
Inside Cryptowall 2.0 Ransomware


Jasper_The_Rasper
Moderator
by Michael Mimoso    January 6, 2015 , 1:36 pm

If you need more evidence that ransomware is here to stay, and could turn into cybercriminals’ weapon of choice, look no further than Cryptowall.

Researchers at Cisco’s Talos group today published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption present before the ransomware activates, and its ability to detect 32- and 64-bit architectures and executing different versions for each.
 
“They went through a lot of work to hide the executable in encryption, to check if it’s running in a virtual machine, and the ability to exploit multiple environments,” said Talos security research engineer Earl Carter. “So much was put into Cryptowall 2.0. Someone went to a lot of work on the front end to avoid detection.”
 
Full Article

9 replies

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • January 6, 2015
Interesting...but to be honest to be expected. What I am interested about is whether all this 'work' has resulted in a more dangerous threat than existed before and will the likes of Webroot and others need to up their game in the heuristic stakes to detect the malicious actions of this family of malware, or not.
 
Baldrick

Jasper_The_Rasper
Moderator
@ wrote:
Interesting...but to be honest to be expected. What I am interested about is whether all this 'work' has resulted in a more dangerous threat than existed before and will the likes of Webroot and others need to up their game in the heuristic stakes to detect the malicious actions of this family of malware, or not.
 
Baldrick
I would imagine that the next "family" of Ransomware will use Cryptolocker as a baseline and build it up from there. That seems to be the natural progression of things these days. It is always a case of trying to keep up with each other or one step ahead of the competition.

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • January 6, 2015
Agreed, and that is why there needs to be a continued and increased focus on the use of heuristics since it is the behaviour that these pesky things exhibit that I believe is the key to dealing with them.
 
Baldrick

Jasper_The_Rasper
Moderator
This will interest you @ 
 
1/6/2015 By Sara Peters
 
New ransomware variant uses TOR on command-and-control traffic and can execute 64-bit code from its 32-bit dropper.
 Ransomware continues to become more sophisticated, according to new analysis of CryptoWall 2.0 released by Cisco Talos Security and Intelligence Research Group today. The latest variant uses TOR to encrypt command-and-control traffic, uses anti-VM and anti-emulation checks to impede identification, and can execute 64-bit code directly from a 32-bit dropper.
CryptoWall 2.0 is delivered via email attachments, malicious PDFs, and exploit kits. It uses a privilege-escalation vulnerability in X86-based machines to exploit 32-bit OSes -- starting with Windows Vista -- and includes a 64-bit DLL to work on AMD64 systems.
The malware variant takes advantage of the Wow64 (Windows 32-bit on Windows 64-bit) environment to switch back and forth between 32-bit and 64-bit as need be. As the report describes:
Another interesting aspect of the sample that we analyzed is that it includes some 64 bit code (and an exploit DLL) directly in its main 32-bit executable. Although the main module is running in 32-bit mode, it is capable of executing all the 64-bit functions it needs.
 
Full Article

  • Community Guide
  • 5988 replies
  • January 9, 2015
The following article is an update:

CryptoWall ransomware variant gets new defenses

By Jeremy Kirk
 
 
CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.
 
At one time, CryptoWall was a second-rate successor to CryptoLocker, which largely disappeared after law enforcement shut down the Gameover Zeus botnet that was used to distribute it.
Ransomware has been around for more than a decade, but cybercriminals have resurrected the scam over the last couple of years with surprising success. Files on computers infected with ransomware are encrypted, and victims are encouraged to pay a ransom -- usually in the virtual currency Bitcoin -- to unlock their files.
 
full article

RetiredTripleHelix
Gold VIP
This is what I don't like to see from this article. :@
 
"It is coded to run on both 32-bit and 64-bit systems, which increases its chances of running on whatever computer it infects, Carter said. Newer versions of Mac OS X and Windows are 64-bit operating systems."
 
Also this mostly comes via an email Attachment so the best thing you can do if you don't know who it's from just delete them and don't open and execute the file.
 
Daniel 😠

Jasper_The_Rasper
Moderator
See these articles from Tuesday and Wednesday as well: Inside Cryptowall 2.0 Ransomware

D_J
Community Leader
  • Community Leader
  • 346 replies
  • January 9, 2015
Well, we all have opinions so here I go with mine…
 
This is not meant to be all inclusive and there are many other steps that can be taken but here are just a few that I use to protect myself.  Computing has been a big part of my life since the days of the TI99 (that’s 1980ish for those who don’t remember it) up through the heavy hitters in the Midrange environment of today.  I surf day and night and so far so good.
 
I realize that it is impossible to circumvent a focused direct attack but there are steps the average person can take to make it a little harder for the bad guys to ruin your day.
 
Use a good router with a strong built-in firewall. Give some thought when configuring the router settings and your ACL to limit access to whom and what devices you want.  Update the firewall firmware whenever a new version is released.
 
I also use a software firewall on each machine to block inbound and outbound traffic when the system is idle.
 
Use best practices for configuring Wi-Fi to ensure it is secure as possible.
 
Keep up to date on all OS patches as soon as they are released.
 
Use strong passwords on anything password protected.
 
Don't open email from people you don't know.
Don't open email from people who do a lot of junk email forwarding with or without attachments.
If your curiosity just gets the best of you and you have to open something that is questionable, at least do it as text only (graphics, links, and attachments disabled).
 
Use browsers that you can secure with the proper settings and security extensions (example: Aviator and Firefox).
 
Prevent tracking as much as possible by using the browser or WRSA to clear all browsing history when exiting each site and before going to another.  After exiting the browser, I clear all browsing history and temp files again with CCleaner or SlimCleaner.
 
Backup, Backup, Backup.  Perform System backups (at least occasionally), not just files.  I perform full image backup on Fridays and incremental every day in between.  I store one local and one offline so the bad guys can’t get to it.  And always validate your backup.  The only thing worse than not backing up is having a backup that is no good.
 
Most importantly take some of the burden off yourself and use WRSA because it won't forget the things that I have not even mentioned.
 
Stay safe out there,
Dave

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • January 9, 2015
All good advice, Dave, and nicely condensed and appositely weighted.  Could not fault you on anything you stated therein.
 
Less knowledgeable users would be well advised to read thoroughly and take heed of the advice provided.
 
Regards, Baldrick
 
