Cryptowall has gotten a minor but important facelift that might make it more difficult for researchers to tear apart and for victims to recover their encrypted data without paying a ransom.
Spotted two days ago, the latest update to the ransomware encrypts not only the data on victims’ machines but also the file names, a first according to independent researcher Nathan Scott, who examined the code along with researchers from Bleeping Computer.
“I’m surprised more don’t do it; this makes it significantly harder to recover files except for paying the ransom,” Scott said. “If you try to do a forensic data recovery, the files show up with these weird names and the user doesn’t know what file is what. No one knows any structure in files any more.
“The only way to regain your data is a complete backup,” Scott said. “If you don’t back up, the only way to get the data back is to pay the ransom.”
The attackers behind Cryptowall have also updated the ransom note that victims are presented with. The note contains new mocking language, congratulating the victim for becoming part of the Cryptowall community, and the attackers have also assigned themselves a hashtag, #CryptowallProject. Scott speculates that the point of the hashtag is that victims may use it to commiserate on social media and that, if there is any kind of volume, it may lead them toward paying the ransom that much quicker.