Inside Cryptowall 2.0 Ransomware

msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption present before the ransomware activates, and its ability to detect 32- and 64-bit architectures and executing different versions for each.

Re:Cyptowall is very sophisticated

[jiriw]

First, the machine pulling backups has completely different interaction with the 'world' than your average system-to-be-backed-up. I assume you're not reading e-mail, PDFs or surf the web on the system you use for data backup. Also, it should not execute any of the data it's backing up so the actual backup process should not be an attack vector for malicious software.

If you still want more security you could choose for the machine pulling backups to actually have a different hard and/or software platform than the machines it pulls the backups from. For example, you could have windows desktops and shared SMB partitions that contain the stuff to be backed up and a Linux NAS with Samba client doing the backups using a cronjob. Make sure that, if the NAS does have Samba server as well (for network shares) your backups are not available through them because, as we know of Cryptowall, it will also encrypt network data the infected system have write access to.
There is virtually no malicious software that can infect multiple distinctly different hard / software platforms in the same attack. Although in this particular instance (Cryptowall 2) it does make use of two processor architectures, x86 and AMD64 to do its things...

Re:One more reason to get away from Windows

[Opportunist]

Crypto$shit isn't something that can only run on Windows. The main reason why Windows is being attacked is the same why the most software is made for it: Its market share. If Linux had a market share of 90% (or however ludicrously high the share of that system still is), Linux would be the target. For exactly the same reason: It's where the money is. Why bother trying to infect 5% of the computers when you can go and try to infect 90% thereof?

Next, they abuse the flaw in a third party product, something MS cannot even mitigate if they wanted. If you want to be mad at someone, be mad at Adobe, they're the one that produced that abominable turdfest called Flash. You think Flash is any more secure on Linux than it is on Windows? Think again. Why would Adobe put more brainpower behind the security of their A-league product on a minor platform than they do for the main platform?

Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.

And yes, I'm aware of the various "hardening" strategies that you can employ to make such an attack harder on Linux. ALL of them work as well on Windows. Ok, maybe not in every version of Windows because MS in their never ending wisdom thought security is for Enterprises only, hence the key security features are not available in their Home editions... but even for the "Homes" there is a way to do it. Very inconvenient and quite tricky to pull off, just like most would be in a Linux environment. Yes, it's possible. No, it ain't something Joe Randomsurfer would or even could do.

So no. This time the "Windows sux" club does not strike. I wish for the best and I hope for less market share for that Moloch too, but this time they are not the ones to blame. If anyone is, try Adobe and them STILL NOT getting a grip on Flash security.

It ain't like this is the first time that turd has been the attack vector, ya know...