
Cryptowall ransomware's tough layers peeled

Cisco researchers reveal cunning crypto and 64-bit emulation tricks

The 2.0 incarnation of Cryptowall is hidden in a tough shell crafted by developers paranoid about the security research community, technical analysis reveals.

The ransomware has matured much since it emerged last year, encrypting victims' files and demanding money for the supply of a decryption key. Its superior design led to criminals generating an estimated US$1 million in profits in six months.

Cisco engineers Andrea Allievi and Earl Carter, peeling back the layers of the Cryptowall 2.0 onion, found its creators had gone to great lengths to avoid detection and to ensure successful execution on different platforms.

"Just getting these complex samples to run in a sandbox can be challenging, making analysis more complicated and involved," the pair wrote in a joint analysis.

"The dropper utilises multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes.

"One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper [and] is indeed able to switch the processor execution context from 32 bit to 64 bit."

The code sends its command-and-control traffic over Tor in an effort to conceal the IP addresses involved.

It also wraps itself in many layers of encryption and, via a downloaded binary, checks for sandboxes at multiple stages of execution in the hope of never running on malware researchers' machines.

Execution also ceases if a simple check determines the code is running in a virtual machine, which has the possible unintended upshot of sparing heavily virtualised shops from Cryptowall.

If no virtual machine is detected, the next-stage dropper is generated.

Infected enterprises might notice a rush of traffic to wtfismyip.com as Cryptowall reaches outside the network, in the latter stages of infection, to look up the victim's public IP address.
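That wtfismyip.com traffic is the kind of thing a proxy or DNS log sweep can surface. Below is an added example of such a sweep; it is not code from Cisco's analysis or from this article. It assumes a simplified Squid-style proxy access log (epoch, client IP, method, URL, status), and every hostname other than wtfismyip.com in the indicator set, along with all the log lines, is constructed for illustration.

```python
"""Flag internal clients that talk to external IP-check services.

Added example, not Cisco's or The Register's code. The log format is a
simplified Squid-style access log; the sample lines are constructed, and
the indicator domains other than wtfismyip.com are hypothetical.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicator set. wtfismyip.com is the one named in the article; the other
# entry is a hypothetical placeholder a defender would replace with the
# IP-check services they actually want to watch for.
IP_CHECK_DOMAINS = {
    "wtfismyip.com",
    "example-ipcheck.test",   # hypothetical
}

# <epoch> <client_ip> <method> <url-or-host:port> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+"
    r"(?P<status>\d{3})$"
)

# Constructed sample log: one client hits wtfismyip.com three times (plain
# HTTP, a CONNECT tunnel, and a mixed-case URL), one hits the hypothetical
# second indicator, one is benign, and one line is malformed.
SAMPLE_LOG = """\
1420070400.101 10.0.5.23 GET http://intranet.example.test/index.html 200
1420070401.250 10.0.5.23 GET http://wtfismyip.com/text 200
1420070401.900 10.0.5.23 CONNECT wtfismyip.com:443 200
1420070402.010 10.0.5.41 GET http://www.example-ipcheck.test/ 200
1420070403.330 10.0.5.77 GET http://news.example.test/ 200
malformed line here
1420070404.500 10.0.5.23 GET http://WTFISMYIP.com/json 200
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(method, url):
    """Extract the destination host; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]          # IPv4/hostname form only
    else:
        host = urlparse(url).hostname or ""   # .hostname is already lowercased
    return host.lower().rstrip(".")


def is_ip_check_host(host):
    """Match the domain itself or any subdomain, never a lookalike suffix."""
    return any(host == d or host.endswith("." + d) for d in IP_CHECK_DOMAINS)


def ip_check_hits(log_text):
    """Map each client IP to the (timestamp, host) pairs that hit an indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                          # skip garbage rather than crash
        host = host_of(rec["method"], rec["url"])
        if is_ip_check_host(host):
            hits[rec["client"]].append((float(rec["ts"]), host))
    return dict(hits)


def flagged_clients(log_text, min_hits=1):
    """Sorted client IPs with at least min_hits indicator contacts."""
    return sorted(c for c, h in ip_check_hits(log_text).items()
                  if len(h) >= min_hits)


if __name__ == "__main__":
    for client, events in sorted(ip_check_hits(SAMPLE_LOG).items()):
        print(f"{client}: {len(events)} IP-check contact(s)")
        for ts, host in events:
            print(f"    {ts:.3f}  {host}")
```

Running the sweep against the sample log flags 10.0.5.23 (three contacts) and 10.0.5.41 (one); a `min_hits` of 2 narrows the list to the client showing the "rush" the article describes. The suffix check deliberately matches `www.wtfismyip.com` but not `notwtfismyip.com`, since a naive `in` test would produce false positives on lookalike names.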

Avoiding bad sites, and educating users and testing their ability to spot phishing emails and sites, will do much to reduce the chance of infection.

"Breaking any step in the attack chain will successfully prevent this attack, therefore blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating ransomware and preventing it from holding your data hostage," the pair of researchers wrote.

Many malware authors have gone to great lengths to avoid the eyes of prying researchers, leading to a cat-and-mouse game of detection and evasion in which lessons learnt are built into subsequent iterations of crimeware.

Vxers make the effort because profits tend to dry up once malware is reversed and remedies are found.

But not all the effort paid off: FireEye researchers detailed late last year how skilled criminal coders had made epic blunders and committed acts of massive over-engineering in their attempt to weave creative malware. ®
