files and then tries to get you to pay the ransom.

CryptoWall v4 introduced a new feature that encrypts both the files and the filenames, so you can no longer look at a filename to check whether you have a backup of that file (and restore it). The ransom notes got a lot sassier as well, just to pour salt on the wound of your encrypted data.

CryptoWall v5.1 is the latest version and is based on the HiddenTear malware. It uses AES-256 encryption, a different scheme that does not follow on from the previous versions. It’s possible that the developers used the CryptoWall name but none of the original code.

There are several variants of CryptoWall: CryptoDefense is one of those variants, for example. For the most part, you can treat them similarly.

Continue reading this post on the Varonis blog
