by RSS Rommel Abraham D. Joven  |  Nov 13, 2015  |  Filed in: Security Research

Overview

Cryptowall is a popular ransomware which targets computers running Microsoft Windows, encrypts files, and extorts money to decrypt user files. With its predecessor’s first appearance way back September 2013, cryptowall has become a financial success to its authors. Following this success, the authors have now released what is believed to be the 4th generation of cryptowall with new alterations techniques.

Ransom Note

The most obvious change from the previous cryptowall is the dropped files and message instructions after the user is infected. The new filename was renamed from "HELP_DECRYPT" to "HELP_YOUR_FILES", also to add insult to injury the new note congratulates the victim for becoming part of the Cryptowall community with hashtag #Cryptowall.

                                                             HELP_YOUR_FILES.TXT

                                                               HELP_YOUR_FILES.PNG

                                                                HELP_YOUR_FILES.HTML

No Trace Left

Not just the data of the file is encrypted but also the filename, making it difficult for a user to determine which specific file has been encrypted. With these, it adds curiosity to the user if important files were encrypted. It increases the possibility for the user to pay the ransom.

 

                                                     Sample of Encrypted Filename

Blacklisted Keyboard Language

It gets the keyboard language by using the API GetKeyboardList and compares it to its hardcoded values. It does not infect the machine if it sees any of these values.

 

Use of CRC32 Hash

Same with the previous Cryptowall, it uses the hardcoded CRC32 hash to check and compare for blacklist (countries, filenames, directories, and extensions) and targeted extension to encrypt.

Blacklisted Countries

The malware has a list of the two-letter country code of countries to avoid. Here are the countries:

If the code matches one of these countries, the malware will remove all traces of itself from the system. Otherwise, it proceeds with its main payload. This also implicates the possibility that attackers operate under these countries.

Blacklisted Directories

The malware is cautious not to encrypt important files that could disrupt the normal operation of the computer. The directory will be skipped if its folder name is any of the following:

Blacklisted Filenames

Having dropped a ransom note the malware makes sure that this will not be encrypted and the appearance of the system still stay the same. Here are some of the filenames that will be skipped:

Blacklisted Extensions

The following are the list of extensions that the malware skipped to encrypt. These extensions are basically related to system files that may affect system operation if modified.

Targeted Extensions

From the previous version it targeted around 312 file extensions while in our analysis we found out that 358 extensions were being targeted. Listed are 345 out of 358 extensions that we managed to identify:

c

cmt

grw

ns4

Qbm

vsd

dotx

cdf

fdb

nef

h

cnv

gry

nwb

Qbr

vsx

flac

cdr

ffd

nk2

m

cpi

hbk

nxl

Qbw

vtx

gray

cdx

fff

nop

ai

cpp

hpp

nx1

Qbx

wav

grey

cer

fhd

nrw

al

crt

ibd

nx2

Qby

wbk

indd

ce1

fla

nsd

cs

crw

ibz

nyf

Raf

wb2

itdb

ce2

flv

nsf

db

cr2

idx

obj

Rar

wdb

java

cfp

fpx

nsg

fh

csh

iif

odb

Rat

wll

jpeg

cgm

fp7

nsh

fm

csl

iiq

odc

Raw

wmv

kdbx

cib

fxg

ns2

ib

csv

jpe

odf

Rdb

wpd

kpdx

cls

gdb

ns3

nd

dac

jpg

odg

Rtf

wps

potm

sxg

cdr5

design

pl

dbf

kc2

odm

Rwl

xis

potx

sxi

cdr6

laccdb

ps

dbr

kdc

odp

Rwz

xla

ppam

sxm

craw

psafe3

py

dbs

key

ods

rw2

xlb

ppsm

sxw

ddoc

sas7bdat

rm

db3

lua

odt

r3d

xlc

ppsx

tex

ddrw

pspimage

7z

dcr

maf

oil

Say

xlk

pptm

tga

djvu

st8

ab4

dcs

mam

one

Sda

xll

pptx

thm

docb

svg

ach

dcx

maq

orf

Sdf

xlm

sldm

tlg

docm

swf

acr

dc2

mar

otg

sd0

xlr

sldx

txt

docx

sxc

act

ddd

maw

oth

sl2

xls

s3db

vob

dotm

sxd

adb

dds

max

otp

Snp

xlt

vsdx

prf

3g2

accdu

ads

der

mdb

ots

Sql

xlw

xlam

psd

3pr

blend

ait

des

mdc

ott

Srf

xpp

xlsb

ptx

agdl

class

apj

dgc

mde

pas

Srt

xsn

xlsm

pub

back

ibank

arw

dng

mdf

pat

Srw

x11

xlsx

puz

bank

pages

asf

doc

mdt

pbo

sr2

x3f

xltm

p12

cdrw

rpmsg

asm

dot

mef

pcd

Stc

yuv

xltx

p7b

cdr3

xllsx

asp

drf

mfw

pct

Std

zip

accdb

p7c

cdr4

backup

asx

drw

mmw

pdb

Sti

3dm

accde

qba

3fr

accdr

avi

dtd

mos

pdd

Stw

3ds

accdp

qbb

3gp

accdt

Awg

dwg

mov

pdf

Stx

bik

edb

mrw

Pip

 

Bak

dxb

mpg

pef

st4

bkf

eml

mso

Plc

 

Bay

dxf

mpp

pem

st5

bkp

eps

myd

Pot

 

Bdb

dxg

mp3

pfx

st6

bpw

erf

m4v

Pps

 

Bgt

ebd

mp4

php

st7

cdb

exf

ndd

Ppt

 

The malware then proceeds to enumerate files from the system. After a successful check against the blacklist and if an enumerated file matches one of the target extensions, the malware will proceed to encrypt the file.

C&C Communications:

Similar to its predecessor, all communications with the C&C server uses RC4 encryption. The C&C server list is decrypted using a short hard-coded key, while the encrypted message to be sent to the server uses the malware generated RC4 key.

                                                Sample of encrypted message sent to the C&C server

In our analysis, we were able to track down C&C domains the sample connects to. A list of these domains is available below.

Conclusion

The code updates highlighted in this post demonstrates the Crypto Wall operators’ determination to persist in the wild and continue its lucrative business. Unless arrests were made, we expect that Cryptowall will continue to be updated to remain effective with its extortion techniques, as exemplified in this variant’s new filename modification behaviour.

Fortinet, in cooperation with the Cyber Threat Alliance, will continue to monitor developments regarding this prominent threat.

-=Fortiguard Lion Team=-

List of C&C domains

Hashes of related files:
e73806e3f41f61e7c7a364625cd58f65 - W32/Cryptodef.AAOJ!tr
50b965686ad2cbdc0066e870a928177e -W32/Agent.1F56!tr

 

by RSS Rommel Abraham D. Joven  |  Nov 13, 2015  |  Filed in: Security Research

comments powered by Disqus