Skip to content ↓ | Skip to navigation ↓

The latest strain of ransomware has arrived. It has been named CryptoWall 4.0, and it is as ugly and insidious as the previous versions.

It should be noted that while this appears to be the fourth version of this malware, this does not indicate that it was upgraded by the same authors of any previous versions. In the history of virus coding, as each version of the original code is revealed, new independent authors add on to the earlier versions.

The good folks who analyze malware have the honor of naming new viruses, or incrementing the version numbers of those that are similar to earlier variants.

As with any software development life cycle, enhancements are added to evade the preventive updates offered by anti-virus vendors.

Now, however, some of the enhancements to malware are added to allow for granular control of the payment (in increments of Bitcoin based on current market value), as well as new ways to obfuscate the files, even though they are encrypted.

In the analysis of this new version of ransomware, the enhancements seem somewhat puzzling.

First is the hubristic congratulatory message that is displayed on the victim’s screen:

CryptoWall 4.0 Has Arrived – Now with Canary File Notification


The other enhancement is that the new CryptoWall encrypts the data and also encrypts the filenames. This is a nefarious development, but it can also serve as an early warning system of sorts, allowing you to stop the encryption process before it encrypts everything on your computer.

Prior to this new enhancement to CryptoWall, file names were left intact, so the only way you would notice the problem was when you attempted to open a file.

An encrypted file would fail to open, and the error message would not be helpful, usually only stating that there was a problem with the file. Most victims would continue to click the file; meanwhile, the encryption process would proceed across all the drives connected to the machine.

Now, with the new filename encryption feature, the instant you see files changing names in your folders or on your desktop, you can pull the plug on the machine to stop the encryption process. (Yes, this is one of those times where you should just cut the power, as waiting for your machine to gracefully shut down only gives the process more time to do more damage.)

The filename encryption can act as a canary warning, alerting you that something is wrong in advance of complete damage. You may not always be watching your file folders, but if your timing is right, you may be able to pre-empt the process.

This new CryptoWall is so similar to its earlier cousins that all existing protection products will most certainly detect it.

Products such as those from, MalwareBytes and can protect your machine from ransomware, and they are priced well below the cost of recovering your encrypted files. Paying for these legitimate protections also prevents you from paying ransom to a criminal enterprise.

Please note that once you shut down a ransomware infected machine, do not turn it back on. You must enlist the help of someone who can restore your data from a backup without booting the operating system that hosts the malware.

You do have a backup of your data, don’t you?


bob covelloAbout the Author: Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock