Ransomware on Steroids: Cryptowall 2.0

  • #70128
    admin
    Keymaster

     Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0 utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-VM and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64-bit code directly from its 32-bit dropper. Under the Windows 32-bit on Windows 64-bit (WOW64) environment, it is indeed able to switch the processor execution context from 32-bit to 64-bit.

    http://blogs.cisco.com/security/talos/cryptowall-2

    #84087
    StaticFX
    Participant

    I swear I saw that someone had discovered a way to decrypt.. to create the key needed, but I can't find it!

    #84102
    JMRK
    Participant

    I swear I saw that someone had discovered a way to decrypt.. to create the key needed, but I can't find it!

    There were some encryption methods where they were able to decrypt the files. In one case the malware writer inadvertently left the keys in the registry or somewhere on the system. In some cases they’ve used a known key which made it easy as well. Cryptolocker and CryptoWall are using pretty advanced methods to make sure the key is kept secret.

    #84136
    StaticFX
    Participant

    Well, I would never pay.. I make backups often enough, I would just wipe the system and restart.

    #84142
    Admin1
    Guest

    This also happened to a police station in Swansea, Mass. in 2013 and they paid the $750, lol. Google it if you want to read the story. I’m originally from Somerset, Mass.; Swansea is 5 minutes away.

    #84143
    StaticFX
    Participant

    lol.. they paid!?? oh god…

    #84162
    altshep123
    Participant

    I was thinking $750 was pretty steep if you were targeting your average schmuck, but hitting a police station… I bet they paid within the first couple of hours : ( Heaven help the unlucky if this ever got widespread. No anti-virus is going to help grandma in this case…

    #84191
    Admin1
    Guest

    I’m very surprised that they didn’t ask for more, seeing as they must have known it was a police station computer. I believe they were told not to pay, but they did it anyway. For all they know every single file might have been copied and saved to sell at a later date.

    #84208
    StaticFX
    Participant

    I don't think Crypto is a “targeted attack” – I think it's a virus like any other.
