It’s been the norm in the cybersecurity industry to be intrigued and at the same time be infuriated by the people behind any successful large-scale malware attack. Ransomware is one such example. It’s been slowly released in the wild since the early 2009, but CryptoWall redefined the meaning of ransomware and took it to the next level. Early ransomware used file sharing sites to upload infected files disguised as a normal file that could be downloaded by anyone. Once downloaded, it would run through the user’s machines and start encrypting the user’s data or locking their machines. So how did the CryptoWall evade our traditional defender – antivirus? We’ll break down just how CryptoWall did it:
ACT I: Setting the Stage
Communication is the most common tool in any business today. CryptoWall authors have been scraping the Internet for any published company email addresses (usually available via marketing sites) to use as the entry point of the attack. These sourced email addresses are then blasted with phishing emails. These phishing emails are crafted in a way that makes the receiver think it’s an important email and should be read and understood properly. They usually contain a link to a direct download or a file attachment of CryptoWall – unbeknownst to the user. The encryption starts when the user clicks.
Here is the sample of a ransomware-laced email disguised as a booking.com email:
Booking.com email example
ACT II: The Latest CryptoWall 4.0 Disassembled
CryptoWall 4.0
Md5: e73806e3f41f61e7c7a364625cd58f65
On the initial infection, the sample resolves the addresses of all the API functions that it needs to call later. This is done by means of a list of hashes, one for the name of every API call. This way the malware does not have to use an import table or store API names directly as strings.
Next, the malware gathers the following system information:
- ComputerName
- UserName
- SystemDrive serial number
- CPU INFO (using PROCESSOR_IDENTIFIER)
- Number of CPUs (using PROCESSOR_Level)
- Revision Number of CPU (using PROCESSOR_REVISION)
- OS Major version
- OS Minor version
- IsWow64
- Keyboard Layout
Among the loaded modules are DLLs related to Windows Crypto API (CRYPTSP), Windows 7 Enhanced Cryptographic Provider (RSAENH). This suggests that the malware is going to perform some cryptographic operations.
It will create the md5 hash of the victims PC using the above system information by using the following API sequence:
- CryptAcquireContext
- CryptCreateHash ; Algorithm ID = CALG_MD5 0x00008003, hash key: nonkeyed algorithm (0)
- CryptHashData
- CryptGetHashParam
Example:
The malware will inject code in a newly spawned child process – Explorer.exe – using the following APIs:
- ZwCreateSection
- ZwMapViewOfSection
- ZwAllocateVirtualMemory
- ZwWriteVirtualMemory
- ZwProtectVirtualMemory
- ZwQueueApcThread
- ZwResumeThread
It will create a copy of the original file in the %APPDATA% folder and create AutoStart Registry entry.
The injected code will be responsible for disabling system protection, as well as deleting all the system shadow copy and injecting code in a newly spawned process, svchost.exe.
Deleting shadow copies, allowing the malware to disable file recovery services.
AV Limitations:
– Emulation TimeOut
Disable system restore
Execution continues in the svchost.exe process. This process formulates the commands needed to communicate with the C&C server. It will also gather the above system information and generate an md5 hash of the victims PC that will be used in communicating with the C&C server.
Some of the C&C servers:
C&C servers
The network communication is using HTTP, but with an encrypted payload. It will try to establish a connection in one of the following I2P proxy through I2P URLs. Once it succeeds, it will send a POST request with the encoded string request.
CryptoWall stores the following information inside a configuration file:
- Received public key binary data
- TXT
- HTML
- PNG
The last three files will be written in each folder of the victim’s system after the file-encryption process.
- Normal file behavior
- Payload after multiple layers of encryption
ACT III: “It’s like I left my keys inside my car”
If you’ve ever locked your keys inside your car, you know how irritating it feels. You know where they are, but you can’t do anything about it and you have to pay a locksmith to open it for you – or get real crafty with a wire coat hanger. Ransomware is a lot like that: Your most precious information and data has been held for ransom, and there is a chance that it could be released to the public – and you have no way to stop it.
HELP_YOUR_FILES.HTML
Once CryptoWall has finished encrypting your files, it will launch the ransom notes that explain what happened and how to purchase the decrypter.
For an even deeper dive into CryptoWall, check out our analysis of CryptoWall 4 here.
ACT IV: Finding Solutions to Guard Against Ransomware
The bright spot in all this is that, if you can see the trend of the infection, there are lots of points where we can actually stop CryptoWall.
The first stop is via email. Advanced email defense solutions designed to catch malware that evades traditional defenses is a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop CryptoWall from encrypting and taking the data from you.
The next defense is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.
The post The Day the Earth Stood Still for CryptoWall appeared first on ThreatTrack Security Labs Blog.