CryptoWall Ransomware Malware - Introduction

Ransomware is a popular category of malware, and CryptoWall is another entry in that category.

The malware displays a message telling victims that their files have been encrypted and that they need to pay a ransom in Bitcoin to get them back.

CryptoWall is file-encrypting malware whose first version appeared around the end of April 2014; it targets all versions of the Windows OS.

In October 2014, the malware developers released a new version called CryptoWall 2.0.

In the first version, the malware developers relied on other organizations' Web-to-Tor gateways, so victims could reach the payment site from a normal browser while the actual servers, hosted on Tor, could not be discovered.

When the operators of those gateways discovered that CryptoWall was using them, they blacklisted the malware's addresses.
So in the new version, the malware developers appear to have created their own gateway to Tor.

CryptoWall scans your computer for data files and encrypts them using RSA-2048, so you are no longer able to open them.

After infection, it opens a Notepad file containing instructions on how to access the "Decryption Service", where you are told to pay in Bitcoin to purchase a decryption program.

CryptoWall is distributed via emails with ZIP attachments containing a file posing as a PDF, and it installs its files in either the %AppData% or the %Temp% folder.

After encryption, it runs the command below to delete the Volume Shadow Copies:

C:\Windows\Sysnative\vssadmin.exe  Delete Shadows /All /Quiet

Volume Shadow Copies could otherwise be used to restore the encrypted files, which is why the malware removes them. (Sysnative is the alias through which a 32-bit process reaches the real 64-bit System32 directory on 64-bit Windows, so the binary that actually runs is C:\Windows\System32\vssadmin.exe; any detection should match on the command line rather than on the path.)
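The shadow-copy deletion above is one of the most reliable things to alert on, because legitimate software almost never runs it with /All /Quiet from a binary in a user-writable folder. The following detection logic is an added example, not code from the original post: it runs over a handful of constructed process-creation events (Sysmon Event ID 1 style, flattened to "Image | CommandLine | ParentImage" for the demo) and raises the severity when the parent process lives under %AppData% or %Temp%, which is where the post says CryptoWall installs itself. The log format and the file names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample events, not real telemetry. Each line is
# "Image | CommandLine | ParentImage". The first one mirrors the vssadmin
# command quoted above, launched from a dropper in %AppData%.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe | C:\Windows\Sysnative\vssadmin.exe Delete Shadows /All /Quiet | C:\Users\bob\AppData\Roaming\3f2a9c.exe",
    r"C:\Windows\System32\vssadmin.exe | vssadmin list shadows | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\vssadmin.exe | vssadmin delete shadows /for=C: /oldest | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe | notepad.exe DECRYPT_INSTRUCTION.TXT | C:\Windows\explorer.exe",
]

# Match on the command line, not the image path, so the Sysnative alias,
# SysWOW64 or a bare "vssadmin" all trigger the same rule.
VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
ALL_QUIET = re.compile(r"/all\b.*?/quiet\b|/quiet\b.*?/all\b", re.IGNORECASE)
# Parent binaries under AppData or Temp are the dropper locations named in the post.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp)\\", re.IGNORECASE)


@dataclass
class Alert:
    severity: str
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str):
    image, cmdline, parent = (field.strip() for field in line.split("|", 2))
    return image, cmdline, parent


def detect_shadow_deletion(events: List[str]) -> List[Alert]:
    """Return one Alert per event that deletes shadow copies.

    medium   : any "vssadmin delete shadows" (an admin may do this deliberately)
    high     : wipes everything silently with /All /Quiet
    critical : additionally launched from a binary in a user-writable folder
    """
    alerts = []
    for line in events:
        image, cmdline, parent = parse_event(line)
        if not VSS_DELETE.search(cmdline):
            continue
        severity = "medium"
        if ALL_QUIET.search(cmdline):
            severity = "high"
        if USER_WRITABLE.search(parent):
            severity = "critical"
        alerts.append(Alert(severity, image, cmdline, parent))
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.command_line}  (parent: {alert.parent_image})")
```

Only the CryptoWall-style event and the manual "/for=C: /oldest" deletion fire; "vssadmin list shadows" is ignored, and the two are separated by severity so an analyst can triage the ransomware case first.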

Mechanism of Cryptowall :

1. CryptoWall begins by collecting details about the computer, such as:
  a. Computer name
  b. Processor model
and uses them to generate an MD5 hash that identifies the infected computer.

2. It then creates a new instance of explorer.exe and injects itself into it; from there it creates a new instance of svchost.exe and injects itself again. The encryption is carried out from this svchost.exe process.

3. The hash value is sent to the server, which responds with an encrypted message containing:
   a. The Tor address of the payment website
   b. A user ID for the victim's PC
   c. The RSA-2048 public key used to encrypt the files
   d. A country code (determined from the victim's IP address)

4. All communication with the server is encrypted using RC4. Note that RC4 is a stream cipher with no integrity protection, and the key has to be present in (or derivable from) the sample, so an analyst who recovers it from the malware can decrypt captured C2 traffic.

5. To find files to encrypt, CryptoWall enumerates all mounted drives with GetLogicalDriveStringsW.

6. After encrypting each file, CryptoWall adds the file's full path as a value under the HKEY_CURRENT_USER\Software\<random>\CRYPTLIST registry key.
7. CryptoWall also creates two files, DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML, on the victim's desktop.
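Steps 1, 3 and 4 together describe a small check-in protocol: hash the host details, send the hash, get back an RC4-encrypted blob with the Tor address, user ID, public key and country code. The following is an added model of that exchange with both sides' messages, written for this edit and not taken from CryptoWall or from the original post. Everything about the wire format is an assumption: the concatenation fed to MD5, the JSON encoding of the reply, and the static RC4 key, which stands in for whatever key an analyst would recover from the sample. What it shows is the point made in step 4: once you hold that key, decrypting the server's reply is a single RC4 pass.

```python
import hashlib
import json
from typing import Dict


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4. Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def victim_hash(computer_name: str, processor_model: str) -> str:
    """Step 1: MD5 over the host details.
    ASSUMPTION: plain concatenation of the two strings; the post only says
    they are hashed with MD5, not how they are combined."""
    return hashlib.md5((computer_name + processor_model).encode("utf-8")).hexdigest()


# ASSUMPTION: a static RC4 key, standing in for the key an analyst would pull
# out of the sample. The post says the traffic is RC4 but not where the key is.
C2_KEY = b"constructed-demo-key"


def build_checkin(computer_name: str, processor_model: str) -> bytes:
    """Victim -> server: the RC4-encrypted host hash (step 3)."""
    return rc4(C2_KEY, victim_hash(computer_name, processor_model).encode("ascii"))


def server_reply(checkin_blob: bytes, tor_address: str, public_key_pem: str,
                 user_id: str, country_code: str) -> bytes:
    """Server -> victim: the four fields from step 3, RC4-encrypted.
    ASSUMPTION: JSON is used as the container; the post lists the fields only."""
    host_hash = rc4(C2_KEY, checkin_blob).decode("ascii")
    reply = {
        "victim_hash": host_hash,
        "tor_address": tor_address,
        "user_id": user_id,
        "public_key": public_key_pem,
        "country_code": country_code,
    }
    return rc4(C2_KEY, json.dumps(reply).encode("utf-8"))


def decrypt_reply(blob: bytes) -> Dict[str, str]:
    """Analyst side: with the recovered key, the reply is one RC4 pass plus a parse."""
    return json.loads(rc4(C2_KEY, blob).decode("utf-8"))


def simulate_exchange() -> Dict[str, str]:
    """Run both halves of the exchange on constructed, clearly fake values."""
    checkin = build_checkin("WIN-7PC", "Intel(R) Core(TM) i5")
    blob = server_reply(
        checkin,
        tor_address="exampleonionaddress.onion",            # placeholder, not a real address
        public_key_pem="-----BEGIN PUBLIC KEY-----\n(constructed placeholder)\n-----END PUBLIC KEY-----",
        user_id="constructed-user-id-1",
        country_code="US",
    )
    return decrypt_reply(blob)


if __name__ == "__main__":
    for field, value in simulate_exchange().items():
        print(f"{field}: {value}")
```

The victim hash round-trips through the server untouched, so a defender who has the key can also tie a captured reply back to the host that sent the check-in. Nothing here authenticates the server: a stream cipher with a shared static key gives the malware confidentiality against a passive observer and nothing more.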

To find the files that have been encrypted by CryptoWall, check the Windows Registry. The key is located at a path of the following form:

HKCU\Software\<unique computer id>\<random id>
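In an incident you will usually not be reading the registry on the live box; you export the hive and work from the file. The parser below is an added example (not from the original post) that walks a "reg export" text file and lists every value name under any CRYPTLIST key beneath HKCU\Software, which covers both key layouts quoted on this page. The export content is constructed: the paths are sample file names, and the dword:00000000 value data is a placeholder, since the post only says the full path is stored as the value name.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed .reg export in the format written by "reg export HKCU\Software <file>".
# Sample paths only; the key name and value data are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\7f3e9c1a2b]
"id"="7f3e9c1a2b"

[HKEY_CURRENT_USER\Software\7f3e9c1a2b\CRYPTLIST]
"C:\\Users\\bob\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\bob\\Pictures\\family.jpg"=dword:00000000
"D:\\Shares\\contracts\\nda \"final\".pdf"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\bob\\AppData\\Roaming\\3f2a9c.exe"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
# A value line starts with a quoted name; quotes and backslashes inside are escaped.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def unescape_reg(name: str) -> str:
    """Undo the .reg escaping: \\ -> \ and \" -> " inside value names."""
    return re.sub(r"\\(.)", r"\1", name)


def list_encrypted_files(reg_text: str) -> List[str]:
    """Return the full paths stored as value names under any CRYPTLIST key."""
    paths: List[str] = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        # Only values under HKCU\Software\...\CRYPTLIST are of interest.
        upper = current_key.upper()
        if not (upper.startswith("HKEY_CURRENT_USER\\SOFTWARE\\") and upper.endswith("\\CRYPTLIST")):
            continue
        value_match = VALUE_LINE.match(line)
        if value_match:
            paths.append(unescape_reg(value_match.group(1)))
    return paths


def count_by_drive(paths: List[str]) -> Dict[str, int]:
    """Quick scoping view: how many encrypted files per drive letter."""
    return dict(Counter(p[:2].upper() for p in paths))


def load_reg_export(path: str) -> str:
    """reg export writes UTF-16LE with a BOM; Python's utf-16 codec handles the BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    files = list_encrypted_files(SAMPLE_REG)
    for p in files:
        print(p)
    print(count_by_drive(files))
```

On a real case, run "reg export HKCU\Software cryptowall.reg" in the victim's user context (the key is per-user), then call load_reg_export on that file instead of SAMPLE_REG. The per-drive count is useful for scoping: a D: entry, as in the sample, tells you a mapped share was reached, which matches the drive enumeration in step 5.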

This is the introduction thread for the CryptoWall malware. In my next thread, we will discuss how to prevent your computer from becoming infected by CryptoWall by using Software Restriction Policies.



HACKARDE © 2011 | Designed by HrDe