A new version of the Cryptowall ransomware may be about to hit businesses and consumers, with suspicion that the first version was just a test.
According to research by F-Secure, the first samples of ransomware calling itself “CryptoWall 2.0” have been spotted in the wild. F-Secure said that CryptoWall 2.0 appears to use a new packer/obfuscator with an increased amount of anti-debugging and anti-static-analysis tricks. However, upon infection, CryptoWall 2.0’s payload is almost identical to the samples seen in the original version earlier this summer.
Sean Sullivan, security advisor at F-Secure, told IT Security Guru that the core is the same but the outer packer/obfuscator shell is different, meaning that static detection will not catch it, whereas a modern anti-virus that runs an emulated sandbox will.
“For most organisations, that repacking and obfuscation will be a problem,” he said. “The unique obfuscation would be spotted by our product and not let it run, but businesses do not like a cloud query and it is usually locked down by firewalls. Businesses don’t use the modern features and are not protected; consumers would be if they have the latest and greatest technology.”
Asked if those who were protected against the first version would be protected here, Sullivan said they would be, at the core, if their anti-virus runs a sandbox, as the behavioural engine would be able to detect it.
“One layer should be able to detect it, but it depends on how good the anti-virus is at looking at the individual layers,” he said. “A lot of businesses rely on the static signature layer, which is not really good enough.”
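The distinction Sullivan draws between the static signature layer and the emulation/behavioural layer can be shown with a toy model. This is an added illustration, not code from F-Secure or from the article: the "core payload", the one-byte XOR packer, the stub markers and the behaviour rule are all constructed for the example and bear no relation to real CryptoWall internals. The point it demonstrates is that a hash or byte pattern written against the first wave stops matching as soon as the outer layer is repacked, while a detection that judges what actually executes after unpacking still fires.

```python
import hashlib
import re

# Constructed stand-in for the ransomware "core" that the article says is
# almost identical between the original CryptoWall and CryptoWall 2.0.
# These bytes are made up for this example, not taken from any real sample.
CORE_PAYLOAD = (
    b"EnumerateFiles(*.doc;*.xls;*.jpg);"
    b"RSA_Encrypt(per_file_AES_key);"
    b"DropNote(DECRYPT_INSTRUCTION.TXT)"
)

# Behaviour an emulating engine would observe regardless of the packer:
# enumerate user documents, encrypt them, drop a ransom note.
RANSOMWARE_BEHAVIOUR = re.compile(rb"EnumerateFiles.*Encrypt.*DropNote")


def pack(payload: bytes, key: int, stub_tag: bytes) -> bytes:
    """Toy packer: an unpacker-stub marker, a '|' separator, a one-byte key,
    then the payload XORed with that key. Real packers are far more
    elaborate; this is only enough to change the outer bytes while leaving
    the inner payload untouched."""
    return stub_tag + b"|" + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> bytes:
    """What a sandbox/emulator effectively does: run the stub far enough to
    recover the payload that would actually execute."""
    stub_end = sample.index(b"|") + 1
    key = sample[stub_end]
    return bytes(b ^ key for b in sample[stub_end + 1:])


def static_signature(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def static_layer_detects(sample: bytes, known_hashes: set, known_stubs: set) -> bool:
    """Signature layer: file hash, or a byte pattern taken from the first
    wave's packer stub. Neither survives a repack of the same core."""
    if static_signature(sample) in known_hashes:
        return True
    return any(stub in sample for stub in known_stubs)


def behavioural_layer_detects(sample: bytes) -> bool:
    """Emulation/behaviour layer: judge the unpacked payload, not the wrapper."""
    return RANSOMWARE_BEHAVIOUR.search(unpack(sample)) is not None


def layered_scan(sample: bytes, known_hashes: set, known_stubs: set) -> dict:
    return {
        "static": static_layer_detects(sample, known_hashes, known_stubs),
        "behavioural": behavioural_layer_detects(sample),
    }


def build_samples() -> tuple:
    """Original wave and a repacked '2.0' wave of the same core payload."""
    v1 = pack(CORE_PAYLOAD, key=0x5A, stub_tag=b"STUB-v1")
    v2 = pack(CORE_PAYLOAD, key=0xC3, stub_tag=b"STUB-v2")
    return v1, v2


def demo() -> tuple:
    """Scan both waves with signatures that could only have been written
    after seeing the first one."""
    v1, v2 = build_samples()
    known_hashes = {static_signature(v1)}
    known_stubs = {b"STUB-v1|"}
    return (layered_scan(v1, known_hashes, known_stubs),
            layered_scan(v2, known_hashes, known_stubs))


if __name__ == "__main__":
    for name, result in zip(("original", "repacked 2.0"), demo()):
        print(f"{name}: static={result['static']} behavioural={result['behavioural']}")
```

Running it shows the original wave caught by both layers and the repacked wave caught only by the behavioural layer. A deployment that cannot or will not use that second layer (the cloud-query and sandbox features Sullivan mentions) is in the same position as the static layer here.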
Troy Gill, manager of security research at Appriver, said that Appriver had seen the recent push of Cryptowall and that since 1 October it had quarantined just over five hundred thousand of these messages, which is obviously only a small portion of the actual traffic from this group.
He said: “Since businesses rely heavily upon signature-based malware detection, unfortunately it is still possible for those protections to be evaded. In this case the original email contains a smaller ‘dropper’ type program.
“Once the dropper has gained a foothold on the victim’s machine it will reach out to download additional malware. Cyber criminals are constantly repackaging their software in an attempt to evade anti-virus systems. So while the initial infection vector can change, the payload can remain the same.”
Asked if he felt that this would resurrect the trend of ransomware after a “strong” trend in early 2014, Sullivan said he felt it could, as CryptoLocker’s distribution was cut off by the GameOver Zeus takedown, which suspended things.
“We are seeing a trend, as banks are protecting against man-in-the-middle attacks and the trend is moving from banking transactions being secure from client to server,” he said.
“The bad transactions are also blocked, so ransomware is an option as CryptoLocker did a job in the English language and it is a learning curve and once they manage that, they are off to the races as the money is on the table. The bots have been converted and it is the most effective way of monetising those bots that belong to consumers and small businesses.”
Gill said: “Ransomware, like Cryptowall, never really went away but there was a period of relative calm over the summer months. This ebb and flow of malicious activity is the norm in the malware underworld.
“Just like legitimate developers, malware authors need to take time to go through development phases as well. This new brand of aggressive style ransomware has proven quite effective, so it is not going anywhere any time soon.”
He recommended having solid security measures in place to protect against this infection and also maintaining a backup system that can mitigate any damage caused by this malware (this goes for everyone and not just the enterprise).
TK Keanini, CTO of Lancope, said that regardless of the version, one thing that is true is that a proper backup of the file system on a regular basis is the best countermeasure. “These attackers are banking on the fact that no one practices good backup procedures,” he said.