Skip Navigation
BlackBerry ThreatVector Blog

Tearing Down CryptoWall

/ 11.04.14 / Brian Wallace

There are not many things that can ruin a day as much as an attacker holding your files for ransom.  There are feelings of violation, as they have clearly tampered with your private data, a pit in your stomach when you see how much it will cost to get your files back, and overwhelming guilt as you weigh the pros and cons of actually paying these low-life criminals.  Many have been feeling these emotions lately as CryptoWall has been on the rise, most recently with the campaign infecting users via malvertising on sites such as Yahoo and AOL.

 

CryptoWall, the successor to CryptoDefense, is a particularly effective piece of ransomware which encrypts a user's files then demands a Bitcoin ransom be paid in order to decrypt the files.  The current campaign of CryptoWall infections is using malvertising as an infection vector, but in the past, various forms of email spam have been used.  Let's walk through an attack we saw back in early June.

The Attack

Early one Monday morning in June, a few of us here at Cylance received an email. :

Phishing email contents

This email explained an erroneous transfer from a bank for just over $6,000.  Attached to the email was a zip, presumably with more details about the transfer, but actually containing a SCR file (screensaver).  I read this email just after waking up, with crust still on my eyes, and knew it was going to be an interesting day.

By the time I got into the office, there was already an email thread about how quite a few people got this email.  It was noticed that none of the engines on public and private malware feeds were detecting it, and that we were not the first to see this spam campaign.  Even just the method by which we received the sample indicates it's malware, so if it's malware, shouldn't AV detect it?

It takes just under six hours for major AV engines to start catching onto this threat after the first submission to the public and private malware feeds.  Granted, this is expected as the sample is not something they have seen before and does not match any of their signatures.  It will take time for researchers to pick apart this file, determine it is malware, then to create a signature that will catch it without falsely detecting non-malicious files.  Not to mention, an update for this would also need to be pushed for non-cloud based solutions.  This is quite a bit to ask of a research team to pull off before an infection can spread.

The Difference

While I was dreaming away, imagining myself battling through the world of Hyrule, Infinity already knew this file was a threat.  Actually, the Infinity Local model generated on April 30th determined this file was malware, as well as similar files.

CylanceV detecting samples

Analysis

The sample we received in the email was d00b92837467c301f5359943d955dc7a4d59f0136b4e90715d5d97ee0a9617d3 as an SCR file.  Screensaver files execute as executables, but are often used when attempting to trick users into running malware.  This sample in particular is a downloader setup to download a copy of CryptoWall, a family of ransomware.

When executed, it would run Upatre, a dropper, which downloads encrypted files from remote HTTP servers.  This can make it difficult to detect the network traffic.

CryptoWall

CryptoWall is a second generation ransomware (CryptoDefense is its predecessor) which utilizes Tor and RSA 2048.  Let's run through an infection real quick.

When we look at the sample we can see it is using either the VirtualBox icon, or one similar to it.

CryptoWall sample using VirtualBox icon

After double clicking on it, it runs quietly for a moment.  After that moment, it will start to use 100% of the processor, and turn off the Windows Security Center.

CryptoWall disabling Windows Security Center

Shortly after this, it will delete itself from its original location and we will see an increase in HTTP traffic as it calls home.  Before the self deletion, it will inject itself into another running process.  This is considered a malicious behavior in CylancePROTECT's MemDef, so even if the file itself was not detected as a threat, this behavior will be blocked, stopping the encryption of files.

CylancePROTECT MemDef here to save the day!

At this point, the user's files are being encrypted if they are not running CylancePROTECT.  Once it has finished that, it will pop up 3 windows to the user.  Two of them are informing the user that their files have been encrypted, going into detail about how the files can be recovered.  It is done in two windows as one is a text file and the other is the HTML representation of the same information.

CryptoWall informing the user of its maldeeds

The third window that pops up is a web browser window open to a Tor hidden service hosting the decryption/extortion service.  It requires you submit a CAPTCHA before proceeding to recover your files.

CryptoWall hindering researchers with CAPTCHA

Instructions to purchase your decryptor (its not worth it)

The attackers are requesting $500 worth of Bitcoins in order to recover our fictional victim's 22 files.  Now, unless you are willing to pay $500 for any number of your files, I highly suggest you start using a means to back up your files.  Most cloud storage services, such as Google Drive, allow for recovery of previous versions of files.  This means that even if attackers delete/encrypt your files, you can recover them.  Do not let yourself fall victim to an extortion scheme that can be thwarted with minimal effort.

