CryptoWall 4.0 now deploying through the Nuke EK

CryptoWall 4.0 has been spotted being distributed not by the classical phishing campaign but by the ever-more prevalent exploit kit.

It's not only CryptoWall that has been updated but also its method of delivery
It's not only CryptoWall that has been updated but also its method of delivery

CryptoWall 4.0, that perpetual thorn of cyber-security, has found yet a new method of deployment. CryptoWall 4.0, the stealthier, bigger and badder version of 3.0, has been found to being spread by the Nuke exploit kit (EK).

Heimdall Security CEO Morten Kjaersgaard confirmed to SCMagazineUK.com that “only today we have had multiple sightings of CryptoWall 4.0 delivery via Nuclear EK from a range of websites". 

The SANS Internet Storm Center first reported it earlier this week when it discovered that an attacker working on domains belonging to a Chinese registrar had been moving the ransomware with the Nuke EK. This is supposedly the first time CryptoWall 4.0 has been spread in this manner.

First found in 2009, the Nuke EK has been a kind of Swiss army knife for the hacker: it can deploy attacks on any number of widely used programmes and applications as well as deploying any kind of malware that its master might decide on. 

It has been implicated in such famed breaches as the AskMen hack and was used in connection with Operation Windigo. One report from Raytheon describes the Nuclear EK as having “a wide range of attacks in its repertoire, including Flash, Silverlight, PDF, and Internet Explorer exploits, and it is capable of dropping any malware. Furthermore, Nuclear Pack is constantly being improved by its creators to avoid detection and achieve higher infection rates.”

EKs are a popular piece of equipment for cyber-criminals, requiring little skill and coming with the ability to launch a wide variety of exploits and malware infections. 

EKs such as Angler have made cyber-security headlines with tales of their success like helping to drive up malvertising campaigns by 325 percent. Essentially, exploit packs like Angler or Nuke can help a relatively amateur cyber-criminal to perform sophisticated attacks without the skill they would otherwise need. 

The use of EKs has risen in conjunction with the rise of cyber-crime as a service (CaaS) where professional hackers remove themselves one step from actual theft and make money easing the process of hacking for other criminals.

Ransomware, like CryptoWall 4.0, typically works by encrypting an unsuspecting user's files after they unwittingly download the malware via a phishing email, and then charging them in bitcoin for their decryption.

In its day, 3.0 had quite a time before being handily undressed recently in the maiden report by the Cyber-Threat Alliance, a group of industry figures who work together to resist problems which affect them collectively. 

That report unveiled some troubling information about 3.0 including the fact this single piece of ransomware may have been conducted by one group responsible for more than £200 million worth of losses for its victims. 

It wasn't long before this malware returned in a new form, stealthier, smarter and just as ready to blackmail its victims and encrypt their files as ever before. 4.0 built upon 3.0 in the fact that it encrypted file names as well as files themselves, so the user could not tell exactly what files had been encrypted and what had not and was even stealthier to anti-virus software.

3.0 and the younger, vivacious 4.0 traditionally spread themselves via phishing emails, a widely used tactic wherein the  attacker will send out emails to thousands upon thousands of potential victims. Those unlucky or gullible enough to open the emails would soon find their files in the clutches of CryptoWall.

Alexandru Catalin Cosoi, chief security strategist at Bitdefender, the company that released a vaccine for CryptoWall 4.0, spoke to SC, saying that this new development was inevitable. “It was a matter of time until social engineering took a backseat to drive-by downloads in compromised websites and online ads,” said Cosoi. “EKs don't require human interaction, have access to an expanded attack surface and often boast sophisticated antivirus evasion techniques.”

The Nuke EK “will help deploy this strain of ransomware at a larger scale. Users are advised to use a security solution that detects and blocks EKs and add an extra layer of protection to their system, such as the CryptoWall 4.0 Vaccine.”