Bad romance: Ransomware, exploit kits in criminal cuddle
Leave the exploiting to the exploit kits, we'll focus on the fleecing
The lowlifes behind the Cryptowall ransomware seem to have decided it's no longer worth developing their own exploit kits. Instead, according to analysis by Cisco, they're relying on other popular exploit kits to distribute the malware.
The ransomware was considered one of the most effective ransomware offerings: it encrypted a victim's data and offered a decryption key only after a ransom, often topping thousands of dollars, was paid.
Cryptowall asked victims for US$500 worth of Bitcoins for their data to be released.
Cisco researchers say writers of CryptoWall 3.0 have jettisoned the need to include its own exploits, with so many popular kits out there.
"The lack of any exploits in the dropper seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit's functionality could be used to gain privilege escalation on the system," the TALOS team said in an advisory.
"Breaking any step in the attack chain will successfully prevent this attack.
"Therefore, blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating ransomware and preventing it from holding your data hostage."
The Cryptowall writers dumped some of the features introduced in version two and added functionality including use of I2P, an anonymity network related to Tor, a change noted last month by the independent researchers known as Kafeine and Horge.
Version 2.0, Cisco engineers Andrea Allievi and Earl Carter said last month, sported multiple features to avoid detection by security researchers, some of which have now been dropped, and the capability to run 64-bit code from the 32-bit dropper.
New ransomware variants have since emerged to ride the wake of Cryptowall's success and that of its fellow criminal trailblazers. OphionLocker reared its ugly head in December, flipping about over malicious ad networks and using elliptic curve cryptography to lock down data.
One of the more cunning productions emerged this month in the form of ransomware capable of quietly encrypting and decrypting web databases so that the compromise was not noticed for many months.
The passage of time meant backups would also be encrypted, so that when the decryption key was finally withdrawn, system administrators would have a lot more data to lose if they opted to not pay the ransom and restore from tapes. ®
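The slow-burn scheme described above only defeats backups if nobody checks that the backups still restore. As an added example, not code from the article or from Cisco Talos, here is a small Python check a backup job could run on each new database dump: it combines a restore probe (decode the file the way a restore would and confirm it still reads as a SQL dump) with an entropy comparison against earlier backups of the same job. The dump format (mysqldump-style statements), the hash-based stand-in cipher and all sample data are assumptions constructed for the demo.

```python
"""Added example (not from the article or Cisco Talos): a restorability check
for database backups, aimed at the failure mode where backups silently fill
with ciphertext for months. Two signals per new backup:
  1. a restore probe: decode the file as a restore would (caller-supplied
     decoder such as zlib.decompress) and check it still looks like SQL;
  2. an entropy baseline: compare byte entropy with the median of earlier
     backups, so compressed fleets are not flagged by an absolute threshold.
All sample data is constructed; the "cipher" is a hash-based stand-in, not
any real ransomware algorithm."""
import hashlib
import math
import statistics
import zlib
from collections import Counter
from typing import Callable, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_sql_dump(data: bytes) -> bool:
    """Structural probe: mostly printable ASCII carrying dump-tool statements
    (mysqldump-style CREATE TABLE / INSERT INTO is an assumption)."""
    head = data[:4096]
    if not head:
        return False
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    if printable < 0.9 * len(head):
        return False
    upper = head.upper()
    return b"CREATE TABLE" in upper or b"INSERT INTO" in upper


def check_backup(new_backup: bytes, previous_entropies: list,
                 decoder: Optional[Callable[[bytes], bytes]] = None,
                 max_jump_bits: float = 1.0) -> dict:
    """Verdict for one new backup. previous_entropies: shannon_entropy() of
    earlier backups of the same job; decoder: the restore step (e.g.
    zlib.decompress), or None for a plaintext dump."""
    reasons = []
    try:
        restored = decoder(new_backup) if decoder else new_backup
    except Exception as exc:  # an encrypted or corrupt archive will not decode
        restored, reasons = b"", [f"restore probe failed: {type(exc).__name__}"]
    if restored and not looks_like_sql_dump(restored):
        reasons.append("restored content does not look like a SQL dump")
    entropy, jump = shannon_entropy(new_backup), 0.0
    if previous_entropies:
        jump = entropy - statistics.median(previous_entropies)
        if jump > max_jump_bits:
            reasons.append(f"entropy jumped {jump:.2f} bits over baseline")
    return {"entropy": round(entropy, 3), "entropy_jump": round(jump, 3),
            "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


# ---- constructed sample data (not real backups) ----
def make_sql_dump(rows: int, tag: str = "user") -> bytes:
    header = b"CREATE TABLE IF NOT EXISTS users (id INT PRIMARY KEY, name VARCHAR(64));\n"
    return header + b"".join(b"INSERT INTO users VALUES (%d, '%s%d');\n"
                             % (i, tag.encode(), i) for i in range(rows))


def fake_encrypt(data: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (self-inverse).
    Only used to produce ciphertext-like, high-entropy bytes for the demo."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


PLAIN_DUMP = make_sql_dump(300)
ENCRYPTED_DUMP = fake_encrypt(PLAIN_DUMP)
PLAIN_BASELINE = [shannon_entropy(make_sql_dump(300, f"acct{d}")) for d in range(5)]
COMPRESSED_BASELINE = [shannon_entropy(zlib.compress(make_sql_dump(300, f"acct{d}")))
                       for d in range(5)]


def demo_verdicts() -> dict:
    """Run the check over the four constructed scenarios."""
    gz = zlib.compress(PLAIN_DUMP)
    return {
        "plain_ok": check_backup(PLAIN_DUMP, PLAIN_BASELINE),
        "plain_encrypted": check_backup(ENCRYPTED_DUMP, PLAIN_BASELINE),
        "gz_ok": check_backup(gz, COMPRESSED_BASELINE, zlib.decompress),
        "gz_encrypted": check_backup(fake_encrypt(gz), COMPRESSED_BASELINE, zlib.decompress),
    }


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name:16s} {verdict['verdict']:10s} {verdict['reasons']}")
```

Running the script prints four verdicts: a healthy and an encrypted plaintext dump, then a healthy and an encrypted compressed dump. The last case is the instructive one: encrypting an already-compressed archive barely moves the entropy baseline, since compressed data is already close to 8 bits per byte, so only the restore probe catches it. Entropy scoring is a cheap early warning; the check that actually covers the scenario in the article is regularly restoring a backup and looking at what comes out.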