Cryptowall Ransomware uses Bitcoin and TOR exclusively (June 27, 2014)

The Dell SonicWall Threats Research team has received reports of a new variant of the Cryptolocker Ransomware Trojan named Cryptowall. As authorities home in on the operator of the original Cryptolocker (covered in a previous SonicAlert), the operators of this variant have chosen to use Bitcoin as the only method of payment and to use TOR to hide its C&C servers.

Infection Cycle:

The Trojan uses the following email to masquerade as a legitimate FAX message:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\3554cca.exe (copy of original)
  • %USERPROFILE%\Start Menu\Programs\Startup\3554cca.exe (copy of original)
  • %USERPROFILE%\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML
  • %USERPROFILE%\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT
  • %USERPROFILE%\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL

The Trojan adds the following files to each directory in which it has encrypted files:

  • DECRYPT_INSTRUCTION.HTML (instruction page)
  • DECRYPT_INSTRUCTION.TXT (explanation of what happened to the system)
  • DECRYPT_INSTRUCTION.URL (for displaying the instruction page at startup)

Below is a sample of registry keys added to the system. The files have a reference code just like in the original Cryptolocker:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 3554cc "%SYSTEMROOT%\3554cca\3554cca.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 3554cca "%APPDATA%\3554cca.exe"
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\excel.xls dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\excel4.xls dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\powerpnt.ppt dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\quattro.wb2 dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\sndrec.wav dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\winword.doc dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\winword2.doc dword:ac9ef1d9
  • HKEY_CURRENT_USER\Software\3554CCA8DEC8E202D2A58AB4E13A3898\CRYPTLIST %DEFAULTUSERPROFILE%\Templates\wordpfct.wpd dword:ac9ef1d9
The Trojan runs the following command to delete any shadow copies present on the system:

      vssadmin.exe Delete Shadows /All /Quiet
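As an added example (not code from the SonicWall alert), a small Python detector that runs the alert's indicators over constructed sample telemetry: the vssadmin command above, the DECRYPT_INSTRUCTION.* notes, the hex-named Run value and the CRYPTLIST key. The "type|detail" event format, the rule names and the sample lines are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample telemetry (not from the original alert), one event per
# line as "type|detail", modelled on the indicators the alert lists. The last
# two lines are benign noise that must not trigger any rule.
SAMPLE_EVENTS = [
    "process|C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet",
    "file|C:\\Users\\alice\\Documents\\DECRYPT_INSTRUCTION.HTML",
    "file|C:\\Users\\alice\\Documents\\DECRYPT_INSTRUCTION.TXT",
    "registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\3554cca=%APPDATA%\\3554cca.exe",
    "registry|HKCU\\Software\\3554CCA8DEC8E202D2A58AB4E13A3898\\CRYPTLIST\\C:\\Users\\alice\\Templates\\winword.doc=ac9ef1d9",
    "process|C:\\Windows\\System32\\notepad.exe",
    "file|C:\\Users\\alice\\Documents\\report.docx",
]

# Each rule is a regular expression matched against the event's detail field.
RULES = {
    # vssadmin wiping every shadow copy: the alert's own command line.
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I),
    # Ransom notes dropped into a directory after its files were encrypted.
    "ransom_note_dropped": re.compile(r"\\DECRYPT_INSTRUCTION\.(HTML|TXT|URL)$", re.I),
    # Run value whose name and target executable are both short hex codes.
    "run_key_hex_name": re.compile(r"\\CurrentVersion\\Run\\[0-9a-f]{6,8}=.*\\[0-9a-f]{6,8}\.exe$", re.I),
    # Per-victim key under which the list of encrypted files is recorded.
    "cryptlist_key": re.compile(r"\\Software\\[0-9A-F]{32}\\CRYPTLIST\\", re.I),
}

def classify(event: str) -> List[str]:
    """Return the names of every rule the event's detail field matches."""
    _kind, _, detail = event.partition("|")
    return [name for name, rx in RULES.items() if rx.search(detail)]

def detect(events: Iterable[str]) -> Dict[str, List[str]]:
    """Group matching events by rule name; an empty dict means nothing matched."""
    found: Dict[str, List[str]] = {}
    for event in events:
        for name in classify(event):
            found.setdefault(name, []).append(event)
    return found

def severity(found: Dict[str, List[str]]) -> str:
    """Shadow-copy deletion together with ransom notes is the high-confidence
    pairing the alert describes; any single indicator still merits triage."""
    if "shadow_copy_deletion" in found and "ransom_note_dropped" in found:
        return "high"
    return "medium" if found else "none"
```

On the sample events, detect() reports all four rules and severity() returns "high"; the benign notepad and report.docx lines match nothing.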

DECRYPT_INSTRUCTION.URL contains the following data:

The Trojan runs explorer.exe and causes it to inject code into a new instance of svchost.exe. The new svchost process is responsible for encrypting files on the system and receiving PGP decryption information from the C&C server:

Further encrypted communication was observed over the TOR network:

Once the Trojan is finished with the file encryption process it causes the default browser to display the following pages:

The pages contain details of what happened to the system and indicate that Bitcoin is the only method of payment for restoring the files. The ransom is increased if the funds are not paid before an initial deadline. The combination of Bitcoin and TOR makes it significantly harder for authorities not only to track the operators but also to take down the C&C servers.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Crypwall.H (Trojan)
  • GAV: Cryptodef.GF (Trojan)
  • GAV: Cryptodef.MD (Trojan)
  • GAV: Cryptodef.GK (Trojan)
  • GAV: Filecoder.V (Trojan)
  • GAV: Filecoder.CQ_3 (Trojan)
  • GAV: Filecoder.W_20 (Trojan)
