5.3 Cryptowall 3.0

Cryptowall 3.0 was reported in January 2015. It was primarily known to be distributed through the Magnitude and Fiesta exploit kits.

The ransomware drops the instructions to decrypt and a warning in the following files as ransom notes:

  • HELP_DECRYPT.HTML
  • HELP_DECRYPT.TXT
  • HELP_DECRYPT.PNG
  • HELP_DECRYPT.URL
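The four note files above are a simple host-based indicator: an infected folder normally holds several of them side by side. The following script is an added example (not code from the book) that flags directories containing at least a configurable number of distinct CryptoWall 3.0 note files; the sample path listing is constructed, and `scan_tree` applies the same check to a real directory tree.

```python
import os
from collections import defaultdict

# Ransom note file names dropped by CryptoWall 3.0 (as listed in the text).
CRYPTOWALL3_NOTES = frozenset({
    "HELP_DECRYPT.HTML",
    "HELP_DECRYPT.TXT",
    "HELP_DECRYPT.PNG",
    "HELP_DECRYPT.URL",
})

def _split(path):
    """Split a Windows or POSIX path into (directory, file name), normalising
    separators to '/' so Windows paths can be processed on any host."""
    directory, _, name = path.replace("\\", "/").rpartition("/")
    return directory, name

def find_ransom_note_dirs(paths, min_notes=2):
    """Return {directory: sorted note names} for every directory that holds
    at least `min_notes` distinct CryptoWall 3.0 note files (case-insensitive).
    The threshold filters out a single stray file; set it to 1 for maximum recall."""
    notes_by_dir = defaultdict(set)
    for path in paths:
        directory, name = _split(path)
        if name.upper() in CRYPTOWALL3_NOTES:
            notes_by_dir[directory].add(name.upper())
    return {d: sorted(n) for d, n in notes_by_dir.items() if len(n) >= min_notes}

def scan_tree(root, min_notes=2):
    """Walk a real directory tree and apply the same check to every file."""
    paths = [os.path.join(dirpath, f)
             for dirpath, _, files in os.walk(root) for f in files]
    return find_ransom_note_dirs(paths, min_notes)

# Constructed sample listing (not real infection data) for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\HELP_DECRYPT.HTML",
    r"C:\Users\alice\Documents\HELP_DECRYPT.TXT",
    r"C:\Users\alice\Documents\HELP_DECRYPT.PNG",
    r"C:\Users\alice\Documents\HELP_DECRYPT.URL",
    r"C:\Users\alice\Pictures\help_decrypt.txt",   # lone note, below threshold
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\bob\Desktop\HELP_DECRYPT.txt",
    r"C:\Users\bob\Desktop\HELP_DECRYPT.html",
]

if __name__ == "__main__":
    for directory, notes in find_ransom_note_dirs(SAMPLE_PATHS).items():
        print(f"{directory}: {', '.join(notes)}")
```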

CryptoWall 3.0 targets 312 file extensions.

It used an RSA 2048-bit public key, downloaded from the CnC domain, together with AES-256 in CBC mode for file encryption. This hybrid scheme made the encryption strong and free of implementation flaws, so the files could not be decrypted without the private key.

After successful encryption, the ransom note page appears. It contains URLs to the victim's personal page, which is accessible only through a TOR browser.

Cryptowall 3.0 was the first ransomware to use I2P (Invisible Internet Project). I2P was invented mainly for malicious purposes and was known to be used in combination with TOR. The I2P connection was used for C&C communication, while payment was made through TOR. This was probably done for decentralization and anonymity: payment could still be made, anonymously, even if some of the payment servers were down.

CryptoWall 3.0 introduced a CAPTCHA page before redirecting to the final page where the victim can make the payment and retrieve the decryption keys. This is meant to defeat sandboxes and other automated malware analysis systems:

Captcha page

After the CAPTCHA page, the victim is directed to the page that has the instructions to make payment and decode the files:

Ransom note for Cryptowall 3.0

CryptoWall 3.0 charges according to geolocation: $700 for the US and $500 for other countries.
