Inside Cryptowall 2.0 Ransomware

msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption present before the ransomware activates, and its ability to detect 32- and 64-bit architectures and executing different versions for each.

Cyptowall is very sophisticated

The best protection is to pull your backups not push. You have whatever is performing you backups connect into the machine, and then pull the backups, not having your machine being backed up connecting to the destination and pushing. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used.) When you use a usb drive, you'll be safe, until someone plugs it into that machine not knowing that as soon as they do, it will begin encrypting what's accessible on that usb drive. I aways try to backup from outside of the context of what is being backed up. If it's a VM, I backup from the host, not from inside of the VM I need the data from. If it's a storage end point, I don't back up the files, I snapshot the volumes.

It isn't always possible to do it that way, but doing it that way has saved my backside more than a few times.