by Brian Cheng  |  Aug 05, 2014  |  Filed in: Security Research

CryptoWall is another entry in the popular category of malware known as ransomware. This type of malware holds your data hostage by encrypting your files and then charging a ransom to decrypt the files. The malware displays a message informing the victim that their files have been encrypted and that they have a limited time to pay the ransom before the cost of recovery goes up. To maximize their anonymity, the malware authors use the TOR network and require the ransom to be paid in Bitcoins, a trend that we are seeing more and more often.


Figure 1. Message that appears after encryption.

While highly disruptive to the victim, the malware is actually quite selective about what it tries to encrypt. What follows in this blog post is a brief overview of how CryptoWall works and how it chooses its target files.

Startup

CryptoWall begins by collecting details about the computer, such as computer name and processor model, to generate an MD5 hash that can identify the infected computer. The figure below shows an example of a generated hash.


Figure 2. Example of an MD5-hash value generated from the user's computer information.

It then checks for the existence of the event:

\BaseNamedObjects\[Generated hash value]

This is used to determine whether an instance of the malware has already run on the system. If the event is not found, then the malware creates a new instance of explorer.exe and injects itself into it. Within the newly infected explorer.exe process, the malware further creates a new instance of svchost.exe and again injects itself into it. This new process is where the encryption takes place.

Avoiding Certain Countries

The hash value calculated earlier is sent to the command-and-control (C&C) server, which responds with an encrypted message containing the TOR address of their website, a user ID for the victim, and the RSA-2048 public key that is used to encrypt the victim's files. Along with the key comes the two-letter country code of the infected machine. It is unclear how this is determined, but the server most likely derives the location from the victim's IP address. The malware generates a CRC32 hash of the country code and compares it against a list of hash values corresponding to BY, UA, RU, and KZ, the country codes for Belarus, Ukraine, Russia, and Kazakhstan, respectively.


Figure 3. Code that checks the country code.

If the code matches one of those countries, then the malware proceeds to remove all traces of itself from the system by removing any registry entries and dropped files it may have created. Otherwise, it proceeds with its main payload which is the encryption of the victim's files.

Encryption in C&C Communications

All communications with the C&C server are encrypted using RC4. Before sending a message, CryptoWall first generates a random alphanumeric string.


Figure 4. Randomly generated alphanumeric string.

It then sorts this string, and the result is used as the secret key for the RC4 encryption.


Figure 5. Sorted string that will be used as the RC4 key.

The message that is to be sent to the C&C server is encrypted with RC4 using this secret key and then converted into ASCII values. CryptoWall then sends the unsorted key to the server as a POST parameter along with the encrypted message.


Figure 6. Example of an encrypted message sent to the C&C server.

In the figure above, the "y=" part of the message is taken from the last character of the sorted key.
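The C&C request format described above, as an added example that is not code from this post or from the malware: a small codec that rebuilds the request the way the post describes (random alphanumeric string, sorted copy used as the RC4 key, ciphertext posted under a parameter named after the last character of the sorted key) and, more usefully for an analyst, decodes a captured request from the transmitted unsorted key. It assumes textbook RC4 with no dropped keystream bytes, sorting by character code, and hex as the "ASCII values" encoding; the parameter name "rk" for the unsorted key is a placeholder, since the post does not name it.

```python
import secrets
import string

# Added example, not code from the post or from the sample. Assumptions:
# plain RC4 (KSA + PRGA, nothing dropped); the key is the random string
# sorted by character code; the ciphertext is hex encoded; "rk" is a
# placeholder name for the POST parameter that carries the unsorted key.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4. Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def random_key(length: int = 16) -> str:
    """Random alphanumeric string of the kind shown in Figure 4."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def sorted_key(unsorted: str) -> str:
    """The RC4 key is the random string sorted character by character (Figure 5)."""
    return "".join(sorted(unsorted))


def build_request(message: bytes, unsorted: str) -> dict:
    """POST parameters: the ciphertext under a name taken from the last
    character of the sorted key (the "y=" in Figure 6), plus the unsorted key."""
    key = sorted_key(unsorted)
    return {key[-1]: rc4(key.encode("ascii"), message).hex(), "rk": unsorted}


def decode_request(params: dict) -> bytes:
    """Decode a captured request: re-sort the transmitted key and RC4 the hex
    payload stored under the last character of the sorted key."""
    key = sorted_key(params["rk"])
    return rc4(key.encode("ascii"), bytes.fromhex(params[key[-1]]))


if __name__ == "__main__":
    k = random_key()
    req = build_request(b"hello", k)
    print(req, decode_request(req))
```

Because the unsorted key travels in the same request as the ciphertext, anyone holding a packet capture can recover the plaintext; the RC4 layer hides the traffic from casual inspection, not from an analyst.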

Searching for Files

To search for files, CryptoWall scans the system for all mounted drives using GetLogicalDriveStringsW and creates a thread for each drive (excluding CD-ROM drives) to perform the encryption. Each thread begins at the root of the drive and recursively searches through directories looking for files to encrypt. The malware is careful not to disrupt normal operation of the computer by encrypting only files that are likely to contain the victim's data. To do this, folder names are converted to lower case and a CRC32 hash of the result is compared to a list of hash values. Folders such as the following are unlikely to contain data files and are skipped:

\WINDOWS\
\Program Files\
\Temp\

When a file is located on the drive, a CRC32 hash of the file name is created and compared to another list of hash values that correspond to a number of special files that should not be encrypted such as Thumbs.db and IconCache.db. After passing this check, the extension of the file is extracted and, again, a CRC32 hash value is created from it. This is compared to a list of hash values of file extensions stored by the malware which determines whether or not to encrypt the file.
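CryptoWall compares CRC32 values rather than strings in three places described on this page: the country-code check, the skipped-folder check (names lower-cased first) and the file-name and extension checks. An analyst who dumps such a hash table from a sample recovers the strings behind it by hashing candidate strings and looking for matches; for the country codes the whole candidate space is only 676 two-letter strings. The block below is an added example, not code from the post or from the sample. It assumes the standard CRC-32 (the zlib polynomial) over the ASCII bytes of the string, and its hash tables are constructed by hashing the strings the post names, because the post shows the real values only in screenshots.

```python
import zlib
from itertools import product
from string import ascii_uppercase

# Added example; not code from the post or from the sample. Assumption: the
# sample uses standard CRC-32 as zlib computes it, over ASCII bytes. The hash
# tables are constructed from the strings named in the post.


def crc32(s: str) -> int:
    """CRC-32 of an ASCII string as an unsigned 32-bit integer."""
    return zlib.crc32(s.encode("ascii")) & 0xFFFFFFFF


# Machines reporting one of these country codes are spared (BY, UA, RU, KZ).
COUNTRY_HASHES = {crc32(c) for c in ("BY", "UA", "RU", "KZ")}
# Folders the file walker skips; the sample lower-cases the name before hashing.
SKIPPED_FOLDER_HASHES = {crc32(f) for f in ("windows", "program files", "temp")}
# Special files never encrypted (case handling is not stated; hashed as shown).
SKIPPED_FILE_HASHES = {crc32(f) for f in ("Thumbs.db", "IconCache.db")}


def recover_strings(hash_table, candidates) -> dict:
    """Map each hash in `hash_table` back to a candidate string producing it."""
    found = {}
    for cand in candidates:
        h = crc32(cand)
        if h in hash_table:
            found[h] = cand
    return found


def recover_country_codes(hash_table) -> list:
    """Brute-force the full upper-case two-letter space (676 strings).
    For equal-length inputs of at most four bytes CRC-32 is injective, so
    every hit is the unique code behind that hash."""
    candidates = ("".join(p) for p in product(ascii_uppercase, repeat=2))
    return sorted(recover_strings(hash_table, candidates).values())


def is_spared_country(code: str) -> bool:
    return crc32(code) in COUNTRY_HASHES


def is_skipped_folder(name: str) -> bool:
    return crc32(name.lower()) in SKIPPED_FOLDER_HASHES


def is_skipped_file(name: str) -> bool:
    return crc32(name) in SKIPPED_FILE_HASHES


if __name__ == "__main__":
    print("spared countries:", recover_country_codes(COUNTRY_HASHES))
    print("skipped folders:", recover_strings(
        SKIPPED_FOLDER_HASHES,
        ["windows", "users", "program files", "temp", "programdata"]))
```

The same approach recovers the extension list from Figure 8: feed `recover_strings` a candidate list of common extensions, remembering to apply whatever case normalisation the sample applies before hashing. If no candidates match, check the CRC variant first (initial value, final XOR, bit order), since the polynomial and the table are not the only things that can differ.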


Figure 7. Code that checks whether the file is to be encrypted.

The types of files that CryptoWall encrypts are split into six different categories: documents/text-related files, graphics/photos, source files, JPEG images, video/audio files, and miscellaneous backup files. The table below shows the categories and the extension names that fall under them.


Table 1. Extensions and categories of files to encrypt.

The category that a file belongs to determines the maximum size to be encrypted. This is likely done to save time during the encryption process as video, audio, and image files can be large and encrypting only a portion of the file already renders the file unusable. Conversely, text-related files are assigned a larger maximum size so as to encrypt as much of the file as possible in order to reduce chances of recovery without decrypting it.

The figure below shows the hash values of extension names, the six categories, and the maximum number of bytes to be encrypted for each category.


Figure 8. Valid hash values, their categories, and corresponding maximum encryption size.

Encryption

Once a file has been determined to be a suitable candidate, the file is encrypted with RSA using the public key received from the C&C server. After encryption, the full file path of the file is added as a value under the following registry key:

HKEY_CURRENT_USER\Software\[Generated hash value]\CRYPTLIST

The generated hash value is the same MD5 hash that was mentioned in the Startup section above.
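During incident response the CRYPTLIST key is the quickest way to scope the damage, since every encrypted file's full path is recorded there. The block below is an added example, not code from the post: it pulls those paths out of a .reg export of the victim's HKEY_CURRENT_USER hive and summarises them per drive and extension. It assumes the sub-key name is the 32-hex-character MD5 described above and, because the post does not describe the value data, the constructed sample uses a dword placeholder; the hash and the paths in the sample are made up. Real regedit exports are UTF-16LE, so decode with "utf-16" when reading one from disk.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Added incident-response example, not code from the post. The .reg text
# below is constructed: the hash, the paths and the dword data are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\00112233445566778899aabbccddeeff\CRYPTLIST]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\alice\\Pictures\\holiday.jpg"=dword:00000000
"D:\\backup\\site.zip"=dword:00000000

[HKEY_CURRENT_USER\Software\Unrelated]
"Setting"="value"
"""

# Assumption: the sub-key is the 32-hex-character MD5 the post describes.
CRYPTLIST_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\([0-9a-f]{32})\\CRYPTLIST\]$", re.IGNORECASE)
# A value line: "name"=data, where name may contain escaped quotes/backslashes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def cryptlist_paths(reg_text: str) -> list:
    """Return the full paths stored as value names under any CRYPTLIST key."""
    paths, inside = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):              # new key header: are we in CRYPTLIST?
            inside = CRYPTLIST_KEY.match(line) is not None
            continue
        if inside:
            m = VALUE_LINE.match(line)
            if m:
                # .reg escapes backslashes and quotes with a backslash; undo that
                paths.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return paths


def summarize(paths) -> Counter:
    """Count encrypted files per (drive, extension) for a scope report."""
    return Counter(
        (PureWindowsPath(p).drive, PureWindowsPath(p).suffix.lower()) for p in paths)


if __name__ == "__main__":
    found = cryptlist_paths(SAMPLE_REG)
    for p in found:
        print(p)
    print(summarize(found))
```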

Making it Difficult

In addition to encrypting the files, the malware also executes several commands to make recovery of files even more difficult. The following command is executed to delete the volume's shadow copies, which removes Windows' automatic volume backups:

vssadmin.exe Delete Shadows /All /Quiet

The following commands are also executed to disable the Windows Error Recovery screen at startup:

bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

The malware also attempts to disable the following services to reduce security, disable Windows updates, and disable error reporting in order to avoid detection:

wscsvc
WinDefend
wuauserv
BITS
ERSvc
WerSvc
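The commands and service names in this section are good detection material because legitimate software rarely deletes all shadow copies, turns off the recovery screen and stops the security centre in quick succession. The block below is an added detection example, not code from the post: it runs a handful of rules over constructed process-creation events (a simplified "parent=... image=... cmd=..." form standing in for Sysmon event 1 or EDR telemetry) and also flags an svchost.exe whose parent is not services.exe, which is the process tree the Startup section describes. The post does not say how the services are disabled, so the service rule assumes sc.exe or net.exe command lines and is labelled as such; the log lines are constructed for the example.

```python
import re

# Added detection example, not code from the post. The service rule assumes
# sc.exe / net.exe command lines, which the post does not confirm.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("security_service_tampering",          # assumption: sc.exe / net.exe used
     re.compile(r"\b(sc(\.exe)?\s+(stop|config|delete)|net(\.exe)?\s+stop)\s+"
                r"(wscsvc|windefend|wuauserv|bits|ersvc|wersvc)\b", re.I)),
]

# Constructed sample telemetry; the paths and parents are made up.
SAMPLE_LOG = [
    "parent=services.exe image=svchost.exe cmd=svchost.exe -k netsvcs",
    "parent=explorer.exe image=svchost.exe cmd=svchost.exe",
    "parent=svchost.exe image=vssadmin.exe cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "parent=svchost.exe image=bcdedit.exe cmd=bcdedit /set {default} recoveryenabled No",
    "parent=svchost.exe image=bcdedit.exe cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "parent=svchost.exe image=sc.exe cmd=sc config WinDefend start= disabled",
    "parent=cmd.exe image=sc.exe cmd=sc query wuauserv",
    "parent=explorer.exe image=notepad.exe cmd=notepad.exe C:\\Users\\alice\\notes.txt",
]

EVENT_RE = re.compile(r"parent=(\S+)\s+image=(\S+)\s+cmd=(.*)")


def parse_event(line: str):
    """Split one constructed log line into parent, image and command line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"parent": m.group(1).lower(), "image": m.group(2).lower(), "cmd": m.group(3)}


def match_rules(cmd: str) -> list:
    """Names of every command-line rule that matches."""
    return [name for name, pattern in RULES if pattern.search(cmd)]


def evaluate(event: dict) -> list:
    """Command-line rules plus the process-tree check from the Startup section:
    a legitimate svchost.exe is started by services.exe, so any other parent
    (the post describes an injected explorer.exe doing it) deserves a look."""
    rules = match_rules(event["cmd"])
    if event["image"] == "svchost.exe" and event["parent"] != "services.exe":
        rules.append("unexpected_svchost_parent")
    return rules


def scan(lines) -> list:
    """Return one hit record per event that triggers at least one rule."""
    hits = []
    for i, line in enumerate(lines):
        event = parse_event(line)
        if event is None:
            continue
        rules = evaluate(event)
        if rules:
            hits.append({"line": i, "parent": event["parent"],
                         "image": event["image"], "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Administrators do occasionally run `vssadmin delete shadows` by hand, so treat a single hit as a lead and the combination (shadow copy deletion, boot policy change and service tampering from the same parent within minutes) as the alert; the parent-process field is what separates the two.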

Conclusion

Unfortunately, there is currently no way to obtain the private key to decrypt the files without paying the ransom. Since the malware overwrites the original file with the encrypted version and even deletes the volume shadow copies, the only reliable way to restore the files is to recover from a backup. The best way to protect yourself is to keep your antivirus updated and your system patched with the latest security updates. A regularly updated backup of all your important data to a location that is only attached during the backup process (e.g. a removable hard drive) will minimize any damage this malware might cause.

For more information on CryptoWall and other threats, please visit FortiGuard.
