Inside Cryptowall 2.0 Ransomware

An analysis of Cryptowall 2.0 reveals that the ransomware relies on complex encryption routines and sandbox detection capabilities to survive. It also uses Tor for command and control, and can execute on 32- and 64-bit systems.

If you need more evidence that ransomware is here to stay, and could turn into cybercriminals’ weapon of choice, look no further than Cryptowall.

Researchers at Cisco’s Talos group today published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities: detecting execution in virtual environments, wrapping the payload in many stages of decryption before the ransomware activates, and detecting whether the host is a 32- or 64-bit architecture and executing a different version for each.

“They went through a lot of work to hide the executable in encryption, to check if it’s running in a virtual machine, and the ability to exploit multiple environments,” said Talos security research engineer Earl Carter. “So much was put into Cryptowall 2.0. Someone went to a lot of work on the front end to avoid detection.”

Cryptowall emerged close to a year ago and attackers have used it to generate noteworthy profits. Unlike first-generation ransomware that would lock a computer and generate a phony message informing the victim their machine had been seized because of illicit online activities, Cryptowall and its cousin Cryptolocker upped the ante and encrypted files on compromised machines. The malware demands a ransom for the decryption key to restore the user’s data, a key that many times is not delivered even if the ransom is forked over.

Such ransomware is delivered most often via phishing campaigns or links to websites hosting exploit kits. For the particular sample analyzed by Cisco, the means of infection was last summer’s Windows TrueType font-parsing vulnerability, which enables an elevation of privileges on a machine. A dropper was built for 32-bit machines, but it also came with a 64-bit DLL that could execute on AMD Windows machines, Carter said.

“This one took from the best of both worlds; it would start with a 32-bit exploit that could also take advantage of 64-bit AMD processors. Just the fact that it was so seamless, that it could go back and forth between the two however it needed to, was noteworthy,” Carter said. “Normally it’s doing one or the other.”

The Cisco report goes into great detail about the stages of the various decryption routines used by Cryptowall 2.0, all in the name of avoiding detection by antimalware and intrusion detection software.

“It’s a pretty simple check looking for a common executable for VMware or (Oracle’s) VirtualBox,” Carter said. “If it detects either, it assumes it’s in a virtual sandbox and will not execute. At that point, you don’t even have the [Cryptowall] code, just the dropper and not the actual Cryptowall binary that will run.

“Everyone has a sandbox in a virtual environment, and they’re trying to avoid that initial detection so it won’t pop up and execute in the sandbox,” Carter said. “It’s hard to identify the sample as malware, and there’s a chance it will slip through and attack more systems.”

News that Cryptowall was using Tor for command and control emerged in the fall, though it was not the first to do so. Malware and other scams have become increasingly present on Tor, which hides a packet’s originating IP address.

“Using Tor just makes it harder to identify the command and control on the back end,” Carter said. “It’s not obvious it’s command-and-control traffic going across your network. You’ll see Tor traffic, but you can’t get to the underlying information to see the distinction.”

  • Dmoore on

    I had Cryptowall 2.0 in November 2014. At work, it encrypted my desktop, my drive to our work server (which locked up the company shared software), as well as our attached backup drive to the server. I paid the ransom ($500) and received my "key" to decrypt everything within a half hour. It worked, I got it all back. Most frustrating thing was purchasing bitcoin, which took several days (aside from supporting hackers of course).
  • Simon on

    I found a chink in its armour: “It’s a pretty simple check looking for a common executable for VMware or (Oracle’s) VirtualBox,” Carter said. “If it detects either, it assumes it’s in a virtual sandbox and will not execute.” Find what files it looks for and run them in the background; this will prevent it from running, killing it before it can do anything.
    • David on

      Problem here is that these viruses evolve constantly, you can bet the authors of the virus already read that article. They will have a modified version of the virus soon and putting those processes in the background will only give you a false and dangerous sense of security.
  • Tony Butt on

    I would also have serious qualms about sponsoring hackers. I guess it's a good argument for backing up frequently and often, and finding some disaster recovery strategy to rebuild key machines. Haven't had to do it. This is basically a protection racket... Have a look for the AddioPizzo campaign in southern Italy for some inspiration.
    • Bony on

