WatchPoint Security Blog

Ransomware - Crypto Locker 2.0

Written by Nathan Studebaker | January 22, 2015

Ransomware: Cryptowall 2.0

In the "old" days, malware and viruses were primarily an annoyance. They would slow your system down, fill your screen with popups and annoying ads, and sometimes they would even hide shared network folders. But cleanup was simple: you could remove the virus by running a virus scan in Safe Mode. Back then you really didn't have to worry about a compromise of security or sensitive data leaving the network as a result of being infected. Unfortunately, those days are long gone.


Ransomware allows malware distributors to profit from their infected hosts. Now that financial gain can be accomplished, attackers are very motivated to develop and evolve more sophisticated malware that can cause great harm to a business. It’s no longer a hobby, it’s a job - and a very profitable one for some.

Tor - Anonymous Internet

Cryptowall 2.0 uses Tor as a way to receive payment from its hostages while maintaining the attackers' anonymity. You can read more about Tor at https://www.torproject.org/, but to summarize, Tor allows Internet users to remain anonymous online. It routes traffic through several layers of encryption to hide the user's public IP address, so when you visit a website through Tor your true identity is unknown to that site. This makes it almost impossible for authorities to track down the true identity of the attackers.

Cryptowall 2.0 also integrates anti-VM and anti-emulation detection. This makes reverse engineering the virus more difficult and time consuming. Reverse engineering and debugging the virus is what antivirus and anti-malware companies do in order to create signatures and identifiers for their products. These companies often have to infect their own (isolated) systems in order to learn how the virus works. By infecting themselves, anti-malware developers can take a look "under the hood" and develop ways to prevent and remove infections.

Evolved Malware

Cryptowall 2.0 is certainly an evolved malware, but it still infects areas of the operating system that are common among many malware variants. For example, Cryptowall 2.0 infects the %AppData% directory and the commonly used 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' and 'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce' registry keys. Because Cryptowall 2.0 infects the same areas as other malware, technicians can set up monitoring rules that alert on any unusual activity in those areas. It should also be noted that Cryptowall 2.0 deletes and disables VSS snapshots and recovery points, which is why having a sound backup strategy is paramount.
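The following is an added example, not code from the WatchPoint post: a read-only PowerShell check that inspects the two HKCU autorun keys named above for entries launching anything from %AppData%, and then confirms that VSS shadow copies are still present on the host. It assumes it is run as the user whose profile is being inspected; listing shadow copies may require an elevated session.

```powershell
# Added example (not from the original post): audit HKCU Run/RunOnce for
# autostart entries rooted in %AppData% and confirm VSS shadow copies exist.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Resolved path of %AppData% (Roaming) for the current user
$appData = [Environment]::GetFolderPath('ApplicationData')

function Get-SuspiciousAutoruns {
    param([string[]]$Keys, [string]$SuspectRoot)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Expand a literal %AppData% in the command line before comparing,
            # using an ordinal case-insensitive search (Windows paths are case-insensitive)
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
            if ($expanded.IndexOf($SuspectRoot, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

$hits = @(Get-SuspiciousAutoruns -Keys $autorunKeys -SuspectRoot $appData)
if ($hits.Count -gt 0) {
    Write-Warning "Autorun entries launching from $appData (review each one):"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No Run/RunOnce entries point into $appData."
}

# Cryptowall 2.0 deletes VSS snapshots; an empty list on a host that is
# expected to have them is itself worth alerting on.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    Write-Warning "No VSS shadow copies found on this host."
} else {
    $newest = ($shadows | Sort-Object InstallDate -Descending)[0].InstallDate
    Write-Host "$($shadows.Count) shadow copies present; newest created $newest."
}
```

Legitimate software (updaters, chat clients) also autostarts from %AppData%, so treat a hit as something to review against a known-good baseline rather than as proof of infection.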

Importance of Automated Patching

Ransomware and other malware variants use multiple attack vectors in order to compromise a host. Rarely does a single exploit give these attacks a foothold on your system. Instead, an attacker has to combine multiple exploits in order to gain a position of advantage. This is why WatchPoint Data continues to advocate the importance of a sound security policy. Security is not a single device or piece of software; rather, security is a layered design that incorporates many overlapping technologies. Ransomware and other variants require a chain of attack in order to compromise a system, so by stopping just one link in the chain, you can prevent the attack from succeeding.

Latest Crypto Behaviour