CryptoWall 5.1 Uses AES-256 and Is Based on HiddenTear Ransomware

A new version of CryptoWall, "CryptoWall 5.1", appears to have landed on the malware scene and is currently infecting Italian-speaking users. The truth is probably slightly different: the ransomware's authors have most likely borrowed the CryptoWall name to scare victims even more into paying the ransom.

Nonetheless, the criminals appear to have borrowed some details from the original CryptoWall, like the encryptor.

Other parts of the so-called "CryptoWall 5.1" appear to be based on HiddenTear, the open-source "educational" ransomware project whose code has been reused by many copycat families. The ransomware appends the ".locked" extension to the victim's files and demands 250 euros in exchange for their decryption. Paying ransomware operators is not a good idea, as there is no guarantee your files will actually be decrypted. Continue reading to learn more.

The Technical Side of “CryptoWall 5.1”

What encryption algorithm does the so-called CryptoWall 5.1 employ? And why is the ransomware called "CryptoWall 5.1" if it only uses that name to intimidate users? We answer both questions below.

First, the algorithm used to encrypt files is AES-256, a strong symmetric cipher that many other ransomware families use as well. The cipher itself is not the weak point: a correctly implemented AES-256 cannot be brute-forced, so whether files can be recovered depends entirely on how the key is generated, stored and transmitted. The ransom note quoted below speaks of an "asymmetric algorithm" with a public and a private key; if that is accurate, it describes how the AES key is protected, not the cipher applied to the files themselves. Several HiddenTear-based families have turned out to be decryptable because of weak key generation, so victims should check for a free decryptor before even considering payment.

Security researchers dubbed the ransomware "CryptoWall 5.1" because of the email address the cyber criminals provide in the ransom note (cryptowall51@sigaint.org). This is what the ransom note reads:

Your computer is infected with cryptolocker
Cryptolocker is a malware belonging to the family of Ransomware.
This virus can encrypt the victim’s files with asymmetric algorithms
Wikipedia: https://it.wikipedia.org/wiki/CryptoLocker
How do I restore my files?
Your documents, photos, data and other important files (including USB, hard drives, network locations, etc.) have been encrypted with an asymmetric algorithm to two keys, public and private.
All files mentioned above having the .locked extension have been blocked; you need to unlock the private key.
How do I get the private key?
While the public key has been saved in a directory of your computer system, the private has been sent to our server, to get it you have to pay the amount of 250 €.
As soon as the amount is credited with one of the payment methods, you will receive by mail the private key, and regain access to your data.
Otherwise, at the end of 48h provided for the payment of the ransom, the private key will be deleted and it will no longer be possible to recover files.
CAUTION: Removing cryptolocker will not restore access to encrypted files.
Contact: cryptowall51@sigaint.org

As visible, the ransomware also invokes CryptoLocker as a means of panicking its victims. Both CryptoLocker and CryptoWall have become synonymous with ransomware, and both have extracted millions of dollars in payments from victims. The ransomware business keeps proliferating precisely because victims pay; by paying, they only fund the criminals' next campaign.

In short: this crypto ransomware encrypts user data with AES-256 and then demands a ransom of 250 euros to return the files. Its developers apparently gave it the name of the notorious CryptoWall extortionware to intimidate victims; in reality it is built on the HiddenTear ransomware kit. Encrypted files receive the .locked extension.
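The three indicators named above (the .locked extension, file contents that look like AES output, and a ransom note carrying the contact address) are exactly what an incident responder checks first on a suspected host. The following script is an added example, not code from the article or from the malware: it walks a directory, records which files carry the .locked extension, measures the byte entropy of each to tell genuinely encrypted files from files that were merely renamed, recovers the original file names (HiddenTear-style encryptors simply append the extension), and flags any file containing the ransom note's contact address. The entropy threshold, the sample size and the file names in the constructed test tree are assumptions.

```python
"""Triage helper for a host suspected of a "CryptoWall 5.1" / HiddenTear-style infection.

Added example, not code from the original article or from the malware. It looks for
the indicators the article names: files renamed with the ".locked" extension, file
contents whose byte distribution looks like ciphertext (AES output is
indistinguishable from random bytes), and a ransom note carrying the contact
address cryptowall51@sigaint.org. The threshold and sample data are assumptions.
"""
import math
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

LOCKED_EXT = ".locked"                    # extension reported for this family
NOTE_MARKER = "cryptowall51@sigaint.org"  # contact address from the ransom note
ENTROPY_THRESHOLD = 7.5                   # bits/byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


@dataclass
class TriageReport:
    locked_files: list = field(default_factory=list)        # paths with .locked extension
    low_entropy_locked: list = field(default_factory=list)  # .locked but NOT ciphertext-like
    ransom_notes: list = field(default_factory=list)        # files containing the contact address
    original_names: list = field(default_factory=list)      # pre-encryption file names


def triage_directory(root: str, sample_size: int = 4096) -> TriageReport:
    """Walk `root` and classify files by the indicators described in the article."""
    report = TriageReport()
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_size)
        if path.suffix == LOCKED_EXT:
            report.locked_files.append(str(path))
            # HiddenTear-style encryptors keep the original name and append the
            # extension, so stripping ".locked" gives the name to restore to later.
            report.original_names.append(path.name[: -len(LOCKED_EXT)])
            # A renamed-but-unencrypted file (bug or interrupted run) is worth
            # knowing about: it may be recoverable by simply renaming it back.
            if shannon_entropy(head) < ENTROPY_THRESHOLD:
                report.low_entropy_locked.append(str(path))
        elif NOTE_MARKER.encode() in head.lower():
            report.ransom_notes.append(str(path))
    return report


def build_sample_tree(root: str) -> None:
    """Constructed test data standing in for an infected user profile (not real samples)."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    # Stand-in for AES-256 output: every byte value equally often -> entropy 8.0.
    (docs / "budget.xlsx.locked").write_bytes(bytes(range(256)) * 16)
    # A file that was renamed but whose contents were never encrypted.
    (docs / "notes.txt.locked").write_bytes(b"quarterly notes\n" * 200)
    # An untouched file that must not be flagged.
    (docs / "readme.txt").write_bytes(b"nothing to see here\n")
    # Ransom note carrying the contact address quoted in the article.
    (docs / "READ_ME.txt").write_text(
        "Your computer is infected with cryptolocker\nContact: cryptowall51@sigaint.org\n"
    )


def demo() -> TriageReport:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.locked_files)} .locked file(s), {len(r.low_entropy_locked)} not actually "
          f"encrypted, {len(r.ransom_notes)} ransom note(s); originals: {r.original_names}")
```

Run it against a copy of the affected profile rather than the live one, and treat the low-entropy list as the cheap win: those files were renamed but never encrypted and can be restored without a key. The high-entropy list tells you the scale of the damage; the recovered original names are what a decryptor, if one exists for this variant, needs to write back.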

How Is CryptoWall 5.1 Being Spread?

Ransomware often relies on aggressive spam and phishing campaigns in order to reach as many users as possible in a short time. Such emails carry luring subject lines that trick users into opening them. Infection normally requires a further step, opening an attachment or following a link, although vulnerabilities in mail clients have occasionally made merely rendering a message sufficient. In most cases the email body contains a malicious attachment (typically a macro-enabled document or a script hidden in an archive) or a URL that redirects the user to an exploit kit.

Under no circumstances should users interact with unexpected emails that appear to come from an official entity, however plausible they look.

In fact, it is cyber criminals trying to get to you!