There is a new version of CryptoWall out in the wild that I have dubbed "Version 2.1" because it has some powerful new features. Researchers at Cisco's Talos group published an analysis that goes into great detail.
The most important thing is that the ransomware is now able to run both 64 bit code directly from its 32 bit install procedure. This means it can now infect both computers that run newer 64-bit Intel and AMD64 Windows systems.
Next, and here is where it becomes interesting, well-known security researcher Pierluigi Paganini from the Security Affairs blog mentioned that CryptoWall 2.1 is able to infect both Windows are 64-bit operating systems and also the newer versions of Mac OS X. This was not mentioned in the Talos group report and I would like to see that confirmed somehow. But if this turns out to be true, we have the first true multi-platform ransomware out there, both for Windows and Apple. Yikes.
This new variant of CryptoWall also has a feature that checks if it runs in a Virtual Machine environment and makes sure if it runs in any kind of emulated environment. If it detects this is the case, it does not execute in that environment to make malware analysis either impossible or much harder. This new version also still uses the TOR network so that network traffic is anonymized and hard to trace back to the command and control server. You can read the Cisco Talos group analysis at their blog.
I know I'm starting to sound like a broken record, but stepping your end-users through effective security awareness training is a must these days. Find out how affordable this is for your organization.