Bitcoin

We can gather quite a lot of information from a Bitcoin (BTC) address.  Essentially, BTC has created this large scale, peer driven economy, which requires public confirmation of transactions.  While it does have some inherent anonymity, it also makes quite a bit more information public.  For instance, if we wanted to get an idea of how many people have decided to bite the bullet and pay off this extortionist, we would only need to watch the BTC network for transfers to this address of around 0.79 BTC and 1.59 BTC (for the $1000 upswing).

Multiple individuals being extorted into paying out

Four infected users paying for access to their encrypted files

There are some fundamental differences between traditional currency and BTC which can make things a bit difficult to track where BTC are going.  The first being that BTC are not single entities, but instead transactions are done in fractions of BTC.  The other being that BTC wallets/addresses are trivial to generate.  This means someone could create a large number of BTC wallets in order to move their money around.  A large amount of BTC could be hidden in a large number of wallets.  There are also services which pool BTC into a collection of wallets with other users' BTC in order to launder BTC.  Given all these potential complexities, we will likely need to treat the BTC network as a graph.

In the campaign from the attack mentioned above, I was able to gather 4 BTC addresses by guessing user keys on the ransom site.  They are displayed below along with how many BTC they received from extortion.

 1L7SLmazbbcy614zsDSLwz4bxz1nnJvDeV - 100.66596583 BTC 19yqWit95eFGmUTYDLr3memcDoJiYgUppc - 67.99258172 BTC 16N3jvnF7UhRh74TMmtwxpLX6zPQKPbEbh - 29.37682569 BTC 1ApF4XayPo7Mtpe326o3xMnSgrkZo7TCWD - 99.1159107 BTC 

With a total of 297.15128394 BTC, this campaign appears to have made quite a bit of money already (at current conversion rate $105,549.78).

If we treat BTC transfers as we would treat generations on a family tree, we can start to get some more information from these BTC addresses.  With some thanks to BlockChain.info, Gephi and a Python script I put together, we can visualize this data.  Let's first map out all the second generation BTC addresses (addresses that received BTC from the known ransom wallets).

First and second generation BTC wallets from June CryptoWall campaign.  First generation in blue, second generation in red.

First and second generation BTC wallets from June CryptoWall campaign.  First generation in blue, second generation in red.

If we look at some of the second generation BTC wallets that have more than one of the ransom wallets sending it BTC, and then look at any other wallets sending them BTC, we can identify more potential ransom wallets.  From the family tree perspective, these wallets would be siblings.  Additional checks to confirm they are more likely related to CryptoWall is to check for ransom like payments (similar costs, payments from multiple addresses for similar amounts).

 1JTEjiizLihT6GbvoW52Abmg6rV1KyD3fw - 67.07551282 BTC 13BeAzA4mhwDYJEwhqNd2LsUnuhuVqKvw8 - 39.08133736 BTC 1DSHfFTxJYpwTakXhKogJ5jdXPCQpXLTn1 - 2.72 BTC 1PHanqbJCsoyGMMLqvvznHwp9wh1zygkxp - 46.49512362 BTC 1DMgHqg4d6LXmEvohtYANpv2yMKQteKahn - 59.36315446 BTC 1CeA899xpo3Fe6DQwZwEkd6vQfRHoLuCJD - 112.17284189 BTC 1PnPJfx4ct8YHRnTnx1VrSnrZeQik86BXa - 59.56403407 BTC 185dzdGaxhFhwTdphAWEe4CjjXnutzKYYm - 64.25211267 BTC 1LPAUi1LWzCsRLkGFWFdN5sENs1LufBfNp - 45.32544979 BTC 1bTuCtgEtouAC7mrCrY6zzWCphSDLvxAo - 10.0495 BTC 19Dbxn926nCNqimjzfcjvJv4EKno6LBYv6 - 11.12 BTC 18e6Wtkvpf4L9RHwzbgvR9QTUVm1yBybwu - 26.13910156 BTC 1HYDwtwtotSedCDCHDcgbRks2a7yPcicwd - 96.85726223 BTC 1M8oK3D2G8ipTy7sCxiatrHC35CpAgmrrw - 99.81357946 BTC 13Kqgurx7eQg3G29NwV7ouJ8UHJRSUwwAe - 86.40750979 BTC 14bD9RgtJeKxdJMm5SRbmzFcsk8azTheR9 - 12.9409 BTC 1FUEYosFFP9X93yrPzeW5YQpbtpg8eq5Gd - 2.46 BTC 1Pa7ZkA9JHzwp8FazU4YBVSiYFPP3majgA - 31.83847394 BTC 13MBSSp3kciFsLgRkFe1nyB6v9rM2fZZ7L - 5.2 BTC 1DzV31VpoKgGBCCYPQafAjUjQAMdUHRGQv - 70.96645713 BTC 1Fp1cVAZ1Ne21ta6UvFiSgvPTjTqHt3TNY - 5.3012 BTC 1McQPMgvRfatXFVPvWEB1byxzgV2d6FPTq - 9.38393985 BTC 

