Tearing Down Cryptowall (Cryptolocker & Ransomware)

In today's blog we show a new approach to stopping ransomware such as Cryptowall: using analytics to detect the shift in user behavior caused by such malware, including destructive variants. After recognizing the attack, we stop infected data from replicating to the cloud.

A screencast demo of a new approach to stop Cryptowall infections from infecting cloud services and limit potential damages to your organization

 

Background

One of the most dangerous (and flat-out annoying) trends in malware affecting both small and large businesses over the past years has been ransomware such as Cryptowall, currently the most widespread and dangerous variant, and its predecessor Cryptolocker, which was taken down along with the Zeus GameOver botnet in June 2014.

Why have Cryptowall and other variants been so successful? They take advantage of the fact that inside organizations' perimeters, people need to share and collaborate on files. Organizations that use cloud services such as Office 365, Google for Work, Box and Dropbox aren't exempt from this either: personal folders and network drives attached to affected endpoints can be encrypted by Cryptowall or other ransomware.

 

A different approach

In the screencast above, we demonstrated a different (and very effective) approach to stopping ransomware such as Cryptowall from infecting data in the cloud, one that we use in our own next-generation DLP analytics.

  • Detect multiple file edits happening on a user's account in real time by interfacing with cloud services such as Google for Work, Box, Office 365 and Dropbox
    • We are detecting documents encrypted by Cryptowall being synced with the cloud
  • Examine the entropy and file headers of recently edited files
    • A generalized way of detecting whether they have been encrypted, not specific to a particular malware variant
  • Determine which application is encrypting the client's files
    • In the case below, Google Drive syncing to the cloud
  • Immediately revoke credentials to the Google Drive application, and notify the user and security team
    • Disaster averted =)
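
The entropy-and-header check from the steps above, as an added example (not code from the original post or from the product it describes). The threshold values, the function names and the constructed sample files are assumptions for illustration, and the revoke step is reduced to a yes/no decision rather than a call to any cloud API.

```python
import hashlib, math, os
from collections import Counter

# Magic bytes for a few common document types (extend for your own file mix).
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}  # OOXML is a ZIP container
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff, tune on your own data
ALERT_AFTER = 3          # assumed number of flagged edits before revoking

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """True when content is near-random and the header does not fit the extension."""
    magic = MAGIC.get(os.path.splitext(name.lower())[1])
    header_ok = magic is not None and data.startswith(magic)
    # Compressed formats (docx, jpg, png) are legitimately high entropy, so an
    # intact header clears them; types with no known magic rely on entropy alone.
    return shannon_entropy(data) > ENTROPY_THRESHOLD and not header_ok

def should_revoke(edits) -> bool:
    """edits: (filename, content) pairs for one user's recently synced files."""
    return sum(looks_encrypted(n, d) for n, d in edits) >= ALERT_AFTER

def pseudo_random_bytes(size: int = 4096) -> bytes:
    """Constructed stand-in for ciphertext: a deterministic SHA-256 stream."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(size // 32 + 1))
    return out[:size]

if __name__ == "__main__":
    blob = pseudo_random_bytes()
    edits = [  # constructed samples, not taken from a real infection
        ("budget.xlsx", b"PK\x03\x04" + blob),  # healthy: compressed, header intact
        ("notes.txt", b"meeting at ten\n" * 200),  # healthy: low-entropy text
        ("report.docx", blob), ("scan.pdf", blob), ("photo.jpg", blob),
    ]
    for name, data in edits:
        print(f"{name:12} entropy={shannon_entropy(data):.2f} "
              f"flagged={looks_encrypted(name, data)}")
    print("revoke sync credentials:", should_revoke(edits))
```

Entropy alone would flag every healthy .docx, .jpg or .zip, which is why the header comparison is part of the check.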

Why is this so cool?

  1. We're looking at changes to data rather than at malware, so it will be very hard for future versions of Cryptowall, or anything else encrypting files for ransom, to be successful
  2. This approach extends to other attacks such as data destruction
  3. In our testing we can detect and block Cryptowall before 15 or more user files have been encrypted and synced (typically less than 1% of overall files)
  4. No endpoint agent required! 
 

Background

Cryptowall and other variants are designed to infect all versions of Windows, and are distributed through typical (but proven effective) channels such as spam and email attachments, browser exploit kits, and fake updates for applications such as Adobe Reader, Java or Flash. More recently, we have seen downloader software such as Upatre downloading Cryptowall over SSL after initial infection through legitimate cloud hosting providers such as Dropbox, making it increasingly difficult for IPS and web security gateways to stop delivery.

For this blog, we'll examine a Cryptowall 3.0 sample from Feb 2015 and the effects that it has on files and shared drives, and how we can detect and stop it from being able to infect files in the cloud.

 

The infection

After being executed, Cryptowall silently reaches out to a command and control server and downloads an RSA 2048-bit public key which it then uses to begin encrypting all of the files on local and shared drives that it has access to.

Cryptowall 3.0 infected box reaching out to its command and control servers to download the 2048-bit RSA key


The latest version of Cryptowall (3.0) contains new features, such as multiple exploits included in the dropper and an anti-virtual-machine check, which interestingly enough did not detect VMware Fusion running Windows 10 preview.


POST BY ALEX WATSON, FOUNDER, CEO 405LABS

Former Senior Director of Security Research at Websense. CTO at BTS. Co-Founder of APX Labs. Over 10 years experience in the US Intelligence Community.