"It seems communication with the C&C (command and control) is RC4 encoded -- the key seems to be alphanumeric sorted path of the POST -- and using I2P protocol," Kafeine wrote in a blog post. "So they are sadly back and we can expect a lot of them in [developing] exploit kits, spam, and botnets."
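To make the quoted observation concrete for analysts who need to read captured beacons, here is an added example decoder (not code from the article, from Kafeine's post, or from the malware) that implements plain RC4 and derives the key from the POST path as the quote describes. Two details are assumptions, since the quote does not fix them: the key is taken to be the alphanumeric characters of the path sorted in ASCII order (slashes and dots dropped), and the sample path, body and beacon text are constructed here for illustration. A printable-ratio check is included because that is the usual way to confirm a guessed key derivation against real traffic: a correct key yields mostly printable text, a wrong one yields noise.

```python
# Added example for reading RC4-encoded C&C traffic keyed on the sorted POST
# path. Assumptions (not stated on the page): key = alphanumeric characters of
# the path sorted in ASCII order; sample path/body below are constructed.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(post_path: str) -> bytes:
    """Key = alphanumeric characters of the POST path, sorted (assumed ASCII order)."""
    chars = [c for c in post_path if c.isalnum()]
    if not chars:
        raise ValueError("POST path contains no alphanumeric characters")
    return "".join(sorted(chars)).encode("ascii")


def decode_c2_body(post_path: str, body: bytes) -> bytes:
    """Decrypt a captured POST body using the key derived from its path."""
    return rc4(derive_key(post_path), body)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; near 1.0 means the key guess is right."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return printable / len(data)


# Constructed sample traffic (illustrative only): the body is produced here by
# encrypting a made-up beacon with the derived key, exactly as a capture would
# look if the quoted scheme holds.
SAMPLE_PATH = "/aWk3zT9q.php"
SAMPLE_PLAINTEXT = b"constructed-beacon|id=1234|v=3"
SAMPLE_BODY = rc4(derive_key(SAMPLE_PATH), SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    decoded = decode_c2_body(SAMPLE_PATH, SAMPLE_BODY)
    print("key        :", derive_key(SAMPLE_PATH).decode())
    print("ciphertext :", SAMPLE_BODY.hex())
    print("decoded    :", decoded)
    print("printable  :", round(printable_ratio(decoded), 2))
    # Wrong key hypothesis (unsorted path) for comparison: output should look like noise.
    wrong = rc4(SAMPLE_PATH.encode(), SAMPLE_BODY)
    print("wrong-key printable ratio:", round(printable_ratio(wrong), 2))
```

Running the script prints the derived key, the constructed ciphertext and the recovered beacon; the last line shows how a wrong key hypothesis is spotted by its low printable ratio. For a real capture you would replace `SAMPLE_PATH` and `SAMPLE_BODY` with the path and raw body from the HTTP POST and adjust `derive_key` if the true derivation turns out to differ from the assumed one.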
Ransomware used to be simple, with a dogged determination to extort money from victims. But with the exponential rise in ransomware samples last year, we saw more subtle designs, including "Cryptolocker", which was taken down along with the "Gameover ZeuS" botnet last June. As a result, another, improved ransomware package has sprung up to replace it: CryptoWall.
Ransomware is an emerging threat in the evolution of cybercriminals' techniques to part you from your money. Typically, the malicious software either locks the victim's computer system or encrypts the documents and files on it, in order to extort money from the victim. Since last year, criminals have generated an estimated US$1 million in profits.
Now the infamous CryptoWall ransomware is back with a new and improved version of the file-encrypting program, which researchers spotted compromising victims early this week, security researchers warned.
The new version, dubbed CryptoWall 3.0 (or Crowti), uses the Tor and I2P (Invisible Internet Project) anonymity networks to carry communication between victims and controllers, keeping it away from researchers and law enforcement officials.
The most notable use of the little-known "I2P" anonymous network is the re-emerged Silk Road Reloaded, the new version of the notorious online black marketplace that operated as a Tor hidden service before it was shut down by law enforcement.
French researcher Kafeine (Kafeine's blog) confirmed the use of I2P for command-and-control communication, while Microsoft reported that links to the decryption instructions page are still served over the Tor network. Horgh (@Horgh_RCE) has released a technical analysis of the malware, which Microsoft identified late last year as being on the rise.
Typically, CryptoWall encrypts the victims' files with the strong RSA-2048 algorithm and holds them until the victim pays a ransom to have them decrypted. It demanded that victims pay the equivalent of US$500 in the Bitcoin virtual currency to receive the decryption key that lets them recover their files.
The ransomware program provides users with links to several sites that act as Tor gateways, automatically connecting the user's browser to the CryptoWall decryption service hosted on the Tor network. With CryptoWall 3.0, however, the user's traffic is also passed through another anonymity network, I2P.