
Exploit Kits and CryptoWall 3.0

Brad Duncan is a Security Analyst at Rackspace, where he investigates suspicious network activity.  Reviewing alerts on web traffic from Rackspace offices worldwide, we occasionally discover domains hosting exploit kits or other malicious files.  Our researchers investigate these leads to gather malware samples, identify threat actors, and determine other indicators of malicious activity.  This blog entry discusses one such recent investigation.

A new version of CryptoWall was reported in January 2015. CryptoWall is now at version 3.0. This new version appeared after approximately 2 months of hiatus during the recent 2014 holiday season [1].

CryptoWall is a form of ransomware. This type of malware encrypts personal files on a computer and demands a ransom payment before the affected user can recover those files. CryptoWall is designed to infect computers using Microsoft Windows.

Previous versions of CryptoWall were spread through malicious emails, and the malware also came from exploit kit traffic generated by compromised websites. Initial analysis of CryptoWall 3.0 indicates the malware’s authors may now focus on exploit kits as an attack vector [2]. This matches our observations. So far, we’ve seen CryptoWall 3.0 only from exploit kit traffic. This includes the Magnitude and Fiesta exploit kits.

Below is an example of Fiesta exploit kit traffic on 2015-02-19. It also includes callback activity from the infected host caused by CryptoWall 3.0.

Shown above: Wireshark display of Fiesta EK traffic and CryptoWall 3.0 callback activity.

In the above image, Fiesta exploit kit comes from the myftp.biz domain on 69.64.49.212. Everything else is callback traffic generated by the CryptoWall 3.0 infection. More information on recent Fiesta exploit kit activity can be found at blog.0x3a.com [3].
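The split described above (one domain and IP serving the exploit kit, everything else from the victim afterwards being candidate callback traffic) is the kind of triage a detection engineer would automate over proxy or flow logs. The following is an added example, not code from the original post or from Rackspace: it matches constructed proxy log lines against the two indicators named in the post (the myftp.biz domain and 69.64.49.212) and then flags all later traffic from any client that touched the exploit kit for review. The log format, the client addresses and the callback host are constructed for the example.

```python
"""Triage constructed web-proxy log lines against the Fiesta EK indicators
named in the post (myftp.biz / 69.64.49.212).  Added example; the log format,
sample lines and callback host are constructed, not taken from the capture."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Indicators taken from the post.  Dynamic-DNS names hang off the registered
# domain, so the host check matches the domain itself and any subdomain of it.
EK_DOMAINS = {"myftp.biz"}
EK_IPS = {ip_address("69.64.49.212")}

# Constructed log format:
#   "<timestamp> <client_ip> <dst_ip> <host> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<host>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one client (192.168.10.25) browses normally, hits the
# exploit kit, then reaches out to an unrelated host; a second client stays clean.
SAMPLE_LOG = """\
2015-02-19T14:02:11Z 192.168.10.25 198.51.100.10 www.example.com GET /index.html 200
2015-02-19T14:02:40Z 192.168.10.25 69.64.49.212 abc.myftp.biz GET /landing?id=1 200
2015-02-19T14:02:43Z 192.168.10.25 69.64.49.212 abc.myftp.biz GET /payload.bin 200
2015-02-19T14:02:50Z 192.168.10.25 69.64.49.212 69.64.49.212 GET /x 200
2015-02-19T14:03:05Z 192.168.10.25 203.0.113.7 callback.invalid POST /check 200
2015-02-19T14:03:20Z 192.168.10.40 198.51.100.10 www.example.com GET /about 200
"""


@dataclass
class Hit:
    ts: str
    client: str
    dst: str
    host: str
    path: str
    reason: str  # "ek-domain" or "ek-ip"


def is_ek_host(host: str) -> bool:
    """True for the EK domain itself or any subdomain of it (case-insensitive)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in EK_DOMAINS)


def classify_line(line: str):
    """Return a Hit if the line touches an EK indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        dst = ip_address(m["dst"])
    except ValueError:
        dst = None
    if is_ek_host(m["host"]):
        reason = "ek-domain"
    elif dst in EK_IPS:
        reason = "ek-ip"
    else:
        return None
    return Hit(m["ts"], m["client"], m["dst"], m["host"], m["path"], reason)


def triage(log_text: str):
    """Split a log into EK hits, post-EK traffic from infected clients (candidate
    callbacks worth a closer look) and everything else.  Lines are processed in
    order, so traffic before a client's first EK contact is not flagged."""
    ek_hits, post_ek, other = [], [], []
    infected_clients = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = classify_line(line)
        if hit:
            ek_hits.append(hit)
            infected_clients.add(hit.client)
            continue
        m = LINE_RE.match(line)
        if m and m["client"] in infected_clients:
            post_ek.append(line)
        else:
            other.append(line)
    return ek_hits, post_ek, other


if __name__ == "__main__":
    hits, callbacks, rest = triage(SAMPLE_LOG)
    for h in hits:
        print(f"EK   {h.ts} {h.client} -> {h.host} {h.path} ({h.reason})")
    for line in callbacks:
        print(f"POST-EK (review) {line}")
    print(f"{len(rest)} lines not flagged")
```

Only the indicator sets and the regular expression need changing to run this over a real proxy log; the post-EK bucket is deliberately broad, because the callback destinations are exactly the hosts you do not yet have indicators for.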

The CryptoWall sample from this traffic was submitted to Malwr.com. If you’re registered with Malwr.com (very simple to do), you can retrieve a copy of the malware at:

https://malwr.com/analysis/MDkwOTQwMzU4MWQ1NGRhNWFlYzEyZmIyNzBkYzZlZWI/

When first seen, this CryptoWall 3.0 sample had a very low detection rate as seen on VirusTotal.

Shown above: A user’s Windows desktop after an infection by CryptoWall 3.0.

If your Windows computer is infected with CryptoWall 3.0, you’ll find items on your desktop that provide instructions to retrieve your personal files.


You’ll have a text file, HTML file, link to a web page for decryption instructions, and PNG image as shown below:

Shown above: PNG image with the decryption instructions.

In order to access instructions to decrypt your files, you’ll have to get past a CAPTCHA screen.

Shown above: CAPTCHA screen before the decrypt service.

After the CAPTCHA screen, you’ll find instructions to decrypt your files. These instructions contain the bitcoin address to send your ransom payment.

Shown above: Decrypt instructions with a bitcoin address for the ransom payment.

The bitcoin address for the ransom payment is: 15WUYqKerTtxi4rUEmnakw5gRMkr3nZCQd

You can find the transaction history on this bitcoin account through websites like blockchain.info or bitref.com. While doing this blog entry, we checked this bitcoin account, and it did not have any transactions.

Shown above: Information on the CryptoWall sample’s bitcoin address.

What should you do if your computer becomes infected with CryptoWall 3.0? On a practical level, you cannot get your data back without paying the ransom. However, security experts disagree on whether or not to pay [4]. You have no guarantee the malware authors will provide the decryption key, and paying the ransom enables the authors to continue their criminal activity.

The best defense is regularly backing up your data to a storage device that does not reside on your computer. If you never back up your data, you might find yourself at the mercy of CryptoWall or other ransomware.

References:

[1] http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx

[2] http://blogs.cisco.com/security/talos/cryptowall-3-0

[3] http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

[4] http://www.npr.org/blogs/alltechconsidered/2014/12/08/366849122/ransomware-when-hackers-lock-your-files-to-pay-or-not-to-pay

About the Author

This is a post written and contributed by Brad Duncan.

Brad Duncan is a Security Researcher at Rackspace specializing in network traffic analysis and intrusion detection.

After more than 21 years doing classified intelligence work for the US Air Force, Brad began a new career in cyber security. He has been a Racker since 2012. In 2013, Brad started a blog at www.malware-traffic-analysis.net as a way to share technical information with like-minded security professionals.

©2015 Rackspace, US Inc.