5. Cryptowall

CryptoLocker and its various variants paved the way for another ransomware family, CryptoWall, to emerge with improved encryption, strong enough to credibly demand a ransom from the victim. Cryptowall was also known as Crowti. Peculiarly, it will not infect machines in Russia, Kazakhstan, Belarus, and Ukraine. Cryptowall appeared at the end of 2013 and its user interface was quite similar to CryptoLocker's. It looked as if Cryptowall followed a proper software development life cycle: its releases were given version numbers, unlike those of other malware families. Cryptowall can hide on the victim machine by injecting itself into a legitimate Windows process such as svchost. Its persistence mechanisms include creating a run entry in the registry. Many versions of Cryptowall include self-protection mechanisms, such as detecting whether they are being executed in a malware analysis environment or a sandbox.

Cryptowall extended its list to encrypt these file extensions:

Cryptowall file extensions

The list of targeted file extensions grew with each new Cryptowall version. The encryption technique is somewhat similar to CryptoLocker's. Cryptowall versions may also use TOR and I2P (section 2, Ransomware payment modes, in Chapter 5, Ransomware Economics, discusses the TOR and I2P networks) to keep their network communication hidden.

An unpacked Cryptowall sample, or the virtual memory of a running Cryptowall process, usually contains the names of its ransom note files:

Virtual memory of Cryptowall

Various versions of Cryptowall include anti-VM and anti-analysis techniques, and strings related to these checks can also be visible in memory.

The ransom notes for Cryptowall usually look like the following:

Cryptowall ransom note

The ransom note contains a URL that it describes as the victim's personal page. The victim has to make the payment through this page.

With the newer versions of Cryptowall, the name in the notes changes to Cryptowall 2.0, Cryptowall 3.0, and so on. Cryptowall versions were known to be distributed by exploit kits, and some through spam email too.

https://www.cryptowalltracker.org/ is a famous site that has tracked all Cryptowall versions. We will talk about some important features in the various Cryptowall versions.