With these sibling wallets totaling 964.52749064 BTC ($341,621.57) to puts this campaign closer to 1261.67877 BTC ($446,868.22).

With the current campaign, I was only able to obtain one BTC address from the ransom site as they increased the obscurity used to hide the number of victims.  It also appears that they have attempted to reuse BTC wallets less.

 128pJdREzcR6xorYPQAPzGf8RwMQjRBzDt - 1.33 BTC 

With this address, I was able to identify two second generation BTC addresses which could be used to identify more wallets.  This resulted quite a few addresses, as can be seen below.

Sibling analysis graph with 4 generations, blue wallets are the first generation wallets (including siblings).

Sibling analysis graph with 4 generations, blue wallets are the first generation wallets (including siblings).

 1AkNkGDVk4N9cvrQrUXzZGVeX3fi1GDAnn - 1.33 BTC 186Qu4CHMMEMcRFhxvujCvAKD3vx6ziUZi - 2.7818 BTC 1DPMLWTaeGJK49fifnXxHdhH3ZysD7NEQJ - 4.15 BTC 1MViQ9sSrDi1REwbzttPjz8UwDwWRcrBa5 - 1.33 BTC 16V3i18DPUtJG5Kp5GHjCDjaUG4qjByqeD - 4.14 BTC 1hBGyAMPci57kjMRuHtTiiEiyMPPbkNog - 2.66 BTC 1Dip1BUWcLFbpa4v6UVM7stfiq9GrTztor - 2.69007998 BTC 1ELAQv2DQqApozVVzP4UhpNgAKFFRBAXLP - 2.66 BTC 1NZBme7eTYYd27bJaCarLkcjWUJSb6Uhoz - 1.33 BTC 1BaVeW1MDm5Z7krsNYRocGPqoPtvVgeFcC - 1.33 BTC 1Q1BhkHTyZBSJYs4jU5BEL5mKqzmxKqdUb - 1.33 BTC 15VdJ1x7mrvydpverBoM52uK32zthEgx3W - 1.33 BTC 1TifpG8S3LJTGDU9C5k9GbuYXza3DQohf - 1.33 BTC 1BRaWwcyNVx1Mzs36Xthu85xdo8DZwbWrd - 1.33 BTC 17QqTQk1GKMU2CuDHYBjvcCKcFzWTsvLzD - 5.22576667 BTC 14obpFxKhyj1XtRSJvyQ59x4JRwqvqCrJR - 2.68 BTC 1LNfzXzGuXiZK5iZb3Qvn22QfLBHgEfikN - 1.33 BTC 1B8mUXmLedyP13FcdTxtQCNwWjsYGt1uJX - 1.33 BTC 12oTuPZVabXXdyHAC7XG3vtgz61vtykaPB - 4.10387652 BTC 1BZMBivN1AL9DWQCdEnmviSKiMpnicTTBK - 2.66 BTC 1MbTd6iEqyrCAKZGvwR2QkAPMKXZ3727Hv - 2.7970395 BTC 15uMyfPokMN1BQUjvdPAcP5afCv5zGBfGv - 1.33 BTC 1Fn58MQNj23k2NUcZydCfhNUwzjbmGnK9a - 5.56 BTC 1BiVJbHQnAv7gnK6jjgx5inscEGYinzdRD - 1.33 BTC 1GqE8msa63edwhF96EszPozVGR9fuwPGDb - 1.33 BTC 1255ZtL5HXVNugwsxUvbSJSLUe2JDWLVmA - 1.33 BTC 1LsxkDcoK9MdD59o5rMw1dgDpGN8QoNbPp - 1.33 BTC 17Akvqrmria6v1gBPse3N1cNKKS8hHNm92 - 1.33 BTC 17okEyiGjTiqRkmxoFQRJt98BdYcXF1JeA - 2.74 BTC 19tH6f9UeLR64GfqcxwDUrGQVXXA7bg7LY - 2.75 BTC 12WW3RcXZ8rvGc9EyhZAgRcVQEUZBYR8o6 - 2.66 BTC 1HkzycvwurGTfYe99qYq55uN9HzocMYysg - 1.38205539 BTC 15MSrtpUkb9jBrr22ZXetrgDiynvLeHNDh - 1.33 BTC 1GEoemCD9LURzv4fqiARDiCuwb2n3sYjYP - 4.22811022 BTC 1MKwudaRV65RKNANrUS7mXTtMA5ndVTzHB - 1.33 BTC 12uVUzTrvUr8ACfSt57UstYU1E1edeEfnM - 2.77131309 BTC 1KF5VSK9PB1tcS5aH6TcwnvgL2C9nbYmNS - 2.659 BTC 1EiGZ5gBCYpJDPzcqyFois3gPNSXKT7jrt - 2.657 BTC 1P9dhkjAU4jPcW8iE5Uq3kj2W2A6oQc6mK - 1.3299 BTC 19JzWgQB4skxzH5ytvkJZbVMuLuwxoqjZy - 4.0 BTC 1JdYxTXNKxmYMWfDsW5mfAAV492AgHL1vY - 3.9401213 BTC 1Fgs8SMZV19eMta7pyZWiPH3Xkru9EZQeD - 4.8327 BTC 1DxR7rfGBto8przrBjhcrxfHpAr9c9uoYn - 8.06 BTC 1EniVnm2sh6EPe8TwyKT5KfBEkBK5g5Jgk - 5.3344251 BTC 1esih63MxWnwq4PLssmd6339fvfHdR8ww - 7.990826 BTC 1H3qbVbbm9JbwccofgGePhBCHaUXuVbkES - 4.01 BTC 1HzLH5UEo1rUdEA8g8afz6tR4EXfkCLnZr - 5.38 BTC 1D5FAyoTKhYbEPbiuSUSesg7hyVHB2uEJE - 5.42131588 BTC 1PvSDtss2WVhCykJJo5CkQZS6SVdpAM1U6 - 6.68 BTC 1JtwRHdDt2TXV1ixkcsJhkK5jd5W7nrRGe - 6.66889255 BTC 1L4GWsdFaKWEEk8Y1kC2nLGReZrqq9VL4Z - 6.58886523 BTC 1DVtLHgEtyLvECoLyioApckNrVrtnvcoMH - 6.63389119 BTC 1H7AWaRpq7TqzvY8ZNnY6Kc754sDy99KHr - 3.96163444 BTC 1JfC2gFma5sAwAJb5vPqd2yuYnvStLdw4U - 3.99 BTC 1ET6Ww6ZMyjduWYpKxefb5J52tPnxX8hBw - 5.408 BTC 17ddD4YpRYz1sF6b4PJTp5tZrmCBWdn9wH - 4.01285519 BTC 13t2DQuBFdiFRBH8rLA1tR1kUTfmjDQeSq - 9.3281922 BTC 1BST18ERfbd1fEbKuAyxt7or9RnocLA8ZN - 5.32662234 BTC 1KQzPxuuBx7YMAjMSWVn9zA5xEE4Leswyt - 8.05 BTC 1Gt8D8LL7orCkA7wV3KCgy8RZk7fwGJXqh - 6.8967 BTC 1KwsdZqtPzJFnAKzNrJF5hJQwB1xmt3WmD - 9.42282357 BTC 1LQXVRTN3CYfgQuyq9pLYL5jxGdrtaf2Kn - 8.06 BTC 1Pvfbp9RLyXgzcKz39AMAxamDTs36E9Xyp - 12.28677696 BTC 1757vJTmTfrTM6PUqN47STGugtDoqJxuNU - 6.75 BTC 19VmUZsg9iDgHc1MTPXhuPki3rsaq9yuys - 14.86719338 BTC 1KjttixbZBTDLhc4vTtCVYQUV4A1QXV3CE - 2.66 BTC 142abHo5n5HLzXna2w1b5MhNaManz2huJg - 5.49 BTC 18cKEYDd7sPboo4pfsDeDo7oUfF6CCVWoQ - 4.05 BTC 1McQPMgvRfatXFVPvWEB1byxzgV2d6FPTq - 9.38393985 BTC 1EeFT9NPG77XVEyRP68EkxhP7TzbVcBoJT - 9.175 BTC 1HpTyt4qXo53YJx5TCqV62Goe22TneFPNf - 10.48633672 BTC 133iB9RkbJbRPHqS2z4xa12XddEovod3sS - 10.60004689 BTC 144Fvd1mJxD51hKsRZFjB6yxyw2J32hmKT - 14.58590348 BTC 1Ax3LtWE9G53GTa2HWuga4JUrd2QCUx5pj - 14.92543359 BTC 162Cc4ad5C23RwYBytFyi2NxKGDoncasV8 - 11.97865224 BTC 1GCs9dgmutp2gNGNDCcmVp9NZ83VMNYpje - 7.87208905 BTC 156ZRB1QWJpuGA9da3uHWAkvZM5irRHonR - 2.6 BTC 1AEAhaGNMRnoTSeLE8GH9yybK2RuWXHCvM - 3.87328296 BTC 1PNt4XscuP3HrwVHwuN5VheecgX21nTuVs - 9.15653123 BTC 1DLE9cULDPBVAtUhkpuRbi9MVfw9T14e7 - 14.7 BTC 196fcXLHUG8tfSN5Wqhf6Xu4LNQikzuXoy - 5.17409 BTC 1Gq6Cc4n13Zc2JCfHgzbeHnytMV2MhiZgc - 9.26647046 BTC 1AgmTcktxt44KemAfrLBNEerGQQrWUbJZw - 9.2229941 BTC 1JPutxXJxopCF1qyZEbM98UkkrxdYDPzDo - 8.10997938 BTC 

