New CryptoWall hunts for victims with Tor

CryptoWall 2.0 is more stealthy and powerful than its predecessor.

New CryptoWall hunts for victims with Tor
New CryptoWall hunts for victims with Tor

Cisco's Talos Security and Intelligence Research Group says that CryptoWall 2.0 is “ransomware on steroids”, using Tor to obfuscate the command and control channel, anti-VM and anti-emulation checks to hide when sandboxed and a 32-bit dropper that can execute 64-bit code.

In a research paper entitled ‘Ransomware  on Steroids: CryptoWall 2.0' that was released on Wednesday, security researcher Andrea Allievi and security research engineer Earl Carter detailed how the latest ransomware continues like its predecessor in encrypting data and making it unusable until retrieved by decryption key, but it differs in that it uses Tor to conceal the perpetrators' IP address as well as a 32-bit malware dropper that can disrupt virtual machine and emulator checks in order to avoid detection when in a sandbox environment. It can also use multiple exploits to gain initial access to a solitary machine or computer network.

"Just getting these complex samples to run in a sandbox can be challenging, making analysis more complicated and involved," the pair wrote in a joint analysis.

In its test sample, the firm found that CryptoWall 2.0 would commonly gain a foothold in an organisation by using malicious email attachments, PDF files, exploit kits or a privilege-escalation vulnerability on Intel x86-based machines (CVE-2013-3660). It would then install Tor on the victim's machine to hide the command and control channel.

This latest version uses many stages of encryption even before the ransomware is activated and features a dropper which, while built for 32-bit computers, comes with a 64-bit DLL (dynamic link library) so that it can also switch and target vulnerable AMD64 Windows systems.

Cisco's researchers, meanwhile, have urged IT security teams to look out for traffic to a small collection of addresses that the ransomware calls out to outside of the network. These websites are: http://wtfismyip.com/text, http://ip-addr.es, http://myexternalip.com/raw, and http://curlmyip.com.

Responding to the news, Keith Jarvis, CTU researcher for Dell SecureWorks and the chief researcher on CryptoWall at the firm, said that the use of Tor and other anonymising services is becoming more common with ransomware.

“CryptoWall 2.0's use of Tor is a larger trend we are seeing across several different families of malware, which are using anonymity networks like Tor and I2P for command and control,” Jarvis told SCMagazineUK.com via email.

“CryptoWall first started experimenting with the Tor network in July 2014 and then started using it regularly in October 2014.”

Mark James, a security specialist with antivirus firm ESET, also said that adding Tor is a ‘natural progression' for ransomware like CryptoWall

“Tor, while quite often used for no more than protecting our identity, will be used by the bad guys to hide their comings and goings,” he told SC.

“We will continue to see this type of malware evolve as long as it continues to make big money, but there really is a relatively easy means to protect against the outcome and that is to backup. Backup hardware and software is relatively cheap compared to the average cost of paying the ransom and the backup is long term. But please understand the difference between replication and backup – a backup is a snapshot in time (of clean data) stored either onsite or offsite as opposed to replicating your data periodically that could possibly just replicate your encrypted files over your good files. Also make sure you have a good updated antivirus.”

Sagie Dulce, security researcher at Imperva, added that the reliance on Tor would also see attackers concentrate less on the command and control infrastructure.

“As time goes by, attackers devote less resources to setup an anonymous C2 infrastructure. The usage of Tor and its hidden services are an example of this. Tor provides attackers with anonymity and agility - no need to pay for or configure cloud servers. Set up is easy and could be done on any PC or Mac.” 

Dr Christopher Richardson, head of the cyber security unit at Bournemouth University, said that even more ransomware variants will come in future.

“This is the thing about ransomware, the actual way the damage is done is very basic, but the way it infects your machine is quite sophisticated," he said in a call with SC.

“I think we're going to see more [ransomware] variants for the very simple reason that since the end of 2013, it has been very highly profitable,” he said citing CryptoLocker, CryptoWall and other new versions. He also believes that there's a ‘correlation' between ransomware and the increasing value of Bitcoin, the digital currency which is often used to pay ransoms.

CryptoWall emerged last year and was reliant on rather basic tactics; it would infect the victim via spam emails, exploit kits hosted through malicious ads or compromised websites, or other malware, and would then lock the computer, encrypt the local files and generate a message saying that the PC had been seized and that files would only be returned (via decryption key) when the ransom had been paid.

Last October, Dell SecureWorks revealed that there were some 830,000 victims worldwide – a 25 percent increase from August alone - with 40,000 in the UK. However, most people in the UK didn't pay the ransom, although the 75 that did managed to generate around £37,000 for the attackers.

Ransoms typically vary between £125 and £1,250 although Dell said at the time that victims who did not pay within four to seven days would be hit by an altogether bigger penalty – one victim had to pay £6,250 for the release of their files.