Inside Cryptowall 2.0 Ransomware
msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, the many stages of decryption built in before the ransomware activates, and its ability to detect 32- and 64-bit architectures and execute a different version for each.
The best protection is to pull your backups, not push them. You have whatever is performing your backups connect into the machine and then pull the backups, rather than having the machine being backed up connect to the destination and push. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used). When you use a USB drive, you'll be safe until someone plugs it into that machine, not knowing that as soon as they do, it will begin encrypting what's accessible on that USB drive. I always try to back up from outside of the context of what is being backed up. If it's a VM, I back up from the host, not from inside of the VM I need the data from. If it's a storage endpoint, I don't back up the files, I snapshot the volumes.
It isn't always possible to do it that way, but doing it that way has saved my backside more than a few times.
How is this crap spread?
Can I laugh at the people who have Flash enabled and let arbitrary sites run JavaScript? Or does this spread through some other vectors I don't know about?
I suspect the problem is the idiots who write websites, who demand your browser run in the most insecure possible configuration so you can see their ads and other shit they've hidden behind code which needs to run on your browser.
And I've always said I'm not willing to run my browser wide open just to make web sites work, because these things have been security holes for years.
Browsers need to be a whole lot less trusting, and not default to just running any old thing which comes along. And certainly stop trusting scripts from third parties and running whatever crap pile of Flash comes along.
Unfortunately, users are used to seeing pages which give you detailed directions for re-enabling JavaScript and cookies.
So to all you web developers out there who have ever written that page ... fuck you, you slimy bastard. It's partly your fault the internet is a shit hole.
Lost at C:>. Found at C.
This works until you realize the ransomware could go into your Crashplan settings and turn off versioning and keeping deleted files.
Technically, Microsoft created one, then canned it, as usual.
Windows Home Server contained an EXCELLENT network backup utility - it did image-based backups (but could do file-based restores easily), deduplication, was not accessible via SMB shares, was fast, cheap, and a whole lot more. The only downside was that it was Windows-only - it could only do NTFS disks because it relied on Volume Shadow Services and on disk-tracking (it finds out what actually changed on disk between runs so it only needs to back up the changed content).
It was a great backup, restore and upgrade tool - the recovery program was a bootable CD, and the drivers it needs were stored with the backup, so all you needed was a USB thumbdrive: copy a specific folder off the machine's backup and use it with the boot CD so the boot CD could access hard drives and the network.
And it was automated - every night every machine would get backed up.
But as is typical for Microsoft, they canned WHS and let the backup program in it die because well, it was too useful.
In theory, it could stop the Crashplan service, manually edit your backup set settings to have no versioning, and no deleted file keeping, restart the Crashplan service, and let it run through and prune all the files it thinks it should be pruning, then encrypt your files, let it back them up, and Crashplan dutifully prunes the old versions like the hijacked config file says to.
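The two points raised in this thread, pulling backups from outside the protected machine and keeping a version history that the machine itself cannot prune, are shown together below in an added example that is not part of the discussion or of any product mentioned in it. It simulates a pull-side snapshot store: each pull hard-links files unchanged since the last snapshot, never rewrites or deletes earlier snapshots, and flags a pull in which nearly the whole tree changed, which is what a mass-encryption run looks like from the backup host. The `demo()` scenario, the file names and the 0.8 churn threshold are constructed for illustration.

```python
import filecmp
import os
import shutil
import tempfile

CHURN_ALERT = 0.8  # fraction of files rewritten between pulls that warrants a look

def pull_snapshot(source, backup_root, label):
    """Pull `source` into backup_root/<label>, driven from the backup host.
    Unchanged files are hard-linked to the previous snapshot; earlier
    snapshots are never modified, so the source host cannot shorten history."""
    snaps = sorted(os.listdir(backup_root)) if os.path.isdir(backup_root) else []
    prev = os.path.join(backup_root, snaps[-1]) if snaps else None
    dest = os.path.join(backup_root, label)
    changed = total = 0
    for dirpath, _, files in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for name in files:
            src, out = os.path.join(dirpath, name), os.path.join(dest, rel, name)
            old = os.path.join(prev, rel, name) if prev else None
            total += 1
            if old and os.path.isfile(old) and filecmp.cmp(src, old, shallow=False):
                os.link(old, out)          # identical to last pull: share the copy
            else:
                shutil.copy2(src, out)     # new or changed: store a fresh copy
                changed += 1
    churn = changed / total if total else 0.0
    # a whole tree rewritten between two pulls is the signature of mass encryption
    return {"snapshot": dest, "changed": changed, "total": total,
            "suspicious": prev is not None and churn >= CHURN_ALERT}

def demo():
    """Constructed scenario: two clean pulls, a simulated mass overwrite, a third pull."""
    work = tempfile.mkdtemp()
    source, backups = os.path.join(work, "source"), os.path.join(work, "backups")
    os.makedirs(os.path.join(source, "docs"))
    for i in range(5):
        with open(os.path.join(source, "docs", f"report{i}.txt"), "w") as f:
            f.write(f"quarterly report {i}\n")
    first = pull_snapshot(source, backups, "2015-01-01")
    second = pull_snapshot(source, backups, "2015-01-02")   # nothing changed
    for name in os.listdir(os.path.join(source, "docs")):   # simulated encryption
        with open(os.path.join(source, "docs", name), "w") as f:
            f.write("ENCRYPTED-PLACEHOLDER\n")
    third = pull_snapshot(source, backups, "2015-01-03")
    with open(os.path.join(first["snapshot"], "docs", "report0.txt")) as f:
        restored = f.read()   # the pre-incident snapshot is untouched
    shutil.rmtree(work)
    return first, second, third, restored
```

In a real deployment the backup host would read the source over a share or a read-only SSH/rsync account, and the snapshot directory would live on storage the source host has no credentials for.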