From these results, we can see 427.768527 BTC ($152,356.44) being paid out in ransom in a short period of time.  It is likely with more in depth sibling analysis, more wallets could be identified.  I should note that these results are from an ongoing campaign, and will likely rise.

Current Campaign Sample

With the current campaign, we have observed the following sample dropped after infecting browsers through malicious advertisements.

 4cf1d2f01e4206afbb7abcfb48953e59f0869f020d5fb4946abef31fadefdbc9 

Like with the previous campaign, the initial detections from the industry are weak, although they show improvement.

Yet, our detections are solid across the board, giving full confidence that this sample is a threat.

CylanceV making short work of CryptoWall

With a model built in August of 2014, we were and still are detecting this sample as a threat.  I should note that this sample was compiled on October 16, 2014, so yet again we are detecting threats before they are even compiled.  Not to mention we also block the process injection behavior that this sample relies on to encrypt files, giving you another layer of protection.

Conclusion

CryptoWall and other families of ransomware have been effective and will continue to be inthe future.  They are a powerful tool to generate income for attackers, and they target all end users.  If you are unable to protect yourself with advanced threat detection services like CylancePROTECT, it is suggested you regularly back up important documents to secure locations that keep historical versions of your documents.  If you are able to protect yourself with CylancePROTECT, then you can rest easily.

Samples

 3ebc91c46adc09f9c5928b37dac7902f061a13c13ab2826fe9ddef8269f68eb2 45bd17aaac7454c7473ffdd799cbe0cead8f54b7cb7a553656a0a6f8670bd57d 4cf1d2f01e4206afbb7abcfb48953e59f0869f020d5fb4946abef31fadefdbc9 66be3cf487dcf97f4aaba67de2ee4f5cfaf79d62dab5737eba2a1ffde1b7d34d a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e afbf57bddf2c5eba48d2aa2de4d8880cc582e3bfd918b05ec77def90c689841c bb84cca6de19cb721fa8d180f8aa80b7ea591e4885c62f6577e445654723d7f3 bc5998ba55ead151eff8d1531f004f9c0a9d62066efd7656d40dad9f2c074624 d00b92837467c301f5359943d955dc7a4d59f0136b4e90715d5d97ee0a9617d3 dae6e6cde51fefbb81c9c44fde504cd984f24b73da3a2623a6f02135014e2d5f 
Brian Wallace

About Brian Wallace

Lead Security Data Scientist at Cylance

Brian Wallace is a data scientist, security researcher, malware analyst, threat actor investigator, cryptography enthusiast and software engineer. Brian acted as the leader and primary investigator for a deep investigation into Iranian offensive cyber activities which resulted in the Operation Cleaver report, coauthored with Stuart McClure.

Brian also authors the A Study in Bots blog series which covers malware families in depth providing novel research which benefits a wide audience.