A new, slimmed-down version of Cryptowall is now in circulation. It carries no built-in exploits, which is a further confirmation of the growing trend for ransomware to be spread mainly via exploit kits. Kits such as Nuclear, Angler and Hanjuan have recently been combining Flash exploits with a mixture of ransomware and other malware, with considerable success.
Yesterday, Cisco researchers published a report on a new sample examined by the Talos research team. The researchers believe that this sample is a third generation of Cryptowall, also known as Crowti. The encryption levels seen in Cryptowall 3.0 were already present in the previous versions of the ransomware. The ransomware takes the files stored on a compromised computer and encrypts them, demanding a ransom in exchange for the key that will release those files.
Just like the previous versions, Cryptowall 3.0 communicates through anonymity networks such as I2P in order to keep the communication between the infected computers and the command infrastructure hidden. This version, however, has dropped many features besides the use of multiple exploits in the dropper. Among them are the ability to switch between 32-bit and 64-bit operation, and the check for whether the code is executing inside a virtual machine, which would indicate that analysis software or a security researcher is on the other side. Cisco was surprised to find dead code and useless API calls in the sample.
According to the Cisco report, the lack of exploits in the dropper indicates that the malware authors are focusing more on exploit kits as the attack vector, since the functionality of the exploit kits can be used to obtain privilege escalation on the system. Without that privilege escalation, the attempts to turn off many of the enabled security features are likely to fail. Cisco confirmed that decryption happens in three stages: the dropper reads, decrypts and then stores the code before executing the PE file that contains the ransomware.
Microsoft also published research on Cryptowall 3.0 in January. A few days into the new year, the company noticed a short spike in activity, later confirmed by Kafeine, a French researcher who specializes in exploit kit activity. Microsoft and Kafeine further stated that Crowti strains communicate through I2P and Tor.
Victims of the ransomware are given an image file with details on how to make the payment, usually through Bitcoin or another payment service, along with instructions on how to install the Tor browser.
The recent Crowti activity follows a quiet period since last October, when Microsoft reported 4000 infections, more than 70% of them in the United States. Cryptowall 2.0 was regarded as the version of the ransomware family that brought 64-bit detection capabilities, an executable wrapped in layers of encryption, and communication through privacy networks.
Cisco's report on Cryptowall 3.0, issued yesterday, includes details on the individual decryption stages, the building of the binary, the creation of processes and the URLs used for communication. As with the past versions, the key is to stop the initial attack vector, whether it is a drive-by download or a phishing email.
Critical to combating the ransomware and preventing it from holding the user's data hostage is blocking the initial phishing emails, blocking malicious process activity and blocking network connections to malicious content. Equally critical to surviving attacks on the user's data is establishing a serious and regular backup and restore policy. That way the important data is preserved, whether the device falls victim to a natural disaster or to a malicious attack across the network.
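One concrete form of the "block network connections" advice above, for the I2P and Tor channels the article attributes to Crowti, is to flag outbound connections to the anonymity networks' default ports from processes that have no business using them. The script below is an added example written for this page, not code from Cisco, Talos or Microsoft. It assumes a hypothetical per-process connection log format, uses the well-known default ports of Tor (9001 OR, 9030 Dir, 9050/9150 SOCKS) and I2P (4444/4445 HTTP proxy, 7656 SAM, 7657 router console), and assumes that only an approved process (here `tor.exe`) may legitimately reach them. The sample log lines are constructed.

```python
"""Flag connections to Tor/I2P default ports from non-allowlisted processes.

Added example (not from the Cisco/Microsoft reports). The log format is
hypothetical; the port numbers are the services' documented defaults and
the allowlist is an assumption about the monitored environment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed default ports: Tor (OR, Dir, SOCKS, Tor Browser SOCKS) and
# I2P (HTTP proxy, HTTPS proxy, SAM bridge, router console).
TOR_PORTS = {9001, 9030, 9050, 9150}
I2P_PORTS = {4444, 4445, 7656, 7657}

# Processes permitted to talk to these ports (assumption: an approved Tor client).
ALLOWED_PROCESSES = {"tor.exe"}

# Hypothetical log line: "<timestamp> proc=<image name> dst=<ip>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    proc: str
    dst: str
    network: str  # "tor" or "i2p"


def classify_port(port: int) -> Optional[str]:
    """Return which anonymity network a default port belongs to, or None."""
    if port in TOR_PORTS:
        return "tor"
    if port in I2P_PORTS:
        return "i2p"
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Parse log lines and return one Alert per suspicious connection.

    Malformed lines are skipped; connections by allowlisted processes are
    ignored; everything else that targets a Tor/I2P default port is reported.
    """
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; ignore
        port = int(m["port"])
        network = classify_port(port)
        if network is None or m["proc"] in ALLOWED_PROCESSES:
            continue
        alerts.append(Alert(m["ts"], m["proc"], f"{m['ip']}:{port}", network))
    return alerts


# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    "2015-01-07T10:12:01Z proc=explorer.exe dst=203.0.113.5:9001",   # Tor OR port
    "2015-01-07T10:12:02Z proc=tor.exe dst=198.51.100.7:9001",      # allowlisted client
    "2015-01-07T10:12:05Z proc=winlogon.exe dst=127.0.0.1:4444",    # local I2P HTTP proxy
    "2015-01-07T10:12:06Z proc=chrome.exe dst=93.184.216.34:443",   # ordinary HTTPS
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.proc} -> {alert.dst} ({alert.network})")
```

Run as-is, the script reports the `explorer.exe` connection to a Tor OR port and the `winlogon.exe` connection to the local I2P proxy, and stays silent on the approved Tor client and the ordinary HTTPS request. Port matching is only a first filter: Tor relays and bridges commonly listen on 443 or 80 as well, and both networks' ports are configurable, so in practice this rule is paired with a feed of known relay addresses and with the process-activity and phishing controls the article lists.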