UPDATED: Everything You Need To Know About CryptoWall
Recently, we have noticed a mounting number of ransomware families and a growing difficulty in the online sphere to provide solutions and take measures. Last year saw the rise of CryptoLocker variants such as CryptoWall, CryptoLocker V2, Cryptodefense and Zerolocker; this year they continue their online spam campaigns and make big headlines in the security press.
In recent weeks we talked about CTB Locker, one of the latest ransomware variants of CryptoLocker. Now we discover another large campaign run by CryptoWall 3.0, another powerful variant that resists normal detection and is still not detected by most antivirus security solutions.
What is CryptoWall?
CryptoWall is an advanced piece of malware, a variant of last year’s CryptoLocker, which was taken down at the beginning of the year by a number of security companies and state agencies across the world.
Nevertheless, we all expected a comeback, which took place a few weeks ago with CTB Locker and these days with CryptoWall 3.0, which launched a massive attack on German users.
Like most data-stealing malware and ransomware, CryptoWall spreads mainly through phishing and spam campaigns that invite users to click a malicious link or open an e-mail attachment. At the same time, the cyber-criminals have included CryptoWall code in website ads in order to increase its online distribution.
As we have already said in other articles, we are dealing not only with advanced pieces of malware, but with an advanced infrastructure that can resist detection and take-down attempts for a while, with an impressive number of servers controlled by online criminals.
What’s New About CryptoWall 3.0?
Security analyst Kafeine showed in a blog post that one of the main differences between the present CryptoWall 3.0 version and the previous ones is that communication with the C&C servers uses the RC4 encryption algorithm, and that it employs not just the TOR network but also the I2P anonymity network, both of them used mainly to conceal the identity of the user. Or of the cyber-criminals, in our case.
Apparently, CryptoWall 3.0 is the first version of this ransomware that uses I2P to communicate with the malicious servers.
Another interesting difference is that CryptoWall now presents localized messages to the victim. In the example from Kafeine, we find that the ransomware can deliver the message in French or English.
How does it spread?
As we said above, CryptoWall spreads its infection mainly through spam campaigns. One such campaign is now at large, hitting a great number of users in Germany and Denmark. You can find below an example of such an e-mail, which is sent out to a number of users and pretends to be an important invoice written in German.
It comes with the subject line: “RechnungOnline Monat Februar 2015 (Buchungskonto: 7818210382)“.
When the user opens the e-mail, the targeted victim is asked to follow a link. If the victim clicks the link, the malicious payload from compromised domains delivers the encryption key to the system.
More information about the latest version, CryptoWall 3.0, can be found in this article from Microsoft.
How does it work?
Here is a short overview of the main events that take place in the infection phase:
1. The infection starts with an e-mail received by the victim, which contains a link that is connected to a number of compromised domains.
2. When the potential victim follows the link, a downloader is placed on the system.
3. The downloader connects to a number of hacker-controlled domains, from which it can download CryptoWall.
4. One of the domains sends back and installs CryptoWall on the system.
5. The ransomware encrypts the system data.
6. A warning is presented on the screen with instructions on how to pay for the decryption key.
How can I keep my data protected from CryptoWall 3.0?
Our security analysts recommend the following security measures to keep your computer safe from CryptoWall:
- Don’t access links in e-mails from people you don’t know. This is the main spreading method for CryptoWall.
- Don’t click links in e-mails you receive from unknown e-mail addresses.
- Create a backup of your most important data. Keep the backup in a different location from your actual operating system: if the backup sits on a system infected with CryptoWall, you will not be able to access it either.
- Make sure your security solution detects and blocks CryptoWall. At this moment, Heimdal is one of the few software solutions that detects this ransomware.
- Increase your online protection level by adjusting your web browser security settings.
- Keep your Windows operating system and your vulnerable software up-to-date with the latest security patches.
How does Heimdal Security keep me safe?
First, don’t access e-mails from people you don’t know and don’t click any links in those e-mails.
And second, in case you follow the link by mistake and the downloader tries to communicate with the compromised domains, Heimdal will block the communication from sending CryptoWall on your system.
At this moment, Heimdal security analysts have already blacklisted 15 hacker-controlled domains. We will return with more details on the compromised domains.
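The two defensive chokepoints the steps above describe, the invoice-lure e-mail and the downloader’s outbound connection to hacker-controlled domains, can be checked in a mail gateway and in DNS egress logs. The following is an added example written for this post, not Heimdal’s product code; the blocklist entries, sender domain and log lines are constructed placeholders, only the subject-line pattern comes from the campaign described above.

```python
"""Detection helpers for the CryptoWall 3.0 delivery chain (added example).
All domains and log lines below are constructed placeholders."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Lure seen in the campaign: German "online invoice" subject with a booking number.
LURE_SUBJECT = re.compile(r"RechnungOnline Monat \w+ \d{4} \(Buchungskonto: \d+\)", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Placeholder blocklist standing in for the domains defenders have blacklisted.
BLOCKED_DOMAINS = {"downloader-placeholder.example", "payload-placeholder.example"}


@dataclass
class Finding:
    stage: str   # which step of the infection chain the hit belongs to
    detail: str  # what was matched


def inspect_mail(subject: str, body: str, sender_domain: str) -> list[Finding]:
    """Step 1: flag the invoice lure subject and links that point away from the sender."""
    findings: list[Finding] = []
    if LURE_SUBJECT.search(subject):
        findings.append(Finding("lure-subject", subject))
    for host in URL_RE.findall(body):
        if not host.lower().endswith(sender_domain.lower()):
            findings.append(Finding("offsite-link", host))
    return findings


def inspect_dns_log(lines: list[str]) -> list[Finding]:
    """Steps 2-3: flag egress lookups of blocklisted domains.
    Expects constructed log lines of the form '<timestamp> <client-ip> query <name>'."""
    findings: list[Finding] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue  # not a query record, skip
        name = parts[3].rstrip(".").lower()
        if name in BLOCKED_DOMAINS:
            findings.append(Finding("blocked-domain", f"{parts[1]} -> {name}"))
    return findings


if __name__ == "__main__":
    mail_hits = inspect_mail("RechnungOnline Monat Februar 2015 (Buchungskonto: 7818210382)",
                             "Bitte hier klicken: http://downloader-placeholder.example/inv.php",
                             "invoices.example")
    dns_hits = inspect_dns_log(["2015-02-20T10:00:01 10.0.0.5 query downloader-placeholder.example.",
                                "2015-02-20T10:00:02 10.0.0.5 query www.example.org."])
    for f in mail_hits + dns_hits:
        print(f.stage, f.detail)
```

A lure hit alone is a reason to quarantine the message; a blocked-domain hit from a client that received such a mail is the point at which the downloader would otherwise fetch CryptoWall.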
2014 was not just the year of massive data breaches and corporate losses, it was also the year when important steps were taken in fighting cyber-criminal actions by stopping the spread of data-stealing malware and infamous ransomware, like CryptoLocker and its variants.
And all these security actions and their results provided lessons for most of us.
What we learned is that ransomware infections are feared by everybody, not only because you need to pay money for your data, but because you don’t know if you’ll be able to recover that information once you pay. And there is really little you can do when this happens.
Therefore, we recommend that you pay attention to the e-mails you receive and the online locations you access, because we are dealing with trained cyber-criminal minds that are only interested in economic and financial gains.
Don’t go online without protection!
We will keep you up-to-date with the latest events as they continue to develop.
This post was originally published by Aurelian Neagu in February 2015.