Slashdot Mirror


Inside Cryptowall 2.0 Ransomware

msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption that run before the ransomware activates, and its ability to detect 32- and 64-bit architectures and execute a different version for each.

7 of 181 comments

  1. Cryptowall is very sophisticated by roccomaglio · · Score: 4, Informative

    Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup it can find those and encrypt those too. The best protection against this is a USB backup in a drawer. Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

    1. Re:Cryptowall is very sophisticated by cdrudge · · Score: 4, Informative

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

      That article makes no mention of a compromised flash ad. It actually doesn't mention any type of compromise or flash. Yahoo ads served up an ad that took people to a server that could lead to a compromise. Just visiting a page that had that Yahoo ad didn't compromise your machine.

    2. Re:Cryptowall is very sophisticated by jiriw · · Score: 5, Informative

      First, the machine pulling backups has a completely different interaction with the 'world' than your average system-to-be-backed-up. I assume you're not reading e-mail or PDFs, or surfing the web, on the system you use for data backup. Also, it should not execute any of the data it's backing up, so the actual backup process should not be an attack vector for malicious software.

      If you still want more security you could give the machine pulling backups a different hardware and/or software platform than the machines it pulls the backups from. For example, you could have Windows desktops and shared SMB partitions that contain the stuff to be backed up, and a Linux NAS with a Samba client doing the backups from a cron job. Make sure that, if the NAS does have a Samba server as well (for network shares), your backups are not available through it, because, as we know of Cryptowall, it will also encrypt network data the infected system has write access to.
      There is virtually no malicious software that can infect multiple distinctly different hardware/software platforms in the same attack. Although in this particular instance (Cryptowall 2) it does make use of two processor architectures, x86 and AMD64, to do its things...

    3. Re:Cryptowall is very sophisticated by drooling-dog · · Score: 4, Informative

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad

      That's why my hosts file includes these entries (among many others):

      127.0.0.1 count.3721.yahoo.com
      127.0.0.1 yahooads.valuead.com
      127.0.0.1 yahoo.nuggad.net
      127.0.0.1 agyahooag.112.2o7.net
      127.0.0.1 yahoo.ivwbox.de
      127.0.0.1 adserver.yahoo.com
      127.0.0.1 ae.adserver.yahoo.com
      127.0.0.1 au.adserver.yahoo.com
      127.0.0.1 cn2.adserver.yahoo.com
      127.0.0.1 hk.adserver.yahoo.com
      127.0.0.1 in.adserver.yahoo.com
      127.0.0.1 us.adserver.yahoo.com
      127.0.0.1 pn1.adserver.yahoo.com
      127.0.0.1 pn2.adserver.yahoo.com
      127.0.0.1 tw2.adserver.yahoo.com
      127.0.0.1 a.analytics.yahoo.com
      127.0.0.1 y.analytics.yahoo.com
      127.0.0.1 srv1.wa.marketingsolutions.yahoo.com
      127.0.0.1 srv2.wa.marketingsolutions.yahoo.com
      127.0.0.1 srv3.wa.marketingsolutions.yahoo.com
      127.0.0.1 advision.webevents.yahoo.com
      127.0.0.1 ts.richmedia.yahoo.com
      127.0.0.1 adjax.flickr.yahoo.com
      127.0.0.1 nz.adserver.yahoo.com
      127.0.0.1 sg.adserver.yahoo.com
      127.0.0.1 br.adserver.yahoo.com
      127.0.0.1 cmk.tw.yahoo.overture.com
      127.0.0.1 cn.adserver.yahoo.com
      127.0.0.1 tw.adserver.yahoo.com
      127.0.0.1 be.adserver.yahoo.com
      127.0.0.1 dk.adserver.yahoo.com
      127.0.0.1 eu-pn4.adserver.yahoo.com
      127.0.0.1 fr.adserver.yahoo.com
      127.0.0.1 nl.adserver.yahoo.com
      127.0.0.1 se.adserver.yahoo.com
      127.0.0.1 uk.adserver.yahoo.com
      127.0.0.1 de.adserver.yahoo.com
      127.0.0.1 es.adserver.yahoo.com
      127.0.0.1 gr.adserver.yahoo.com
      127.0.0.1 it.adserver.yahoo.com
      127.0.0.1 no.adserver.yahoo.com
      127.0.0.1 s.analytics.yahoo.com
      127.0.0.1 visit.webhosting.yahoo.com #[WebBug]
      127.0.0.1 geo.yahoo.com
      127.0.0.1 cm.tw.overture.com #[cm.tw.g.ysm.yahoo.com]
      127.0.0.1 cm.west.yahoo.overture.com
      127.0.0.1 cmh.tw.yahoo.overture.com
      127.0.0.1 cmx.tw.yahoo.overture.com
      127.0.0.1 ad.antventure.com #[any-world.ngd.ysm.yahoodns.net]
      127.0.0.1 ar.adserver.yahoo.com
      127.0.0.1 ca.adserver.yahoo.com
      127.0.0.1 cookex.amp.yahoo.com
      127.0.0.1 launch.adserver.yahoo.com
      127.0.0.1 mx.adserver.yahoo.com
      127.0.0.1 o.analytics.yahoo.com
      127.0.0.1 z.analytics.yahoo.com

    4. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 2, Informative

      I wouldn't be surprised to see this actually be a niche market, similar to NAS appliances.

      There is quite a lively backup appliance market. For example these can do pretty much everything you described.

      [1]: Yes, this kills deduplication... but there are some machines which need to be secured in case the backup appliance gets hacked.

      You are also completely right here, there is a constant battle between security and deduplication.

      Full Disclosure: Posting AC because I am a developer at Unitrends.

  2. Re:One more reason to get away from Windows by Opportunist · · Score: 5, Informative

    Crypto$shit isn't something that can only run on Windows. The main reason why Windows is being attacked is the same reason most software is made for it: its market share. If Linux had a market share of 90% (or however ludicrously high the share of that system still is), Linux would be the target. For exactly the same reason: it's where the money is. Why bother trying to infect 5% of the computers when you can go and try to infect 90% of them?

    Next, they abuse a flaw in a third-party product, something MS cannot even mitigate if they wanted to. If you want to be mad at someone, be mad at Adobe; they're the ones who produced that abominable turdfest called Flash. You think Flash is any more secure on Linux than it is on Windows? Think again. Why would Adobe put more brainpower behind the security of their A-league product on a minor platform than they do for the main platform?

    Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.

    And yes, I'm aware of the various "hardening" strategies that you can employ to make such an attack harder on Linux. ALL of them work as well on Windows. Ok, maybe not in every version of Windows because MS in their never ending wisdom thought security is for Enterprises only, hence the key security features are not available in their Home editions... but even for the "Homes" there is a way to do it. Very inconvenient and quite tricky to pull off, just like most would be in a Linux environment. Yes, it's possible. No, it ain't something Joe Randomsurfer would or even could do.

    So no. This time the "Windows sux" club does not strike. I wish for the best and I hope for less market share for that Moloch too, but this time they are not the ones to blame. If anyone is, try Adobe and them STILL NOT getting a grip on Flash security.

    It ain't like this is the first time that turd has been the attack vector, ya know...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. single purpose device, key by raymorris · · Score: 4, Informative

    We use two strategies. First, the backup device is ONLY a backup device. It doesn't have a web browser and it's not used for email. We use very large servers to back up our customer data, but on a small scale you could use a Raspberry Pi, an old router with OpenWRT, or a smart NAS. Because the device handling backups has no desktop or services, it shouldn't get infected. Access is strictly limited: either console only or strong ssh keys, perhaps through a VPN first. The backup device can be so restricted because it doesn't need to be usable for anything but pulling backups.

    Its access to the machines it backs up can also be extremely limited. The ssh key of the backup device is only allowed to run rsync with pull arguments. So even if the backup device were compromised, it can do no harm.
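One way to enforce the "pull only" rule that both backup comments above (jiriw's NAS pulling from the desktops, raymorris's ssh key that may only run rsync with pull arguments) describe, as an added example that is not from the thread or from any poster: a forced-command wrapper that sshd runs instead of whatever the client asked for, and that only ever execs rsync in sender mode from one directory tree. The wrapper path, the account, the key comment and ALLOWED_ROOT are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper that lets one
# SSH key run rsync in *sender* mode only, so the backup device can pull
# files from this host but never write to it.
#
# On each host being backed up, install this as /usr/local/bin/rsync-pull-only
# (assumed path) and reference it from the backup account's authorized_keys:
#
#   command="/usr/local/bin/rsync-pull-only",restrict ssh-ed25519 AAAA... backup@nas
#
# ("restrict" disables pty, port/agent/X11 forwarding; older sshd needs
#  no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding instead.)

ALLOWED_ROOT="/srv/data"   # assumed: the only tree the backup device may read

# check_rsync_cmd CMD -> 0 if CMD is an acceptable "rsync --server --sender"
# invocation whose source path lies under ALLOWED_ROOT, 1 otherwise.
check_rsync_cmd() {
    cmd=$1

    # 1. Must be rsync in server+sender mode (this host sends, client pulls).
    #    "rsync --server" without --sender would make this host the receiver,
    #    i.e. a writable target for a compromised backup box.
    case "$cmd" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac

    # 2. Whitelist the character set so shell metacharacters, globs, quotes
    #    and spaces-in-paths can never reach exec. Argument-separating spaces
    #    are stripped before the check.
    nospace=$(printf '%s' "$cmd" | tr -d ' ')
    case "$nospace" in
        *[!A-Za-z0-9._/=,:@%+-]*) return 1 ;;
    esac

    # 3. Reject the one sender-side option that destroys data on this host.
    case "$cmd" in
        *"--remove-source-files"*) return 1 ;;
    esac

    # 4. The last word is the source path; rsync sends it as " . <path>".
    path=${cmd##* }
    case "$cmd" in
        *" . $path") ;;
        *) return 1 ;;
    esac
    case "$path" in
        *..*) return 1 ;;                                  # no traversal
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT/"*) return 0 ;;     # inside the tree
        *) return 1 ;;
    esac
}

# Entry point when sshd runs us: SSH_ORIGINAL_COMMAND is what the client asked for.
dispatch() {
    if ! check_rsync_cmd "$1"; then
        printf 'rsync-pull-only: rejected command: %s\n' "$1" >&2
        exit 1
    fi
    # Safe to word-split: the charset check above excludes globs and quotes.
    set -- $1
    shift                    # drop the leading "rsync" word
    exec rsync "$@"          # exec directly, never through a shell
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dispatch "$SSH_ORIGINAL_COMMAND"
fi
```

From the backup device the pull is then a plain `rsync -a host:/srv/data/ /backups/host/`; a request that would make the host a receiver, names a path outside the tree, or smuggles in metacharacters is refused before rsync ever runs, which is what keeps a compromised backup box from doing harm to the machines it reads from. rsync's own source tree ships `rrsync` (support/rrsync) with a `-ro` option that does the same job with fuller option parsing; prefer it if you would rather not maintain the whitelist yourself.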