Cryptowall 2.0


A new version of the CryptoWall ransomware has been released titled CryptoWall 2.0 that includes numerous "enhancements" by the malware developer that resolve issues in the previous version. CryptoWall has been a huge threat for computer users and network administrators since it has been released as it will encrypt all local data and data found on network shares. 


CryptoWall 2.0 now includes changes that make it better for the malware developer and harder for a victim to recover their files for free. These changes include unique wallet IDs to send ransom payments, secure deletion of original unencrypted files, and the use of their own TOR gateway. These changes are further discussed below.


A change that will benefit victims who wish to pay the ransom are the addition of unique bitcoin payment addresses for each  victim. The original version of CryptoWall did not create a unique bitcoin payment address for each victim. This made it possible for people to steal other victim's payment transactions and apply them towards their own ransom. With unique payment addresses for all victims this is no longer possible. There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC or files again.


Another change is that CryptoWall will now securely delete your original data files. Originally, CryptoWall would encrypt your data files and then just delete the original. It would then be possible to use data recovery tools to try and recover your data. Now that CryptoWall is securely deleting your data, this method will no longer work and you will need to restore from backups or pay the ransom.


The last change is that CryptoWall 2.0 now uses its own TOR gateways. CryptoWall's ransom payment servers are located on TOR , which allows the malware developers to stay hidden from the authorities. In order to connect to the server you would need access to the TOR network and for most people installing TOR was a confusing and difficult process. To solve this,  CryptoWall used a Web-to-TOR gateway that would allow victims to easily access the payment server. When the Web-to-TOR gateway providers discovered that CryptoWall was using their gateways they started to blacklist their payment servers so that they could not be reached. Now that CryptoWall 2.0 uses its own TOR gateway servers they do not have to worry about being blacklisted. The current Web-to-TOR gateways operated by the CryptoWall developers are,,, and


The majority of the attacks have come through e-mails with executable attachments, sometimes contained in .zip files. Most of the e-mail attacks used fake invoice, fax and voicemail themes with attachments.




If you are having computer problems (desktop and laptop) or network issues (wired and wireless) PC Solution offers computer repair services, network troubleshooting, IT tech support and consulting in: McAllen, Mission, Edinburg, Pharr, Hidalgo, Rio Grande, Penitas, Sullivan, San Juan, Alton, Palmview, Palmhurst, Weslaco, Donna - Texas.



Find Us on Facebook

Facebook Image

Carbonite Silver Partner