Exploit Kits and CryptoWall 3.0

Brad Duncan is a Security Analyst at Rackspace, where he investigates suspicious network activity.  Reviewing alerts on web traffic from Rackspace offices worldwide, we occasionally discover domains hosting exploit kits or other malicious files.  Our researchers investigate these leads to gather malware samples, identify threat actors, and determine other indicators of malicious activity.  This blog entry discusses one such recent investigation.

A new version of CryptoWall was reported in January 2015, bringing the malware to version 3.0. It appeared after a hiatus of roughly two months over the 2014 holiday season [1].

CryptoWall is a form of ransomware: malware that encrypts personal files on a computer and demands a ransom payment before the affected user can recover those files. CryptoWall is designed to infect computers running Microsoft Windows.

Previous versions of CryptoWall were spread through malicious emails, and the malware also arrived through exploit kit traffic generated by compromised websites. Initial analysis of CryptoWall 3.0 indicates the malware’s authors may now be focusing on exploit kits as an attack vector [2]. This matches our observations: so far, we have seen CryptoWall 3.0 only from exploit kit traffic, including the Magnitude and Fiesta exploit kits.

Below is an example of Fiesta exploit kit traffic from 2015-02-19, along with the callback activity generated by the resulting CryptoWall 3.0 infection on the victim host.

Shown above: Wireshark display of Fiesta EK traffic and CryptoWall 3.0 callback activity.

In the above image, Fiesta exploit kit comes from the myftp.biz domain on 69.64.49.212. Everything else is callback traffic generated by the CryptoWall 3.0 infection. More information on recent Fiesta exploit kit activity can be found at blog.0x3a.com [3].
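The separation the author makes in the capture above, first the exploit kit hits and then everything else from the same host as callback traffic, can be scripted for triage. The following is an added example, not code from the original post or from Rackspace: it reads HTTP request records, flags requests to the Fiesta EK indicators named above (myftp.biz and 69.64.49.212), and lists the hosts each flagged client contacted afterward as callback candidates. The log format, the client addresses and the callback hosts in the sample are constructed for the example; only the EK domain, IP and date come from the post.

```python
"""Separate exploit kit hits from post-infection callbacks in HTTP logs.

Added example, not from the original post. Only the Fiesta EK indicators
(myftp.biz and 69.64.49.212) and the date come from the post; the log
format, client addresses and callback hosts below are constructed.
"""
from collections import defaultdict
from datetime import datetime

EK_DOMAINS = {"myftp.biz"}   # Fiesta EK domain from the post (subdomains match too)
EK_IPS = {"69.64.49.212"}    # its server address from the post

# Constructed records: "<timestamp> <client> <server> <host> <method> <uri>"
SAMPLE_LOG = """\
2015-02-19T14:02:11 10.0.0.5 93.184.216.34 news.example.com GET /index.html
2015-02-19T14:02:13 10.0.0.5 69.64.49.212 abcd.myftp.biz GET /landing/12345
2015-02-19T14:02:15 10.0.0.5 69.64.49.212 abcd.myftp.biz GET /payload/67890
2015-02-19T14:02:40 10.0.0.5 198.51.100.7 cb1.example.net POST /cgi-bin/cb.php
2015-02-19T14:03:02 10.0.0.5 203.0.113.9 cb2.example.org POST /cgi-bin/cb.php
2015-02-19T14:03:10 10.0.0.9 93.184.216.34 news.example.com GET /index.html
"""


def parse_log(text):
    """Parse the constructed log format into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, host, method, uri = line.split(None, 5)
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "server": server, "host": host.lower(),
                        "method": method, "uri": uri})
    return records


def is_ek_hit(record):
    """True if the request went to a known EK domain (or subdomain) or EK IP."""
    if record["server"] in EK_IPS:
        return True
    host = record["host"]
    return any(host == d or host.endswith("." + d) for d in EK_DOMAINS)


def triage(records):
    """Per client that hit the EK: time of first hit, number of EK requests,
    and the distinct non-EK hosts contacted after that hit (callback
    candidates, in first-seen order). Clients with no EK hit are left out."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    report = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        ek_times = [r["ts"] for r in recs if is_ek_hit(r)]
        if not ek_times:
            continue
        first = ek_times[0]
        callbacks = []
        for r in recs:
            if r["ts"] > first and not is_ek_hit(r) and r["host"] not in callbacks:
                callbacks.append(r["host"])
        report[client] = {"first_ek": first, "ek_requests": len(ek_times),
                          "callback_hosts": callbacks}
    return report


if __name__ == "__main__":
    for client, info in triage(parse_log(SAMPLE_LOG)).items():
        print(client, "hit EK at", info["first_ek"].isoformat(),
              "(%d requests); callback candidates:" % info["ek_requests"],
              ", ".join(info["callback_hosts"]) or "none")
```

Everything after the first hit is a candidate, not a confirmed callback: ordinary browsing that resumes after the infection lands in the same list, so each host still has to be confirmed from the request contents, as the author did in Wireshark. A domain like myftp.biz can also be shared by many unrelated subdomains, so the server IP is the tighter of the two indicators.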

The CryptoWall sample from this traffic was submitted to Malwr.com. If you’re registered with Malwr.com (very simple to do), you can retrieve a copy of the malware at:

https://malwr.com/analysis/MDkwOTQwMzU4MWQ1NGRhNWFlYzEyZmIyNzBkYzZlZWI/

When first seen, this CryptoWall 3.0 sample had a very low detection rate as seen on VirusTotal.

Shown above: A user’s Windows desktop after an infection by CryptoWall 3.0.

If your Windows computer is infected with CryptoWall 3.0, you’ll find items on your desktop that provide instructions to retrieve your personal files.

You’ll have a text file, an HTML file, a link to a web page with decryption instructions, and a PNG image, as shown below:

Shown above: PNG image with the decryption instructions.
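One way to sweep a host for the note set described above, the same base name dropped as a text file, an HTML file, a web link and a PNG image in one directory. This is an added example rather than anything from the original post: the check keys on the extension set, not on a file name; the web link is assumed to be a .url shortcut; the name RANSOM_NOTE in the sample tree is a placeholder, not the name the malware uses; and the tree is constructed in a temporary directory so the script runs offline.

```python
"""Sweep a directory tree for ransomware note sets.

Added example, not from the original post. A 'note set' is one base name
present as .txt, .html, .url and .png in the same directory, matching the
four items the post says CryptoWall 3.0 leaves on the desktop (the web link
is assumed to be a .url shortcut). RANSOM_NOTE is a placeholder name.
"""
import os
import tempfile
from collections import defaultdict

NOTE_EXTENSIONS = {".txt", ".html", ".url", ".png"}


def find_note_sets(root, min_matches=3):
    """Map directory -> sorted base names that appear with at least
    min_matches of NOTE_EXTENSIONS in that directory. The default of 3
    tolerates one missing file (a user may already have deleted one)."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        exts_by_stem = defaultdict(set)
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in NOTE_EXTENSIONS:
                exts_by_stem[stem.lower()].add(ext)  # Windows names are case-insensitive
        stems = sorted(s for s, exts in exts_by_stem.items() if len(exts) >= min_matches)
        if stems:
            hits[dirpath] = stems
    return hits


def build_sample_tree():
    """Construct a throwaway profile: a Desktop holding a full note set and
    a Documents folder whose report.txt/report.html pair must not be flagged."""
    root = tempfile.mkdtemp(prefix="cw3_sample_")
    desktop = os.path.join(root, "Desktop")
    documents = os.path.join(root, "Documents")
    os.makedirs(desktop)
    os.makedirs(documents)
    for ext in (".TXT", ".HTML", ".URL", ".PNG"):
        with open(os.path.join(desktop, "RANSOM_NOTE" + ext), "wb") as f:
            f.write(b"placeholder\n")
    for name in ("report.txt", "report.html", "budget.xlsx"):
        with open(os.path.join(documents, name), "wb") as f:
            f.write(b"placeholder\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, stems in find_note_sets(sample_root).items():
        print("possible ransom notes in", directory + ":", ", ".join(stems))
```

Treat a hit as a lead, not a verdict: a user's own notes.txt, notes.html and notes.png would trigger the same match, so open the files to confirm. Pointing the sweep at the whole user profile rather than only the desktop is worthwhile, since the notes are dropped wherever files were encrypted.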

In order to access instructions to decrypt your files, you’ll have to get past a CAPTCHA screen.

Shown above: CAPTCHA screen before the decrypt service.

After the CAPTCHA screen, you’ll find instructions to decrypt your files. These instructions contain the bitcoin address to send your ransom payment.

Shown above: Decrypt instructions with a bitcoin address for the ransom payment.

The bitcoin address for the ransom payment is: 15WUYqKerTtxi4rUEmnakw5gRMkr3nZCQd

You can find the transaction history for this bitcoin address through websites like blockchain.info or bitref.com. While writing this blog entry, we checked this address, and it did not have any transactions.

Shown above: Information on the CryptoWall sample’s bitcoin address.
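Before querying a block explorer for an address transcribed from a ransom-note screenshot, check its Base58Check checksum: a single mistyped character fails it, which avoids researching an address nobody uses. This is an added example, not from the original post. It decodes the address quoted above, verifies the double-SHA-256 checksum offline, and builds the blockchain.info lookup URL; the rawaddr endpoint path is an assumption about blockchain.info's public data API, and the script does not make the request itself.

```python
"""Validate a bitcoin address with Base58Check before looking it up.

Added example, not from the original post. RANSOM_ADDRESS is the address
quoted in the post; the blockchain.info 'rawaddr' endpoint path is an
assumption and is not queried here.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
RANSOM_ADDRESS = "15WUYqKerTtxi4rUEmnakw5gRMkr3nZCQd"  # from the ransom note in the post


def b58decode(text):
    """Decode a base58 string to bytes; each leading '1' is a leading zero byte."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("character %r is not in the base58 alphabet" % ch)
        value = value * 58 + digit
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def decode_address(address):
    """Return (version_byte, 20-byte hash) or raise ValueError if the checksum fails.

    Version 0 is a pay-to-pubkey-hash address (leading '1'), version 5 a
    pay-to-script-hash address (leading '3').
    """
    raw = b58decode(address)
    if len(raw) != 25:
        raise ValueError("decoded to %d bytes, expected 25" % len(raw))
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch: the address was probably mistyped")
    return payload[0], payload[1:]


def is_valid_address(address):
    try:
        decode_address(address)
        return True
    except ValueError:
        return False


def lookup_url(address):
    """URL of the address record; refuses an address that fails validation.

    The path is an assumption about blockchain.info's public data API.
    """
    decode_address(address)  # raises on a bad checksum
    return "https://blockchain.info/rawaddr/" + address


if __name__ == "__main__":
    # The second candidate has its last character changed, as a transcription error would.
    for addr in (RANSOM_ADDRESS, RANSOM_ADDRESS[:-1] + "e"):
        if is_valid_address(addr):
            version, h160 = decode_address(addr)
            print(addr, "valid, version", version, "hash160", h160.hex())
            print("  lookup:", lookup_url(addr))
        else:
            print(addr, "INVALID: do not research this address")
```

The checksum only proves the string is a well-formed address; it says nothing about who controls it or whether it has been used, which is what the explorer lookup answers.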

What should you do if your computer becomes infected with CryptoWall 3.0? On a practical level, without a backup you cannot get your data back except by paying the ransom. However, security experts disagree on whether or not to pay [4]. You have no guarantee the malware authors will provide the decryption key, and paying the ransom funds the authors’ continued criminal activity.

The best defense is regularly backing up your data to a storage device that does not reside on your computer. If you never back up your data, you might find yourself at the mercy of CryptoWall or other ransomware.

References:

[1] http://blogs.technet.com/b/mmpc/archive/2015/01/13/crowti-update-cryptowall-3-0.aspx

[2] http://blogs.cisco.com/security/talos/cryptowall-3-0

[3] http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

[4] http://www.npr.org/blogs/alltechconsidered/2014/12/08/366849122/ransomware-when-hackers-lock-your-files-to-pay-or-not-to-pay

Brad Duncan was a Security Researcher at Rackspace specializing in network traffic analysis and intrusion detection. After more than 21 years doing classified intelligence work for the US Air Force, Brad began a new career in cyber security. In 2013, Brad started a blog at www.malware-traffic-analysis.net as a way to share technical information with like-minded security professionals.

10 COMMENTS

    • mbmediadev, thanks for the info. Unfortunately, Chris Jutting and Shizuppy are right. This might get rid of the malware, but it won’t unencrypt any personal information that was caught by this ransomware.

  1. Hi, you must remove the virus first. Use Antimalwarebytes. Then you could recover the files using Previous Versions (Win Vista, 7, 8 or 8.1 only). You can use ShadowExplorer in order to find previous versions of your files.
    Any question, email me at jorgealex0.8@gmail.com
    Regards

  2. I have a client that was infected a week ago. Because he had not backed up his company QuickBooks files in 4 months he REALLY needed his data back.

    His QuickBooks files were damaged.

    In short, he had me buy bitcoins and pay the $700 ransom. I got the decrypt package.

    It does not work.

    DO NOT PAY THIS RANSOM!!!!!! This whole thing is a SHAM!!!!!!

    Even though it was not my money, I still feel just really angry and sick inside because I know what this guy is going to have to go through to recreate invoices for 4 months’ worth of work in his service business. He doesn’t even know who owes him money now.

    My advice is do not make matters worse by paying these f$%^ing criminals!!!

  3. The same issue happened last night to my client: all the files and QuickBooks are encrypted, and I tried all the options… nothing worked. Does anyone have a genuine solution for this? Antimalwarebytes and SpyHunter are useless.

  4. I understand that a lot of people won’t pay, shouldn’t pay, etc. But I wish I could find a tool to decrypt once you have paid the ransom. I’m helping a friend who didn’t blink at the 500 if there was a 50% chance. And really the hardest part was getting the bitcoin thing done in time. But the file they give you, decrypt.exe, is recognized as a virus as well. I did run it on another machine with no issues and it works fine. But I really don’t want to run this program. Is there a better option for software that will allow me to point to the key files instead of using their .exe?
