Check Point Threat Alert: Cryptowall 4

Executive Summary

  • Ransomware is a type of malware that restricts access to an infected computer system and demands a ransom payment to remove the restriction.
  • Some ransomware encrypt the files on the system’s hard drive, while others may simply lock the system and display threatening messages to force the user to pay.
  • Cryptowall is a ransomware Trojan which targets Windows. It first appeared in early 2014.
  • The latest version, Cryptowall 4.0, appeared in November 2015 and it is considered a very prevalent ransomware.




  • Cryptowall 4.0 is the fourth version of the popular ransomware. It recently emerged with improved encryption tactics and better evasion techniques that help it deceive some antivirus platforms.
  • Cryptowall 4.0 can exploit many more vulnerabilities than the previous versions. It is also better at staying under the radar and avoiding sandbox detection.
  • Cryptowall 4.0 includes advanced malware dropper mechanisms to avoid antivirus detection.
  • Detection rates of Cryptowall 4.0 in certain anti-virus and firewall products have decreased significantly compared to the previously successful Cryptowall 3.0 ransomware.

Check Point Protections

  • Check Point Anti-Virus and Anti-Bot blades protect against Cryptowall 4.
  • This includes a wide variety of network signatures, C&C URLs and file hashes.
  • Check Point protections block Cryptowall’s communication with its C&C, preventing it from fetching encryption keys and encrypting the victim’s files.

Check Point Observation & Guidance

  • Check Point analysis showed that almost no changes in the communication methods with the C&C domains occurred between Cryptowall 3 and Cryptowall 4. Therefore the same network signatures apply to both.
  • Check Point continues to monitor and follow up on C&C domains for all versions of Cryptowall.


Encrypting Ransomware:
Technical Description: