Part 2 - The nuts and bolts of Cryptowall and Chimera ransomware.

Posted by Geraldine Hunt on Wed, Jan 27th, 2016

In Part 1, we looked at some new wrinkles in the ransomware game and then examined the specifics of Ransom32, CryptoLocker, CTB Locker, and TeslaCrypt. In Part 2, we move on to Cryptowall, the most successful ransomware to date, and Chimera, a relative newcomer.

CryptoWall

Let’s first look at CryptoWall Version 3 which was thoroughly studied by the Cyber Threat Alliance, and then discuss the changes since then.  Here are some highlights:

It first surfaced in January 2015, and infects all versions of Windows. North America and Australia experienced the brunt of the attacks.

• One attack group extorted an estimated $325 million in the US alone in 2015.
• A CryptoWall 3.0 attack begins with an exploit kit attack, usually Angler, or phishing emails with .scr or .exe attachments. Angler supports vulnerabilities in HTML, JavaScript, Flash, Silverlight, Java and more. The kit is updated regularly to include new zero-day exploits. Other kits used are Sundown, Magnitude, and Fiesta.
• CryptoWall 3.0 injects its encrypted payload directly into the memory of the victim’s machine. The payload can include banking Trojans, rootkits, and backdoor Trojans as well as ransomware.
• It detects virtual machines and disables security products.
• Backup shadow copies of files are removed on the victim machine and Startup Repair is disabled.
• CryptoWall communicates with its command and control (C2) server. It often uses a compromised WordPress website to proxy requests to a secondary IP address.
• Encryption begins. File attributes and time stamp information is modified for each file that is encrypted.
• The malware removes its own registry keys and uninstalls itself.
• The TOR URL and unique victim URI are used to generate a contact URL.
• The victim sees a website ransom page with instructions, the contact URL, and the BitCoin ransom amount.

CryptoWall Version 4.0 popped up in October 2015. Infection statistics show that Europe, South America, Africa and southern Asia have been hard hit. Both the Nuclear and Angler exploit kits now include CryptoWall, making the attacks easy to launch. In Version 4, the malware alters filenames in addition to file contents. Attacks are even harder to detect, evading many of the newest firewalls. Instead of demanding a ransom, the cybercriminals are trying new angles:

The victims are asked to pay for “security software”. As the victim’s files are being encrypted, the victim receives a notice that antivirus programs are “protecting” their data.
Attackers may threaten to publish user data online if a ransom is not paid.
An especially vicious variant of CryptoWall encrypts files randomly over many weeks. This makes recovery from backups difficult.

Most security experts expect to see acceleration in CryptoWall 4.0 attacks this year. So far, Malwarebytes has reported a new version targeting outdated versions of Flash Player. It is delivered via malicious pop-under ads via the Magnitude exploit kit.

Chimera

Chimera appeared in September 2015, and the German anti-botnet advisory centre Botfrei reported a new strain in November. This variant threatens to publish the victim’s data on the Internet unless a £450 ransom is paid. Spear phishing regarding job applications or offers refers the victim to information on Dropbox, and clicking on the Dropbox link begins the infection. Like CTB Locker, Chimera offers its victims an opportunity to become an “affiliate”, with a 50 percent commission for selling the ransomware as a service. The security community foresees more Chimera infections in future, especially in English-speaking countries.

Protection from ransomware

Some steps to specifically protect yourself from malware are:

• Backup data often. Minimally follow the 3-2-1 rule, maintaining at least three copies in two different formats with one copy stored off-site.
• Some ransomware infects only local drives and mapped network drives, including Dropbox. Company IT services should secure shares by only allowing writable access to the necessary user groups or authenticated users. For Dropbox and Google and iCloud drives, choose to pause synching whenever possible.
• IT services should block TOR since the TOR network and TOR proxy servers are routinely used by most ransomware.
• Make sure to scrub the malware from all devices on your network before recovering from backup.
• Be wary of emails, even if they refer to mutual friends or familiar services; you may be a victim of spear phishing. Do not click on links in emails before verifying that the website is OK, and do not download email attachments without verifying the source.
• Keep software up-to-date. This will not protect against zero-day exploits, but it will patch the more recent vulnerabilities in your software.
• Use multiple antivirus products to increase your chances of nipping an infection in the bud.
• Install advanced email spam filtering.

If you haven't already read Part 1 of this low down on ransomware, you can find it  here.