CryptoWall 4.0 has been released that displays a redesigned ransom note, new filenames, and now encrypts a file’s name along with its data. We were alerted to this new variant by various members who have posted about being infected by what was being called the help_your_files ransomware. Once we were able to analyze a sample, though, it was quickly determined that this was in fact a new version of CryptoWall. For those who may have become infected by this variant, you can visit the dedicated CryptoWall 4.0: Help_Your_Files Ransomware Support Topic to discuss the infection or receive support on it.
The most significant change in CryptoWall 4.0 is that it now also encrypts the filenames of the encrypted files. Each file will have its name changed to a unique encrypted name like 27p9k967z.x1nepor 9242on6c.6la9. The filenames are probably encrypted to make it more difficult to know what files need to be recovered and to make it more frustrating for the victim.