It is being distributed in the usual manner, via an email with an attachment that contains embedded code. Once opened, the malware immediately infiltrates designated files, and in this release it not only encrypts the data files but also alters their names. Using this method, a user is not only locked out of their files but also loses the ability to locate them. The other change in this release is that it tampers with the ‘restore points’ on the machine, which reduces the chances of recovery.
Once the ransomware is launched, the user is shown the typical ‘announcement screen’, but in this case the designers chose to make the message insulting. In a mocking tone, the user reads:
“Congratulations! You have become a part of large community CryptoWall!” as well as “the instructions that you find in folders with encrypted files are not viruses; they are your helpers.” In a final insult, they also include: “In case if these simple rules are violated we will not be able to help you, and we will not try because you have been warned.”
The designers even mock the user with the altered file names they have chosen, including:
The approach taken in the announcement is specifically intended to hit an emotional pain point. Once a user has discovered the infection and done any due diligence in researching it, they will find that CryptoWall 4.0 includes improved communication methods and enhanced cloaking, which together make it considerably more difficult to protect against. The usual payment demand is included on the screen, complete with instructions for paying in Bitcoin.
Professionals worldwide have examined the business model used by the designers of the CryptoWall family and have found that the cybercriminals run the malware operation in the same way as a legitimate software company. Once payment is made, they do appear to hand over the decryption key to release the system lockdown. By following through on their promise, they establish that paying does bring the system back, which in turn sustains a continued revenue stream from the other computer systems and networks they attack.