Cryptowall ransomware's tough layers peeled
Cisco researchers reveal cunning crypto and 64-bit emulation tricks
Cryptowall's 2.0 incarnation is hidden in a tough shell crafted by developers paranoid about the security research community, technical analysis reveals.
The ransomware has matured much since it emerged last year, encrypting victims' files and demanding money for the supply of a decryption key. Its superior design led to criminals generating an estimated US$1 million in profits in six months.
Cisco engineers Andrea Allievi and Earl Carter, peeling back the layers of the Cryptowall 2.0 onion, found its creators had gone to lengths to avoid detection and to ensure successful execution on different platforms.
"Just getting these complex samples to run in a sandbox can be challenging, making analysis more complicated and involved," the pair wrote in a joint analysis.
"The dropper utilises multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes.
"One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper [and] is indeed able to switch the processor execution context from 32 bit to 64 bit."
The code fires command and control signals over Tor in an effort to conceal IP addresses.
It also uses many layers of encryption and, through a downloaded binary, checks for sandboxes at multiple stages of execution in the hope of preventing the malware from running on researchers' machines.
Execution would also cease if a simple function detected that it was running in a virtual machine environment. This had the possible unintended upshot of saving virtualised shops from Cryptowall.
A subsequent dropper was generated if no virtual machines were detected.
Infected enterprises might notice a rush of traffic to wtfismyip.com as Cryptowall checks outside the network in the latter stages of infection.
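One way a defender could turn the wtfismyip.com observation into a detection is to watch proxy logs for a burst of requests to that external-IP lookup service from a single client. The following is an added example, not code from the article or the Cisco analysis; the log format and the sample lines are constructed, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed web-proxy log lines (not from the article or the Cisco report):
# "<ISO timestamp> <client IP> <HTTP method> <URL>".
SAMPLE_LOG = """\
2015-01-07T10:00:01 10.0.0.5 GET http://intranet.example/home
2015-01-07T10:00:03 10.0.0.23 GET http://wtfismyip.com/text
2015-01-07T10:00:04 10.0.0.23 GET http://wtfismyip.com/text
2015-01-07T10:00:06 10.0.0.23 GET http://wtfismyip.com/text
2015-01-07T10:00:09 10.0.0.23 GET http://wtfismyip.com/json
2015-01-07T10:05:00 10.0.0.8 GET http://wtfismyip.com/text
2015-01-07T11:00:00 10.0.0.23 GET http://update.example/check
"""

# wtfismyip.com is the service the article names; extend the set per environment.
WATCHED_HOSTS = {"wtfismyip.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, client, hostname) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlparse(m.group(4)).hostname or ""
    return datetime.fromisoformat(m.group(1)), m.group(2), host.lower()


def find_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Map client -> peak count of watched-host requests in any `window`,
    keeping only clients whose peak reaches `threshold` (assumed defaults)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in WATCHED_HOSTS:
            hits[parsed[1]].append(parsed[0])
    flagged = {}
    for client, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

A single lookup (10.0.0.8 above) is normal user behaviour and is not flagged at the default threshold; the repeated checks from 10.0.0.23 within a minute are.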
Avoiding bad sites, educating and testing users' ability to detect phishing emails and sites, will do much to reduce the chance of infection.
"Breaking any step in the attack chain will successfully prevent this attack, therefore blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating ransomware and preventing it from holding your data hostage," the pair of researchers wrote.
Many malware authors have gone to great lengths to avoid the eyes of prying researchers, leading to a cat-and-mouse game of detection and evasion in which lessons learnt were built into subsequent iterations of crimeware.
Vxers made that effort because profits tended to dry up once malware was reversed and remedies found.
But not all the effort paid off: FireEye researchers detailed late last year how skilled criminal coders had made epic blunders and committed acts of massive over-engineering in their attempt to weave creative malware. ®