{"id":894,"date":"2015-07-11T20:27:16","date_gmt":"2015-07-12T00:27:16","guid":{"rendered":"http:\/\/www.ccrepairservices.com\/blog\/?p=894"},"modified":"2015-07-16T16:35:35","modified_gmt":"2015-07-16T20:35:35","slug":"cryptowall-3-0-is-back-and-rapidly-spreading-ransome-virus-malware-spyware-spam-email","status":"publish","type":"post","link":"https:\/\/www.ccrepairservices.com\/blog\/computer-news\/cryptowall-3-0-is-back-and-rapidly-spreading-ransome-virus-malware-spyware-spam-email\/","title":{"rendered":"Cryptowall 3.0 is back and rapidly spreading &#8211; Ransom Virus Malware Spyware Spam Email"},"content":{"rendered":"<figure  class=\"wp-caption aligncenter\"  ><img loading=\"lazy\" decoding=\"async\" class=\"\" src=\"https:\/\/trtpost-wpengine.netdna-ssl.com\/files\/2015\/05\/angler_additions.jpg\" alt=\"Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Recovery and Decrypter\" width=\"680\" height=\"400\" \/><figcaption  class=\"wp-caption-text\">Cryptowall 3.0 Spreading again Removal DecrypterCryptowall 3.0 Rapidly Spreading again Removal Repair Ransom Recovery and Decrypter CALL 754-234-5598<\/figcaption><\/figure>\n<p><span style=\"color: #00ff00;\">Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm\u2019s way.<\/span><\/p>\n<p><span style=\"color: #ff0000;\">A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both.<\/span><br \/>\n<span style=\"color: #ffffff;\">Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits.<\/span><\/p>\n<p><span style=\"color: #ffffff;\">As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously.<\/span><\/p>\n<blockquote><p>At this point, I\u2019m not 100 percent certain it\u2019s the same actor behind all this Cryptowall 3.0 we\u2019ve been seeing lately,\u201d Duncan wrote on the SANS ISC website. \u201cHowever, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.<\/p><\/blockquote>\n<p>Duncan said that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom.<\/p>\n<p>\u201cWe\u2019re seeing a lot more samples of CryptoWall 3.0 in the spam\/EK traffic now than before, so maybe the increased exposure might help infect more computers,\u201d Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data.<\/p>\n<p>Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning.<\/p>\n<p>The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.<\/p>\n<blockquote><p>Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,\u201d Duncan wrote. \u201cThe return traffic is gzip compressed, so you won\u2019t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.<\/p><\/blockquote>\n<p>Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.<\/p>\n<p>Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today.<\/p>\n<blockquote><p>\u201cThere are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,\u201d Duncan said. \u201cI\u2019m not sure on this one. It\u2019s just my gut feeling, which could be wrong.\u201d<\/p><\/blockquote>\n<p>Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed.<\/p>\n<p>\u201cThe significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,\u201d Duncan said. \u201cThe actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.\u201d<\/p>\n<h2 style=\"text-align: center;\"><a href=\"https:\/\/www.CCREPAIRSERVICES.COM\">www.CCREPAIRSERVICES.COM<\/a><\/h2>\n<h1 style=\"text-align: center;\">Local and Online PC Computer Repair Tel. 754-234-5598<\/h1>\n<h2 style=\"text-align: center;\"><span style=\"color: #00ff00;\"><span style=\"text-decoration: underline;\">FAST SAME DAY<\/span> <span style=\"color: #ff9900;\">COMPUTER REPAIR, VIRUS REMOVAL, CRYTOWALL FILE RECOVERY AND LAPTOP SCREEN REPAIR SERVICE<\/span><\/span><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm\u2019s way. A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both. Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits. As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously. At [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[1323,1322,1324,168,1308,337,833,1313,1303,1304,1314,1306,1301,1317,1316,1302,1305,32,1318,1311,416,167,156,33,1086,1309,362,330,1320,1307,392,1312,158,1319,170,1315,475,1310,152,1321,7],"class_list":["post-894","post","type-post","status-publish","format-standard","hentry","category-computer-news","category-virus-and-malware-threats","tag-2-0","tag-3-0","tag-4-0","tag-apple","tag-bitcoin","tag-boca-raton","tag-cryptowall","tag-cryptowall-file-recovery","tag-cryptowall-help","tag-cryptowall-recovery","tag-cryptowall-removal","tag-data-recovery","tag-decrypter","tag-emergency","tag-fast","tag-file-decrypter","tag-file-recovery","tag-fort-lauderdale","tag-how-to","tag-internet","tag-local","tag-mac","tag-malware","tag-miami","tag-new","tag-on-line","tag-online","tag-pc","tag-ransom","tag-ransome","tag-recovery","tag-recovery-of-files","tag-removal","tag-remove","tag-repair","tag-same-day","tag-service","tag-spam","tag-spyware","tag-varient","tag-virus"],"_links":{"self":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/comments?post=894"}],"version-history":[{"count":7,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/894\/revisions"}],"predecessor-version":[{"id":901,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/894\/revisions\/901"}],"wp:attachment":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/media?parent=894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/categories?post=894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/tags?post=894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}