CryptoWall has evolved and is frustrating security researchers.

Once a little brother to the more dangerous CryptoLocker, it has improvements that make it harder to detect and study. CryptoLocker virtually disappeared once law enforcement shut down the Gameover Zeus botnet that was used to distribute it.

Earl Carter, a researcher with Cisco Talos said: “It keeps evolving.” Cybercriminals “seem to be continually morphing things, trying to make it more effective.”

The sample of CryptoWall analyzed by Cisco was sent via email in a “.zip” attachment. If opened, the malware will check to see if it is running in a virtual machine, according to Carter.

The hackers don't want researchers to look at the malware in a virtual machine. If CryptoWall finds it is not in a VM, it continues to decrypt itself. It then communicates with command-and-control servers using the Tor network.

Unfortunately, researchers are unable to see the IP addresses of the servers that CryptoWall connect to.