The increasing sophistication makes CryptoWall attacks harder to prevent. The rest of the tactical framework, though, does not appear to be undergoing substantial changes. Just like before, the virus scans an infected machine’s hard drive sectors in search for data to capture. The basic markers used to detect the victim’s personal information are file extensions, with a special focus on popular ones like .jpg, .doc, .xls, .ppt, etc. Anything on letter-assigned HDD volumes that fits in this criteria space is eventually encrypted with RSA-2048, a very strong public-key crypto standard. All such files become henceforth impossible to open.
CryptoWall then displays a warning screen with the essentials of what happened to the information. It additionally pops up a file named HELP_DECRYPT off and on, providing Tor links to one’s personal page where the ransom payment transaction can be completed. The amount to pay for reinstating the files is $500, and the user is supposed to submit this fee in Bitcoins, a currency that makes the receiving party very problematic to identify and track down. It’s namely because of the Tor and Bitcoin related operation that attribution of the fraudsters is an egg-dance.
Using automatic recovery tools for restoring the data is barely effective, because CryptoWall encrypts file copies after deleting the original items with multiple overwrite passes. The Volume Shadow Copy Service, a file backup feature built into Windows, may be of help but its efficiency depends on a number of conditions. The applicable data restoration techniques beyond submitting the ransom are covered on trusted security websites, so anyone infected should give those tips a shot. Source: http://nabzsoftware.com/types-of-threats/cryptowall-4-0