Ransomware is a type of malware that encrypts user files on a victim's computer or network. The attacker then demands a ransom from the victim in exchange for the decryption key. CryptoWall is a family of such file-encrypting ransomware. It first appeared in early 2014 and has numerous variants, including Cryptorbit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. The early variants used an RSA public key for file encryption; the newer versions use an AES key for file encryption, and that AES key is in turn encrypted with a public key. This makes it practically impossible for the victim to obtain the key needed to decrypt the files.
Mode Of Infection:
Traditionally, CryptoWall ransomware was distributed via exploit kits, but spam emails are now also used to infect victims. The spam email carries a RAR attachment that contains a CHM file. When the victim opens the CHM file, it downloads the CryptoWall binary to the system, which copies itself into the %temp% folder.
CHM file: a Compiled HTML (CHM) file is an interactive HTML document compressed inside a CHM container; it may hold other files such as JavaScript and images.
Execution:
- The CryptoWall binary downloaded onto the system is compressed or encoded. Junk instructions and anti-emulation tricks are deliberately inserted into the code to evade antivirus engines.
- On execution, it launches a new instance of the explorer.exe process.
- In the next step, the ransomware injects its unpacked CryptoWall binary into that process and executes the injected code.
- The original process exits automatically after launching the injected explorer process.
- The files are encrypted, and the ransomware deletes the volume shadow copies using the ‘vssadmin.exe’ tool so that the encrypted files cannot be recovered from them.
- The CryptoWall binary is copied to various locations such as %appdata%, %startup%, %rootdrive%, etc. The copies are added to an auto-start key so that they remain persistent even after the infected system is rebooted.
- A new svchost.exe process is launched with user privileges and the malicious binary code is injected into it.
- The ransomware connects to I2P proxies to find a live command and control server.
- The server replies with a unique encryption key generated specifically for the target system. Receipt of the key starts the file encryption thread, and ransom notes are dropped in all directories.
- Finally, it launches Internet Explorer to display the ransom note, and the hollowed svchost process terminates itself.
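Detection logic for the execution chain above, written here as an added example rather than code from the article: it scans constructed, Sysmon-style process-creation records (the field names are assumptions, not a real product schema) for three behaviours the steps describe: vssadmin shadow-copy deletion, execution from %temp%/%appdata%, and explorer.exe or svchost.exe spawned by a parent living in those folders.

```python
# Added example: flags the CryptoWall execution behaviours described above
# in constructed process-creation events. Field names are assumptions.
import re

# Directories the article names as drop/execution locations for the binary.
SUSPECT_DIRS = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)
# System processes the article says are spawned and hollowed by the dropper.
HOLLOW_TARGETS = {"explorer.exe", "svchost.exe"}
# vssadmin invocation that removes shadow copies (the recovery points).
SHADOW_DELETE = re.compile(r"delete\s+shadows", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the list of rule names matched by one process-creation event."""
    hits = []
    image, parent, cmd = ev["image"], ev["parent_image"], ev["command_line"]
    if basename(image) == "vssadmin.exe" and SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if SUSPECT_DIRS.search(image):
        hits.append("exec_from_user_writable_dir")
    if basename(image) in HOLLOW_TARGETS and SUSPECT_DIRS.search(parent):
        hits.append("system_process_spawned_from_user_writable_dir")
    return hits

def scan(events):
    """Map pid -> matched rules for every event that triggers at least one."""
    return {ev["pid"]: hits for ev in events if (hits := check_event(ev))}

# Constructed sample events modelled on the execution steps above.
SAMPLE_EVENTS = [
    {"pid": "1001", "image": r"C:\Users\bob\AppData\Local\Temp\a1b2.exe",
     "parent_image": r"C:\Windows\hh.exe", "command_line": "a1b2.exe"},
    {"pid": "1002", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\a1b2.exe",
     "command_line": "explorer.exe"},
    {"pid": "1003", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": "1004", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},  # benign, should not match
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Only the first three constructed events should be reported; the legitimately started svchost.exe is left alone.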
Protection:
- Keep antivirus software up to date
- Back up your files regularly
- Apply Windows updates regularly
- Avoid clicking links or attachments in unexpected emails
- Disable remote desktop connections
- Block execution of binaries from the %appdata% and %temp% paths
For more information on Cryptowall ransomware, contact Centex Technologies at (254) 213 – 4740.