Towerwall Security/Malware Alert Vol 13.72

Back to Top
leadership team 2024

By Michelle Drolet

Founder & CEO

Michelle is a prominent leader in data security preparedness, renowned for her extensive expertise i

Read More

3 Minute 56 Second Read

July 22, 2014

When an international law enforcement action earlier this month knocked out theGameover botnet, one happy consequence was the takedown of the servers that the CryptoLocker ransomware needed in order to do its dirty work.
Well, any celebration over CryptoLocker’s demise is certainly premature – encrypting ransomware is alive and well.
With many victims paying up, ransomware is a lucrative business for the crooks, and CryptoLocker has inspired copycats who want in on the loot.

Cryptowall and Cryptodefense

New variants of file-encrypting ransomware called Cryptowall and Cryptodefense have been popping up since at least April 2014.
SophosLabs threat researcher Anand Ajjan says Cryptowall has the same code as Cryptodefense, and only differs in the name.
If you see a message like the one below, you’re in trouble – many, if not most, of the data files on your hard drive or any connected drives will be scrambled, and it’s simply not practicable to crack the encryption used by the crooks.
(You don’t have to pay, of course. Despite losing data, police in the New Hampshire town of Durham showed a bit of public resistance to the crooks, announcing that they were “definitely not paying any ransom.”)
The message gives instructions on how to use the Tor anonymizing proxy to access a website where you can pay to unlock your files:

If you do go to the payment website, you come to a screen that shows a clock counting down the time you have left to pay the ransom.
Leave it too long and the price to decrypt your files doubles:
In broken but intelligible English, the website tells you:
We are present a special software – CryptoWall Decrypter – which is allow to decypt and return control to all your encrypted files.
This website (blocked by Towerwall) includes links to payment options, and offers you the chance to “Decrypt 1 file for FREE”:
Unlike the crooks SophosLabs found who are trying to copy CryptoLocker but without actually encrypting your files, Cryptowall’s encryption can’t be reversed without the key.
That means if your files get locked, you either have to pay up, or “do a Durham,” and kiss your files goodbye.
According to SophosLabs, a common way of spreading Cryptowall infections is through exploit kits called RIG (also known as “Goon”) and Angler.
Exploit kits are web pages containing pre-packaged exploits that can be used to deliver malware of your choice to unsuspecting victims.
Often, one group of cybercrooks will simply “rent” exploit kit services from other cybercrooks on a pay-per-install basis.
So, whereas some ransomware attacks use social engineering in spam to trick you into downloading the malware, Cryptowall can get onto your computer just by visiting a website that is rigged up with an exploit kit.
Sophos Anti-Virus (in endpoint and gateway products) detects and blocks the various components of this threat with the following names:
  • HPmal/Ransom-I: the Cryptowall/Cryptodefense malware itself.
  • Troj/ExpJS-KX: web pages containing the RIG exploit kit.
  • Mal/Generic-S and Mal/ExpJava-AF: other exploit kit pages associated with this threat.

What’s next for ransomware?

Cybercrooks are trying out new variations on the ransomware theme, including moving from Windows to mobile devices.
File-encrypting Android malware called Simplelocker encrypts files and demands a ransom, while police locker malware called Koler threatens victims with arrest if they don’t pay up.

The trend has spread to Apple devices too.
Some hackers calling themselves Oleg Plissused stolen Apple IDs to lock iPhones, iPads and Macs using the Find My iDevice feature, with a lock screen message demanding payment to restore access to your device.
Russian police arrested a pair of hackers from Moscow who pulled this trick on Russian victims, but it’s worth assuming that others may try this scam again in the future.
There’s a loophole in this iDevice ransom attack to get around paying (if you lock your device with a passcode, you can just enter it to unlock it) – but it might not be too long before the crooks figure out other methods.

How to stay safe from ransomware

In the cat-and-mouse game between hacker gangs and law enforcement agencies, the crooks are often tricky to bring to justice.
As part of the recent CryptoLocker takedown, for example, US law enforcement formally charged a Russian man called Evgeniy Mikhailovich Bogachev with fraud and racketeering offences, but so far he remains at large.

The FBI notes rather wryly in its Cyber’s Most Wanted pages “Bogachev was last known to reside in Anapa, Russia. He is known to enjoy boating and may travel to locations along the Black Sea in his boat. He also owns property in Krasnodar, Russia.”
Nevertheless, the security industry is doing its part, and you can too.

Related Insights

View All Insights