Recover encrypted files by virus


  1. Posts : 16,325
    W10Prox64
       #11

    Update:
    The CryptoWall v4 is sneaky now, in that, after deleting the original file, it puts the new, encrypted file in the exact sector where the original was deleted. This makes it very difficult to recover the original deleted file.

    Interestingly, there appear to be certain regions where it does not wish to attack, and if it detects these languages, it will not infect the computer: Russian, Kazakh, Ukrainian, Uzbek, Belarusian, Azeri, Armenian, Kyrgyz, Georgian.

    It is also using drive-by-download techniques and the Angler Exploit Kit, which means that you can be infected simply by visiting an infected website; malicious code is executed via hidden iFrame(s) after identifying unpatched programs/browsers/add-ons, and injected into svchost.exe, bypassing the UAC when deleting all Shadow Copies if you are using an account with administrative privileges, and thus tricking many AVs in the process.

    ref: Security Alert: Angler Exploit Kit Spreads CryptoWall 4.0 via New Drive-By Campaign - Heimdal Security Blog

    ref: Cisco Talos Blog: Threat Spotlight: CryptoWall 4 - The Evolution Continues


  2. Posts : 2,935
    Windows 10 Home x64
    Thread Starter
       #12

    Thanks for the info simrick.


  3. Posts : 16,325
    W10Prox64
       #13

    eLPuSHeR said:
    Thanks for the info simrick.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
