Monday, February 9, 2015

Cryptowall 3.0: Back to the Basics

This post was authored by Andrea Allievi & Earl Carter

Ransomware continues to impact a large number of organizations and the malware continues to evolve. In January, we examined Cryptowall 2.0 and highlighted new features incorporated into the dropper and Cryptowall binary. When Cryptowall 3.0 appeared, we were interested in seeing what new functionality was incorporated into this latest variant in the Cryptowall series.

The latest 3.0 sample that we analyzed was in a zip file. This zip file contains multiple dropper files which are essentially identical in functionality except for the encryption algorithm used to obfuscate the dropper and eventually build the Cryptowall 3.0 binary.

Similar to the 2.0 version, the dropper is encrypted with a custom algorithm three times, but that is where the similarities end. In the 3.0 sample that we analyzed, the following dropper features (which we identified as being operational in version 2.0) have been removed:

  • Switching between 32 and 64 bit operation
  • Employing multiple exploits in the dropper
  • Anti-VM check to prevent running in virtual environment

Examining the dropper in the 3.0 sample indicates that it includes a lot of useless API calls and dead code. Apparently the dropper for this version of Cryptowall has been streamlined. The lack of any exploits in the dropper seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit’s functionality could be used to gain privilege escalation on the system. Without privilege escalation, attempting to turn off many enabled security features on the system is likely to fail.

Constructing the Unencrypted Cryptowall Binary

During the first decryption stage, the dropper reads its encrypted code, decrypts it, and stores it at RVA 0x1B9E0A0 (in the data section). The second-stage decryption code begins by locating the byte pattern (0x35, 0x5e, 0x74) inside its “.data” section. Once this location is identified, it decrypts the data following that marker directly onto the stack. Finally, the third stage begins by transferring execution to the unencrypted code that was placed on the stack. During this third stage, the code builds the small IAT (roughly 30 APIs) needed to extract and decrypt the BASE64-encoded resource (ID 62) placed inside the “Message Tables” group. The resource is decoded and then decrypted. The decrypted resource is a file that contains the code for the last encryption stage.

The last stage builds another IAT and cycles through all running processes to locate its parent process and check whether that process's name is “perl.exe” or “python.exe”. If the parent process name is “perl.exe” or “python.exe”, the program runs the following endless loop and never executes the Cryptowall 3.0 code.


If the parent process is not “perl.exe” or “python.exe”, the encrypted code inside the resource (which is actually a PE file) is decrypted into an external buffer; a process is created in a suspended state (backed by the original packed executable) and the same trick used in CryptoWall 2.0 is employed to inject the clean PE into the suspended process (ZwUnmapViewOfSection / VirtualAllocEx / WriteProcessMemory). Finally, execution control is released to the clean CryptoWall 3.0 code.
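The two indicators described above (the three-byte stage-2 marker in the “.data” section and the “perl.exe” / “python.exe” parent-process check) are the kind of thing an analyst checks for when triaging a dumped section or an unpacked stage. The following Python 3.8+ script is an added example written for this page, not code from the original post or from Talos; the sample bytes, the section layout and the resource contents are constructed stand-ins (the real stage-2 data is custom-encrypted, so only the locate and base64-decode steps are shown, not the decryption):

```python
from __future__ import annotations

import base64
import binascii
import re

# Marker that precedes the stage-2 blob in the dropper's ".data" section.
STAGE2_MARKER = bytes([0x35, 0x5E, 0x74])

# Process names the last stage compares the parent process against.
EVASION_NAMES = [b"perl.exe", b"python.exe"]


def find_marker_payload(section: bytes, marker: bytes = STAGE2_MARKER) -> list[tuple[int, bytes]]:
    """Return (offset, bytes-after-marker) for every occurrence of the marker.

    A three-byte marker can appear by chance in a large section, so every hit
    is returned and the analyst decides which one is the real stage-2 blob.
    """
    hits: list[tuple[int, bytes]] = []
    start = 0
    while (idx := section.find(marker, start)) >= 0:
        hits.append((idx, section[idx + len(marker):]))
        start = idx + 1
    return hits


def decode_resource(blob: bytes) -> bytes | None:
    """Base64-decode a dumped resource, or return None if it is not base64.

    Whitespace is stripped first because message-table strings are often
    wrapped; validate=True rejects blobs with characters outside the alphabet.
    """
    compact = b"".join(blob.split())
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_evasion_strings(data: bytes) -> dict[str, list[int]]:
    """Report offsets of the parent-process names in ASCII and UTF-16LE form."""
    found: dict[str, list[int]] = {}
    for name in EVASION_NAMES:
        wide = name.decode("ascii").encode("utf-16-le")
        offsets = [m.start() for enc in (name, wide) for m in re.finditer(re.escape(enc), data)]
        if offsets:
            found[name.decode("ascii")] = sorted(offsets)
    return found


# Constructed sample inputs (not real Cryptowall bytes): a fake ".data" section
# with 16 bytes of filler before the marker, a wrapped base64 resource, and a
# fake last-stage buffer holding one ASCII and one UTF-16LE process name.
SAMPLE_SECTION = b"\x00" * 16 + STAGE2_MARKER + b"ENCRYPTED-STAGE2-BLOB"
_encoded = base64.b64encode(b"MZ\x90\x00fake-stage-file")
SAMPLE_RESOURCE = _encoded[:8] + b"\r\n" + _encoded[8:]
SAMPLE_STAGE = b"\x00" * 4 + b"perl.exe\x00" + "python.exe".encode("utf-16-le")


def triage(section: bytes, resource: bytes, stage: bytes) -> dict:
    """Run all three checks and bundle the results for a report."""
    return {
        "marker_hits": find_marker_payload(section),
        "resource_decoded": decode_resource(resource),
        "evasion_strings": find_evasion_strings(stage),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SECTION, SAMPLE_RESOURCE, SAMPLE_STAGE).items():
        print(key, value)
```

Run it against a section dumped from a debugger or a PE parser instead of the constructed samples; every marker hit is reported rather than only the first, because a three-byte pattern is weak evidence on its own and the real blob has to be confirmed by what follows it.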

Cryptowall 3.0 Analysis

The CryptoWall 3.0 initialization code is the same as in the previous version of the infection: a large IAT is built and the code is injected into a newly spawned “explorer.exe”. The code located in the “explorer.exe” process installs Cryptowall 3.0 on the target system in exactly the same manner as the previous version (“Run” / “RunOnce” registry keys and the “Startup” start menu folder). Finally, all the system protections (and all system volume shadow copies) are disabled and the code is injected into a newly spawned “svchost.exe” process.


The code injected inside the “svchost.exe” process implements the main malware functionality. It starts by building the large IAT and creating the main event. Cryptowall 3.0 acquires a lot of system information (like the computer name, main processor speed and type, and so on) and generates a global MD5 used as the Victim ID. One of the new features of CryptoWall 3.0 is the use of the I2P network. The dropper generates its I2P network proxy and URL lists. In the dropper we analyzed, we found the following I2P CryptoWall URLs:


Cryptowall registers the victim workstation to its Command & Control server: a request string is generated in the following format:

{<Request ID>|crypt1|<Victim PC MD5>|<OS Ver Index>..||External Ip Address}

To obtain the external IP address, Cryptowall 3.0 uses the same algorithm seen in its previous version. This string is encoded for the I2P network and sent through an I2P proxy. The included I2P proxy list contains the following addresses:

Here is an example of Cryptowall Command & Control server registration string with a request ID of 1:


The CryptoWall 3.0 dropper tests each proxy address, searching for the live ones. The connection is established to the target I2P URL through the chosen proxy. A POST request is made containing the encoded request string. The Command & Control server answers with a three-digit ID. The ID is verified, and if everything has gone well, the dropper spawns the main CryptoWall thread.
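The registration format above (and the ID 7 public-key request described in the next section, which follows the same `{<id>|crypt1|<md5>|...}` layout) is easy to recognise once the request body has been decoded. The following Python 3.8+ detector is an added example written for this page, not code from the post or from Talos. It assumes it is handed the plaintext request string (the post says the string is I2P-encoded before it is sent, and does not document that encoding), treats the `..` in the format as unnamed fields that are kept as a raw list, and tests only the last field as the external IP; all sample bodies, the victim MD5 and the IP address are constructed:

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Request layout from the analysis:
#   {<Request ID>|crypt1|<Victim PC MD5>|<OS Ver Index>..||<External IP>}
# The ".." covers fields the post does not enumerate, so everything after the
# MD5 is kept as a raw pipe-separated list and only the last field is tested
# as an IPv4 address (assumption: the external address is always last).
C2_RE = re.compile(
    r"^\{(?P<req_id>\d+)\|crypt1\|(?P<md5>[0-9a-fA-F]{32})\|(?P<rest>[^{}]*)\}$"
)

# Request IDs the post names; anything else is reported as "other".
KNOWN_REQUESTS = {1: "registration", 7: "public-key-request"}


@dataclass
class C2Message:
    request_id: int
    victim_md5: str
    fields: list[str]
    external_ip: str | None

    @property
    def kind(self) -> str:
        return KNOWN_REQUESTS.get(self.request_id, "other")


def parse_c2_message(text: str) -> C2Message | None:
    """Parse one decoded POST body; return None when it is not in this format."""
    m = C2_RE.match(text.strip())
    if m is None:
        return None
    fields = m.group("rest").split("|")
    try:
        ip: str | None = str(ipaddress.IPv4Address(fields[-1]))
    except ValueError:
        ip = None  # last field is not an address (e.g. the "1" in the key request)
    return C2Message(int(m.group("req_id")), m.group("md5").lower(), fields, ip)


def is_valid_c2_reply(body: str) -> bool:
    """The server is expected to answer with a three-digit ID."""
    return re.fullmatch(r"\d{3}", body.strip()) is not None


def scan_post_bodies(bodies: list[str]) -> list[C2Message]:
    """Return the bodies that match the beacon format, for alerting or enrichment."""
    return [msg for body in bodies if (msg := parse_c2_message(body)) is not None]


# Constructed sample bodies: two beacons (request IDs 1 and 7) with a fake
# victim MD5 and a documentation-range IP, one ordinary form post, and one
# near miss whose third field is not an MD5.
SAMPLE_BODIES = [
    "{1|crypt1|0123456789abcdef0123456789abcdef|2||203.0.113.5}",
    "{7|crypt1|0123456789abcdef0123456789abcdef|1}",
    "user=alice&action=login",
    "{1|crypt1|not-a-hash|2||203.0.113.5}",
]


if __name__ == "__main__":
    for msg in scan_post_bodies(SAMPLE_BODIES):
        print(msg.kind, msg.victim_md5, msg.external_ip, msg.fields)
```

The Victim PC MD5 extracted here is the same value the malware uses for its HKCU key name, so a hit on the wire can be tied back to the host-side artifacts described further down; the short `is_valid_c2_reply` check mirrors the dropper's own verification of the three-digit answer and is useful when pairing request and response in proxy logs.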


The Main Cryptowall Thread

The main CryptoWall thread initializes the Windows Crypto functions and creates the main registry key: “HKCU\<Victim Pc MD5>”. It tries to acquire the public key for the later file encryption, using another well-formed Command & Control message (ID 7):

{7|crypt1|<Victim PC MD5>|1}

The received public key is verified and imported into the Windows Cryptographic Provider using the “CryptImportPublicKeyInfo” API. The text version of the public key is stored in the registry under a value name generated by a Cryptowall routine using index 2 (the actual value name is calculated starting from the Victim PC MD5). The hash of the public key is used by the bad guys to generate the “User personal code”.

The hash of the public key is also calculated and used to retrieve the CryptoWall PNG wallpaper and to compile the “Decrypt Instruction” files. These instructions are based on the geolocation of the host's IP address, so they should appear in the native language of the computer's user.

When the PNG wallpaper has been correctly downloaded, it is stored in the registry value with index 5. The decrypt instruction files are also generated and saved to disk.

Finally, the code cycles through all the mounted volumes (obtained using the “GetLogicalDriveStrings” API) and spawns one CryptoWall encryption thread for each volume that is not an optical drive.
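The host-side artifacts described in this and the previous section (the “Run” / “RunOnce” persistence entries and the main “HKCU\<Victim Pc MD5>” key holding the public key and wallpaper values) can be checked for in an exported registry hive without knowing the exact value names, because the key name itself is a 32-hex-character MD5 at the HKCU root. The following Python 3.8+ script is an added example written for this page, not code from the post or from Talos; the `.reg` export text, the paths, the allowlist and the value names under the MD5 key are all constructed placeholders (the real value names are derived from the Victim PC MD5 by a routine the post does not detail):

```python
from __future__ import annotations

import re
from dataclasses import dataclass

HKCU = "HKEY_CURRENT_USER"
# Persistence keys named in the analysis.
RUN_KEY_RE = re.compile(
    r"^" + re.escape(HKCU) + r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
# The main key is HKCU\<Victim PC MD5>: a 32-hex-character name at the HKCU root.
MD5_KEY_RE = re.compile(r"^" + re.escape(HKCU) + r"\\[0-9a-fA-F]{32}$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


@dataclass
class Finding:
    severity: str  # "high" for the MD5-named key, "review" for unlisted Run entries
    key: str
    detail: str


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the [key] / "name"=data layout of a .reg export into nested dicts.

    Only quoted string data is handled; doubled backslashes are unescaped.
    """
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                data = m.group("data").strip().strip('"').replace("\\\\", "\\")
                keys[current][m.group("name")] = data
    return keys


def find_indicators(reg: dict[str, dict[str, str]], run_allowlist: set[str]) -> list[Finding]:
    """Flag an MD5-named HKCU key and any Run/RunOnce value not on the allowlist."""
    findings: list[Finding] = []
    for key, values in reg.items():
        if MD5_KEY_RE.match(key):
            findings.append(Finding("high", key, f"32-hex key at HKCU root holding {len(values)} value(s)"))
        elif RUN_KEY_RE.match(key):
            for name, data in values.items():
                if name not in run_allowlist:
                    findings.append(Finding("review", key, f'"{name}" -> {data}'))
    return findings


# Constructed .reg export: one benign Run entry, one unknown Run and RunOnce
# entry, and an MD5-named key with placeholder value names (the real names are
# generated from the Victim PC MD5 and are not documented in the post).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"a1b2c3"="C:\\Users\\alice\\AppData\\Roaming\\a1b2c3.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*a1b2c3"="C:\\Users\\alice\\AppData\\Roaming\\a1b2c3.exe"

[HKEY_CURRENT_USER\0123456789abcdef0123456789abcdef]
"value-2"="-----BEGIN PUBLIC KEY----- (constructed placeholder)"
"value-5"="(constructed placeholder for the wallpaper blob)"
'''


if __name__ == "__main__":
    for f in find_indicators(parse_reg_export(SAMPLE_EXPORT), {"OneDrive"}):
        print(f.severity, f.key, f.detail)
```

An export produced with `reg export HKCU out.reg` on the host is the natural input; the allowlist holds the Run entries an organisation expects, so only unexpected names surface, while the MD5-named key is reported on its own because no legitimate software is expected to create such a key directly under HKCU.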


Cryptowall hash -
(sha256: 838e19ff3f52952c292f945054520eb5707c80a389b1f88770b1ccc09f966c65)

Dropper 1 hash -
(sha256: 9e06d2ce0741e039311261acc3d3acbaba12e02af8a8f163be926ca90230fa89)

Dropper 2 hash -
(sha256: 55e866cc8580e5f9f7f6560e478f3b37b3362e9f94e88439beef6026c86c80be)

Dropper 3 hash -
(sha256: 45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d)

I2P Proxy Addresses:


The dropper we analyzed is much more streamlined in functionality. Many of the dropper features deployed in Cryptowall 2.0 are no longer present in the 3.0 sample. New functionality has also been added, such as incorporating I2P network communication. Ransomware variants continue to try to improve the stealth of their network communications using networks such as TOR and I2P.

Identifying and stopping ransomware variants definitely requires a layered security approach. Breaking any step in the attack chain will successfully prevent this attack. Therefore, blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating ransomware and preventing it from holding your data hostage.

Establishing a solid backup and restore policy is also crucial to overcoming attacks on your data, whether they result from natural disasters, such as a storm, or from a malicious attack across the network. Many companies believed they had a solid backup plan, only to find that the malware encrypted the backups to prevent them from restoring any data. It is imperative to adhere to industry-wide best practices, which include making sure that your backup copies are safe from both physical destruction and corruption from viruses and other malicious software.

Protecting Users from These Threats


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites used in these types of attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

ESA can block spear phishing emails sent by threat actors as part of their campaign.


  1. Excellent analysis guys! keep up the good work.

  2. Excellent information, very well documented.

  3. so what can be done to remove the infection?

  4. If an Enterprise were to try and block the I2P protocol/network, how would that effectively be accomplished?

  5. Hi!
    Thanks everybody for the compliments. This analysis is small because we would like to highlight that the new CryptoWall 3 dropper has lost many interesting features...

    To correctly remove the infection a simple deletion of all CryptoWall entries located in the following places is enough:
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    - The executables located in the Startup folder of the start menu
    - All the CryptoWall 3.0 generated files located in each encrypted folder

    Unfortunately after the infection has encrypted the user files, there is no easy way to decrypt them, because the Private Key is located inside the Bad guys servers.

  6. The I2P proxy on 91.121.12[.]127 was taken down by OVH.

  7. Are there specific names we can look for in those registry entries or file names in the startup folder? Or does it generate a random name?

    I suppose you could create a PowerShell Scheduled Task with a whitelist of names that are allowed to be there. Then anything that pops up could generate an email or alert.

  8. That's great and all, but is there a chance a decryptor would come out? Can I put my hard drive in my safe and wait 10 years?

  9. Yes, that's my question, too! Any hope at all of flaws? Is it still too early or is it hopeless?

  10. Is it reasonable to expect that program for decryption will appear? I'm a patient man...

  11. Nice article Andrea!

  12. Can it be removed from a flash drive? It appears like these bandits infected a flashdrive I was using as well as most of my files on the laptop.

  13. Currently there is no known way to decrypt the files encrypted by Cryptowall. You may notice that there is a tool to decrypt CryptoLocker files. They did not break the decryption on CryptoLocker. When law enforcement took down CryptoLocker, they confiscated the hard drives and amassed a list of potential encryption keys. So in reality, you submit an encrypted file to the decryption tool and it searches through the keys looking for the one that correctly decrypts the file. Without having gained access to the original keys, there would not be a tool to decrypt the CryptoLocker files.

  14. I have worked on this malware a bit. It is true that we cannot decrypt... but there are work arounds to retrieving your files... check out shadow explorer and learn to browse individual system restore checkpoints for unencrypted versions of your files. I have helped a few customers get their files back this way.

  15. Thanks, Graig for explaining this!

  16. you're joking right?

  17. Hello,

    Just wanted to share what worked for me...after removing the virus I found information about a possible far this is working very well. I am able to export earlier "shadow" saved versions of the files that are not encrypted at all!

  18. I have had my NAS and my backups encrypted with Cryptowall 3.0 recently. I have paid the ransom and received the keys. I ran the decrypter and it seemed to be going great but it completed way too quick and when I went to run it again, it just completes and nothing is decrypted. There are 15 years of photos including that of my three children growing up. The computer that was infected has been blown away due to the fact that nothing on it was of any value - everything we value is on the NAS.
    I have tried looking for shadow copies and anything else I can think of. I've just about lost hope. If anyone has any idea how I can decrypt these files, I would be indebted to them.
    ***Just to reiterate - I have the keys and decrypter***

  19. Jack I would like more information on how you did this. I've been infected and have my life on my computer. My email is

  20. In exploring a cryptowall 23 infected PC I found a file that listed every encrypted file. If your mapped drive letter changed this database might be pointing to the wrong drive now that things have changed. The decryption should have been run on the infected machine before any removal action is taken.

  21. I had a friend recover the deleted copies of the encrypted files using a "undelete" tool...the name escapes me. His was a 2.0 infection. I tried using GetDataBack on a 3.0 infection today without much luck. I got some files that had been deleted before the infection but nothing that could be called complete.

  22. One way to try and access the information is to run a portable Linux OS from a thumb drive. It's how I repair Windows operating systems. It's something you can try?

  23. Why are the bad guys always smarter than the good guys?
    Excellent research on how it attacks and how it encrypts but are no good smart guys to come up with some decryption software??

  24. Please send me the decrypt soft and key. I will try to help you.

  25. They aren't, it's just that the bad guys have the element of surprise, you have to know about an infection before it can be noticed and removed. To decrypt the files you normally have to have the key, and each key is unique to the computer that was infected( From what I understand about the infection anyway).

  26. Has anyone paid the ransom and got the keys and actually got all files back?

  27. It's not that the bad guys are smarter, it's because people are always whining about things like increased security, so Microsoft says OK, here is a way to encrypt files on your personal PC using unbreakable encryption; then the bad guys say "Wow really? You practically just dumped that one in our hands", and the invention Cryptowall is born.

    It will be the same with those new super secure Android phone variants, someone will use the technology in the phone against the user and completely brick it.

    I don't understand why people need to encrypt their files on their PC anyway, seriously, you're that worried someone will get into your Excel sheet of possible cat names? No one cares about your secret chili recipe, I swear, and everyone looks at porn.

  28. The latest version removes the system restore points and shadow copies so unless you have a backup you're in trouble.

  29. So, I'm running CryptoPrevent but having read this I'm wondering -- given that it's possible to derive the Victim ID/registry key that CryptoWall3 would use, is it possible to create a dummy registry key and make it immutable to prevent infection? i.e. would the installation terminate before encryption if unable to create or modify the registry key?

    Or else, is it prudent/possible to monitor the registry for changes and force shutdown if the telltale registry key appears and/or is changed from dummy values?

  30. How are you doing?
    I have a decryptor that works fine, you can select folders to decrypt yourself.
    If you have your public/private keypair this one should do it.
    if you give me your email, I can try to help you out.

  31. We have had to deal with this several times with our clients, four to be exact. Each time, the computer that got hit had critical data that was stored locally. We paid the ransom and received the key that decrypted all the files.

  32. How long before they gave access to the decryptor?

  33. Where are these bastards physically located?

  34. If I have the 2048-bit private key (paid to get it), is there a way to decrypt the files using Windows' own or another trusted encryption/decryption tool? Ideally I'd like a PowerShell script I can point at the private key and a manifest of encrypted files, and let it call Windows' own CryptUnprotectData() to decrypt and replace the encrypted file (or create a clean copy). Please help with suggestions if I already have the private key - Thanks

  35. Hi there. Reading this with interest as we had Cryptowall 3 last week, paid ransom and decrypt key hasn't worked. Any ideas or help gratefully received.


  36. Hi there. We have been hit by the Cryptowall virus. Decrypt key didn't work for us. Any ideas most gratefully received.

    Many thanks


  37. I was infected by CryptoWall 2.0 last year on my office laptop. Luckily, our network was not infected at the time. I paid the ransom and was able to retrieve 99% of my files with the exception of a few Outlook .pst files. I now pay Backblaze annually to run a continuous backup of everything on my hard drive that is personal in nature. This gives me great peace of mind. Little did I know that although my files were restored, the date and time stamp information that tells me when the files were created or last modified was lost after decryption. The bad guys don't tell you this. So, my ability to sort and find files based on date and time is no longer an option with the retired files. Having daily back-ups is the way to go. Fast forward 1 year and someone within our company noticed today that CryptoWall 3.0 had found its way to our network server. Luckily, our IT guys complete daily back-ups that are not infected. The cost of lost productivity across the globe due to this virus is immeasurable.

  38. hello friends

    I've been trying to find the file, which contains the Decrypt.exe and keys.

    Any attempt to find a solution could come to investigate these files, 03 files statistically would be needed.

    I request your files having send it to me at my e indicating if cryptowall 1,2 or 3.

    Should you find any solution, no doubt they'll do arrive.
    thanks for the help

  39. The Cryptowall 3.0 versions that I've seen so far (newest being from early March) can't delete System Restore points if UAC is enabled at any level.

    Can anyone actually confirm that the newest versions will delete the SR points even if UAC is in place?

  40. Just reinstalled OS for one of my friends. PC was infected with Cryptowall 3.0. Installed brand new HDD and 2 days later he is telling me that he gets the same message pop up on his screen to decrypt. I just wonder, Is it possible to get virus back without user interaction with firewall and updated antivirus installed? Thank you.

  41. Hello, my computer has been infected with Cryptowall 3.0 and I would like to know if somebody knows how to decrypt files. I also speak Spanish and French. Thank you very much for your help.

  42. Is there a way to recover the files? I don't have any backups or restore option for files enabled.
    Please help!!

  43. Hi guys, I got infected 3 weeks back and I have decided to pay the ransom now. I was not able to open the one file that they have decrypted for free. Still I am trying my last chance by paying the ransom. Can anybody confirm if the payment works or not?

