Is Cryptowall a ransomware variant?

In the opening paragraph, we will provide a quick answer to the main question – yes, Cryptowall is considered a variant of ransomware. Ransomware is a type of malicious software that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files. Cryptowall emerged in 2014 as a major ransomware threat and is considered one of the first ransomware variants to use strong encryption methods to lock files.

What is ransomware?

Ransomware is a form of malware that employs encryption to hold a victim’s information at ransom. A user’s data is encrypted so that they cannot access files, databases, or applications. The attackers then demand ransom money in cryptocurrency, such as Bitcoin, in exchange for the decryption key. Ransomware attacks have been rapidly growing since around 2012, with instances of ransomware increasing by around 15 times between 2014 and 2017. Some of the most common ransomware variants include CryptoLocker, CryptoWall, Locky, SamSam and Ryuk.

What are some key features of ransomware?

There are a few key features that define the behavior of ransomware:

  • Encryption of files – Ransomware uses encryption algorithms to encrypt a victim’s files, making them inaccessible.
  • Ransom demand – After encrypting files, ransomware displays a ransom note demanding payment, usually in a cryptocurrency like Bitcoin.
  • Time limit – Ransom notes often threaten permanent file loss if payment is not received within a designated timeframe.
  • Anonymous payment – Cryptocurrency addresses are provided for anonymous ransom payments that are difficult to trace.
  • Malware distribution – Ransomware is distributed through various malware attacks like infected email attachments, compromised websites, and software vulnerabilities.

When did Cryptowall first appear?

The first version of Cryptowall ransomware was observed in early 2014. It was initially distributed via exploit kits and phishing emails. The malware was called Cryptowall because it utilized encryption algorithms to encode files and demand ransom money in Bitcoin cryptocurrency. Cryptowall 1.0 contained many similarities to the earlier CryptoLocker ransomware that emerged in 2013.

How did Cryptowall ransomware infect systems?

The initial version of Cryptowall ransomware relied on exploit kits and phishing emails for distribution. Some of the key infection vectors included:

  • Infected email attachments masquerading as invoices, delivery notices, or other files.
  • Malicious attachments with double file extensions like .pdf.exe or .jpg.exe to trick users.
  • Exploit kits hosted on compromised websites that targeted browser vulnerabilities.
  • Fake software downloads bundled with the ransomware payload.

Once installed on a system, Cryptowall would encrypt files using RSA-2048 and AES encryption algorithms. It targeted files like documents, photos, videos, and databases for encryption. A ransom note in the form of README_FOR_DECRYPT.txt, README_FOR_DECRYPT.url or README_FOR_DECRYPT.bmp was dropped on the infected system with payment instructions.

What file extensions did Cryptowall target?

The early versions of Cryptowall ransomware targeted several hundred different file types for encryption. Some of the common file extensions targeted included:

.doc .docx .xls .xlsx
.ppt .pptx .pst .ost
.jpg .jpeg .txt .cs
.php .asp .htm .xml
.psd .dwg .dxg .sxi

This included Microsoft Office files, images, databases, emails, source code files, and Adobe files among many others. The malware recursively encrypted files across local drives and mounted network shares.

How much ransom did Cryptowall demand?

The initial variants of Cryptowall demanded relatively low ransom amounts between $100-$500 to be paid within 4-72 hours. For example, Cryptowall 1.0 demanded $500 in Bitcoin to provide the decryption key.

Later versions of Cryptowall increased the ransom demands significantly as the operators realized they could extort higher amounts. In 2015, Cryptowall 3.0 demanded ransoms of $500 initially, increasing to $10,000 if not paid within a week.

How did Cryptowall encrypt files?

Cryptowall used a combination of RSA and AES encryption to lock files:

  • RSA-2048 public-key encryption was used to generate a unique RSA keypair for each infected host.
  • The RSA private key was encrypted with a unique AES-256 key and then exfiltrated to the attacker’s server.
  • The AES key was then used with AES-256 algorithm to encrypt files on the host.
  • A separate RSA-2048 public key was used to encrypt and transmit the AES key to the attacker’s server.

This complex process made decryption without the attacker’s private RSA key mathematically infeasible. Each infected host had a different RSA keypair and AES key, preventing decryption via a single master key.

How did Cryptowall change over time?

Cryptowall evolved significantly over various versions to improve its efficacy and evade detection. Some of the major enhancements included:

  • Cryptowall 2.0 in 2014 – Added TOR implementation for command and control.
  • Cryptowall 3.0 in 2015 – Switched from TOR to I2P for anonymity, dynamic ransom amounts.
  • Cryptowall 4.0 in 2016 – Expanded file targeting from 300+ to over 1000+ extensions.
  • Cryptowall 5.0 in 2016 – Anti-analysis techniques, enhanced I2P command and control.

