The CryptoWall ransomware has been updated to make it increasingly difficult for users to recover encrypted data.
The latest version of CryptoWall, version 4.0, will now alter the file names of data that it has encrypted to prevent victims from determining exactly what has been affected by the program. In addition, ransomware will now delete all system restore points upon its installation in an effort to ensure that data remains unrecoverable. If infected, the app will be accompanied by a message to victims, shown in the screenshot posted above, which states that they will be unable to recover their data unless they pay the ransom, and that any other attempt to recover data may result in irreversible loss.
CryptoWall traditionally infects systems through drive-by attacks and malicious attachments included within spam e-mails. According to Andra Zaharia of Heimdall Security, CryptoWall 4.0, like its predecessors, "includes advanced malware dropper mechanisms to avoid antivirus detection," but the latest version also introduces "a modified protocol that enables it to avoid being detected."
While it may be tempting for victims of ransomware to pay the ransom(the FBI has previously suggested that victims should do so), data recovery is not guaranteed. Moreover, an attempt to pay the ransom may facilitate the distribution of CryptoWall to other systems unaffected by the program.
In June 2015, the FBI regarded CryptoWall as "the most current and significant threat targeting U.S. individuals and businesses" and reported that victims' losses had totaled over $18 million USD. In October, the Cyber Threat Alliance estimated that the attackers behind the ransomware have amassed more than $325 million USD from victims.