      Cryptowall also encrypts connected USB external backup drives and any data located on mapped network drives. Carbonite backups get encrypted too but they can save the day if you escalate to a level 2 tech. He/she will restore a backup for you from last week.
      • Tony on

        We use tape backups, and data safety is precisely why.
  • Anonymoose on

    Criminals with an (encrypted) heart of gold...
  • Nope on

    @Dmoore -- You should consider (or at least inform IT) removing administrator rights from everyone's PC, changing the domain admin password and starting to implement security and best-practice policies. The fact that an end user got infected should not have affected the servers or the attached backup drive, since the software would not have run on the server unless someone went onto the server and executed it. I understand that it would have affected the network shares that the end user has access to, but the servers themselves? That just sounds like bad security.
    • dmoore on

      I am the owner of the business, and the admin. I do have an IT person and internet security. I never open emails from people I do not know. I am somewhat sophisticated in phishing scams, etc. He believed I probably got it from an infected ad on a banner on a Yahoo page. I don't recall being on a Yahoo page, though. It encrypted all the drives on my computer, including the one to our server, which caused our shared software to be unusable. It infected the drive to the attached backup on the server, which is backed up remotely every night and always attached. I have since invested in better internet security with Kaspersky. The $500 ransom was a small sum (IMO) to pay (and risk), not to lose 8 years' worth of records in my small business.
  • Gary Miller on

    It would seem that Malware of this nature would fall under laws covering extortion. Since the penalties can be at least one year in prison for each count of extortion it would seem the FBI could put the people behind this Malware away for a year per extortion attempt. And restitution and a fine of $10,000 per count. This would seem to be a lot more severe than a normal hacking conviction and could put the perpetrators away for life if convicted on multiple counts.
  • Mike B on

    A lot of malware won't execute in virtual environments, so, as the second comment asks, how can I make my box look like a VM?
    • timeless on

      Do yourself a favor. Just install VirtualBox and install your OS inside the VM. Don't run anything outside of VirtualBox. Set up your host system so that it creates daily snapshots of your Virtual Machine. FWIW, OS X 10.8/10.9/10.10 run nicely inside VirtualBox on 10.8/10.9/10.10 -- and it's allowed under the OS X license. (Windows 7/8/8.1/10 also run nicely in VMs.) Very little software really needs to be on raw hardware. In those rare cases, you should be extra careful about what it is, and why it is. Personally, I'd encourage you to get a distinct box for that software.
  • parad0x on

    @Nope - You clearly have NO idea how these crypto ransomwares work. The first thing they do is look for network drives/files to attack, as this is generally where valuable data resides. It does not need to execute on the server at all, it merely needs to be able to write to a file, in order to encrypt it. I suggest you do some more research before offering your advice to someone directly affected.
  • Nate on

    The suggestion above is reasonable if you aren't running anything too resource intensive. I assume this preventative measure wouldn't work on a bare metal hypervisor though?
  • someguy on

    Just passing by, but best practices state you should have a backup secured offsite (in a SOHO network I would accept a disconnected external). AV is one layer of protection, but there is no such thing as 100% security. We don't know it is malware or a virus until it is. Backing up your files would have saved you 500 bucks and a couple of days.
  • victorious_victim on

    The best defense against this malware is a solid backup. We got hit with this (via a malicious ad banner) back in October of 2014. It got in via a user logged into one of our Citrix servers running in a virtual machine (on XenServer) with a modern AV package (though it didn't detect the virus until the next day while I was doing analysis). After shutting down the network and scanning all the servers I was able to restore all of the damaged files without forking over anything. Total downtime was 6 hours. We have over half a million data files and it only touched 1100, thanks to quick thinking and slow execution. I did take additional steps to lock things down a little more, but at the end of the day you aren't going to be able to completely eliminate the threat without sacrificing usability. But you can prepare and reduce the extent and cost of the damage.
  • Yar on

    Question. I do frequent, incremental data backups. Every few months I do a complete data-only backup. Backups are stored off site, unpowered, disconnected from everything. Software I don't care about, as I can reinstall from the original source. If I have to restore from backup, is there a chance I will also be restoring the crypto virus? Could I have been infected, and not known it, before it locked the computer? Will formatting the system OS disk, a fresh install of the OS from DVD, then restoring data from backup really clean my system, or will the virus just come back to life and nail me again? Thanks in advance.