Later Cryptowall versions also focused on targeting servers and NAS devices for larger ransom payouts. The operators expanded their distribution method to include exploit kits, remote desktop access, and SMB vulnerabilities.

What was the impact of Cryptowall?

Cryptowall became one of the most destructive and lucrative ransomware strains:

  • The FBI estimated losses of over $18 million from April 2014 to June 2015 from Cryptowall 3.0 alone.
  • Researchers estimated global losses between $325 million to $1.6 billion from 2015 to 2017 across all Cryptowall versions.
  • Upwards of 650,000 systems were infected globally based on Bitcoin wallet addresses.
  • Companies paid over $10,000 on average to recover from Cryptowall infections.

Cryptowall infections were particularly devastating for small businesses, with 60% unable to recover after paying the ransom. The operators raked in large profits, estimated between $300,000 to $1 million weekly.

How was Cryptowall distributed globally?

Cryptowall heavily leveraged the massive Cutwail botnet for global distribution. Cutwail infected over 3.5 million machines at its peak. Other tactics included:

  • Malvertising campaigns via compromised ad networks
  • Spamming malicious email attachments
  • Leveraging downloader Trojans like Upatre or Zbot
  • Posting links on high traffic forums
  • Bundling with fake software installers

These tactics allowed Cryptowall variants to spread rapidly across the United States, Canada, Australia, Europe, and Japan infecting hundreds of thousands of systems.

What are some notable Cryptowall attacks?

Some major organizations impacted by significant Cryptowall attacks include:

  • Hollywood Presbyterian Medical Center – Paid $17,000 ransom in Feb 2016.
  • University of Calgary – Paid $20,000 ransom in May 2016.
  • Kansas Heart Hospital – Paid $17,000 ransom in May 2016.
  • Kentucky Transportation Cabinet – System outage from infection in Apr 2016.
  • New Jersey Spine Center – Attack in Mar 2016 disrupted operations.

Many other businesses and government agencies faced six figure losses and significant downtime. This demonstrated how a single lapse in security could enable crippling Cryptowall intrusions.

What tactics were used to spread Cryptowall?

The cybercriminals behind Cryptowall used various clever tactics to spread infections, including:

  • Spamming emails containing malicious Office documents or PDFs as attachments
  • Using social engineering lures in emails like fake payment notices or shipping notices
  • Leveraging macro code inside Office files to download payload
  • Embedding payload inside right-to-left override HTML tags in spam emails
  • Using sophisticated crypters and packers to obfuscate payloads
  • Compromising servers to inject iframe redirects into websites

These techniques enabled the malware to bypass many email and web security layers. Users were tricked into enabling macros or downloading embedded executables or scripts, resulting in infection.

What prevention best practices help against Cryptowall?

Cryptowall demonstrated the need for a layered defense to prevent, detect, and respond to ransomware. Some key best practices include:

  • Training employees to identify social engineering and phishing emails
  • Keeping software patched and updated to close vulnerabilities
  • Using least privilege and strict file permissions
  • Deploying endpoint protection with behavior monitoring
  • Using email security and web filtering solutions
  • Regularly backing up critical data offline
  • Segmenting networks and disabling SMBv1

These measures limit the attack surface and offer multiple opportunities to stop ransomware before it can inflict major damage.

How did Cryptowall 5.0 enhance evasion?

Cryptowall 5.0, first observed in Feb 2016, incorporated several advanced features for evasion:

  • Removed use of Command and Control servers for more stealth
  • Implemented various anti-analysis techniques
  • Used powerful packers like Themida to avoid detection
  • Disabled Windows Event Logging service
  • Overloaded and dissected strings to deter analysis
  • Encrypted web traffic via I2P network

These made traditional signature-based detection ineffective. Behavior analysis and machine learning became necessary to recognize the ransomware activity.


In summary, Cryptowall was one of the most sophisticated and profitable ransomware strains when it first appeared. Its use of strong RSA and AES encryption made it functionally near-impossible to decrypt files without the private key. While newer ransomware families have since emerged, Cryptowall demonstrated the highly lucrative criminal business model of extorting organizations through ransomware.

Defending against Cryptowall requires a proactive security posture with layered defenses across email, endpoints, web traffic, backups, and user training. Cryptowall operators relied on a variety of clever social engineering and distribution tactics to infiltrate networks. To guard against future ransomware attacks, organizations should ensure robust security policies, software updates, user education, and backup processes are in place.