The Cryptowall ransomware has evolved into a third-generation baddie, with a streamlined dropper and new functionality such as incorporating I2P anonymous network communication.
According to an analysis from Cisco, the updated dropper is the main change in the new variant; it is much more streamlined in functionality, and many of the dropper features deployed in Cryptowall 2.0 are no longer present in the 3.0 sample.
The latest 3.0 sample comes wrapped in a zip file contains multiple dropper files which are essentially identical in functionality except for the encryption algorithm used to obfuscate the dropper and eventually build the Cryptowall 3.0 binary. But, several dropper features have been removed, including multiple exploits and an anti-VM check to prevent it from running in virtual environment.
It’s likely that the changes indicate that Cryptowall’s authors are focusing more on exploit kits as an attack vector.
“Examining the dropper in the 2.0 sample indicates that it includes a lot of useless API calls and dead code,” said Cisco researchers Andrea Allievi and Earl Carter, in the analysis. “Apparently the dropper for this version of Cryptowall has been streamlined.”
They added, “The lack of any exploits in the dropper seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit’s functionality could be used to gain privilege escalation on the system. Without privilege escalation, attempting to turn off many enabled security features on the system is likely to fail.”
They also found that Cryptowall 3.0 acquires much of system information (like the computer name, main processor speed and type, and so on), and generates a global MD5 used as Victim ID. Much of this is sent back to the command and control server using anonymous networks. This includes adding support for the “invisible internet project,” known as I2P.
“One of the new features of CryptoWall 3.0 is the usage of I2P network,” they explained. “Ransomware variants continue to try to improve the stealth of their network communications using networks such as Tor and I2P.”
For web users, identifying and stopping ransomware variants requires a layered security approach.
“Breaking any step in the attack chain will successfully prevent this attack,” the Cisco researchers said. “Therefore, blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating ransomware and preventing it from holding your data hostage.”
Establishing a solid backup and restore policy is also crucial to overcoming attacks to data.