Cryptowall 3.0 Slims Down, Removes Exploits From Dropper

Research from Cisco on Cryptowall 3.0 ransomware shows that exploits have been removed from the dropper, indicating that the group behind it will rely instead on exploit kits.

A slimmed-down version of Cryptowall is in circulation, and this one contains no built-in exploits, confirming a growing trend toward ransomware being spread almost exclusively via exploit kits.

Kits such as Angler, Nuclear, and most recently Hanjuan, have been busy incorporating Flash exploits dropping a mix of click-fraud malware and ransomware with great success and greater profits.

Researchers at Cisco today published a report on a new sample examined by its Talos research team, which they believe is a third generation of Cryptowall, the ransomware also known as Crowti.

Cryptowall 3.0 contains levels of encryption seen in previous versions of this ransomware, which grabs files stored on a compromised computer and encrypts them, demanding a ransom in exchange for the encryption key.

Like other versions, Cryptowall 3.0 communicates over anonymity networks, in this case I2P, to keep traffic between infected computers and its command and control hidden. Unlike earlier versions, however, this one has dropped a number of features beyond the multiple exploits in its dropper: the ability to switch between 32- and 64-bit operation, and the check for whether the code is running in a virtual machine, a condition that would suggest a security researcher or analysis software is on the other end. Cisco said, to its surprise, that it also found dead code and “useless” API calls in the sample it captured.

“The lack of any exploits in the dropper seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit’s functionality could be used to gain privilege escalation on the system,” Cisco said in its report. “Without privilege escalation, attempting to turn off many enabled security features on the system is likely to fail.”

Decryption, Cisco said, happens in three stages where the dropper reads, decrypts and stores code before executing the PE file containing the ransomware.

Microsoft published its own research on Cryptowall 3.0 in January, noticing a brief spike in activity shortly after the new year, something that was confirmed by French researcher Kafeine, who specializes in exploit kit activity. Kafeine and Microsoft said those strains of Crowti also communicated over Tor and I2P. Victims are presented with an image file with details on how to remit payment, either through Bitcoin or a payment service, along with instructions on how to install the Tor browser. Crowti had been relatively quiet since a late October surge when Microsoft reported 4,000 system infections at its peak, 71 percent of those in the United States.

Cryptowall 2.0 was a beefy version of this ransomware family with its 64-bit detection capabilities, hiding the executable with layers of encryption and communicating over privacy networks.

In today’s report on Cryptowall 3.0, Cisco has a lot of detail on the respective decryption stages, how the binary is built, the processes that are created, and URLs it uses for communication. Like past versions, stopping the initial attack vector, be it a phishing email or drive-by download, will put a halt to the hack.

“Blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating ransomware and preventing it from holding your data hostage,” Cisco said. “Establishing a solid backup and restore policy is also crucial to overcoming attacks to your data, whether they occur from natural disasters, such as a storm, or whether they occur from a malicious attack across the network.”
