Ransomware is a popular category of malware, and CryptoWall is another entry in this category. The malware displays a message telling victims that their files have been encrypted and that they need to pay a ransom in Bitcoin.
CryptoWall is file-encrypting malware whose first version was released around the end of April 2014; it targets all versions of the Windows OS. In October 2014, the malware developers released a new version called CryptoWall 2.0.
In the first version, the malware developers were using other organizations' Web-to-TOR gateways, so the victim was not able to discover the servers located on the TOR network. When the TOR developers discovered that CryptoWall was using them, they blacklisted the gateway. So in the new version, the malware developers appear to have created their own gateway to TOR.
CryptoWall will scan your computer for data files and encrypt them using RSA-2048 encryption, so you will not be able to open your files. After infection, it opens a Notepad file that contains instructions on how to access the Decryption Service, where you need to pay Bitcoin to purchase a decryption program.
CryptoWall is distributed via emails carrying Zip/PDF files, and it installs its files in either the %AppData% or %Temp% folder.
After encryption, it runs the command below to delete the Shadow Volume Copies, which could otherwise be used to restore your encrypted files:

    C:\Windows\Sysnative\vssadmin.exe Delete Shadows /All /Quiet
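As an added detection example (not part of the original post), here is a small Python check that flags process-creation events in which vssadmin.exe is run to delete all shadow copies, the command quoted above. The events are constructed Sysmon-style samples, and the field names (Image, CommandLine, ParentImage) are assumptions about the log format, not something the post specifies.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not
# real telemetry: one benign vssadmin use, the CryptoWall deletion command
# quoted in the post, and an unrelated process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Sysnative\vssadmin.exe",
     "CommandLine": r"C:\Windows\Sysnative\vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe DECRYPT_INSTRUCTION.TXT",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Case-insensitive match for "vssadmin ... delete shadows ... /all"; the
# argument order is the one CryptoWall uses, and /Quiet is not required so
# that variants without it are still caught.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all",
                           re.IGNORECASE)


def is_shadow_deletion(event):
    """True when the event is vssadmin.exe deleting all shadow copies."""
    image = event.get("Image", "").lower()
    if not image.endswith("vssadmin.exe"):
        return False
    return SHADOW_DELETE.search(event.get("CommandLine", "")) is not None


def find_shadow_deletions(events):
    """Return the suspicious events with a short reason, for alerting or triage."""
    hits = []
    for ev in events:
        if is_shadow_deletion(ev):
            hits.append({
                "reason": "vssadmin deleted all shadow copies",
                "command": ev["CommandLine"],
                # The parent is worth keeping: the post describes the
                # malware running out of an injected explorer.exe/svchost.exe.
                "parent": ev.get("ParentImage", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_deletions(SAMPLE_EVENTS):
        print(hit)
```

Legitimate backup software rarely deletes every shadow copy at once from a user-facing parent such as explorer.exe, so the parent image is the first thing to look at when such an alert fires.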
Mechanism of CryptoWall:
1. CryptoWall begins by collecting details about your computer, such as:
   a. Computer Name
   b. Processor Model
   These are used to generate an MD5 hash that identifies the infected computer.
2. It starts the event, creates a new instance of explorer.exe and injects itself into it; the malware then creates a new instance of svchost.exe and injects itself into that as well. From here, encryption takes place.
3. The hash value is sent to the server, which then responds with an encrypted message containing:
   a. TOR address of the website
   b. User ID for the victim's PC
   c. Public key used to encrypt the files with RSA-2048
   d. Country code (determined by the victim's IP address)
4. All communication with the server is encrypted using RC4.
5. To search for files, CryptoWall scans the system for all mounted drives using GetLogicalDriveStringsW.
6. After encrypting a file, CryptoWall adds its full path as a value under the HKEY_CURRENT_USER\Software\<random>\CRYPTLIST registry key.
7. CryptoWall creates two more files, DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML, on the victim's Desktop.
To find the files that have been encrypted by CryptoWall, check the Windows Registry. The location of the key is in the format below:

    HKCU\Software\<unique computer id>\<random id>
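As an added example that is not part of the original post, the following Python script parses a .reg export of the CRYPTLIST key described in step 6 and in the paragraph above, and lists the encrypted file paths so an analyst can build a recovery inventory without touching the live hive. The export text, the key name 3a1f9c2e and the value layout (each encrypted file's full path stored as the value name) are constructed assumptions; the post only says the path is recorded as a value under the key.

```python
import re

# Constructed .reg export, not a real infection artifact. Assumption: the
# encrypted file's full path is the value name under CRYPTLIST; the data is
# treated as opaque. A sibling key is included to show it is ignored.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\3a1f9c2e\CRYPTLIST]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000001
"C:\\Users\\alice\\Pictures\\holiday.jpg"=dword:00000001
"C:\\Users\\alice\\Desktop\\notes.docx"=dword:00000001

[HKEY_CURRENT_USER\Software\3a1f9c2e]
"version"="2.0"
'''

KEY_HEADER = re.compile(r"^\[(.+)\]$")
# A quoted value name (with \\ and \" escapes) followed by '=' and the data.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_HEADER.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # .reg escapes backslash and quote with a backslash; undo that.
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            keys[current][name] = m.group(2)
    return keys


def cryptlist_files(text):
    """List file paths recorded under any HKCU\\Software\\<random>\\CRYPTLIST key."""
    files = []
    for key_path, values in parse_reg_export(text).items():
        parts = key_path.split("\\")
        # Match exactly HKEY_CURRENT_USER\Software\<random>\CRYPTLIST.
        if (len(parts) == 4 and parts[0] == "HKEY_CURRENT_USER"
                and parts[1].lower() == "software"
                and parts[3].upper() == "CRYPTLIST"):
            files.extend(values.keys())
    return sorted(files)


if __name__ == "__main__":
    for path in cryptlist_files(SAMPLE_REG_EXPORT):
        print(path)
```

The export is produced on the infected machine with `reg export HKCU\Software <file>` and then parsed offline; comparing the resulting list against backups tells you which files actually need restoring.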
This is the introduction thread for the CryptoWall malware. In my next thread, we will discuss how to prevent your computer from becoming infected by CryptoWall using Software Restriction Policies.