CryptoWall 3.0: Ransomware returns with I2P Network

The Dell SonicWALL Threats Research team has observed a new CryptoWall variant, detected as GAV: Cryptowall.K and Cryptowall.L, actively spreading in the wild. It is a new variant of the well-known CryptoLocker family of ransomware and uses I2P (Invisible Internet Project) for its C&C communication. I2P is an anonymity network similar to the Tor network.

This is the first CryptoWall variant to use the I2P anonymity network for communication between victims and attackers, keeping that traffic away from security researchers and law enforcement officials.

Infection Cycle:

MD5: 6c3e6143ab699d6b78551d417c0a1a45, 47363b94cee907e2b8926c1be61150c7

The Malware adds the following files to the system:

  • C:\2c428424\2c428424.exe [Executable file]

  • %Appdata%\2c428424.exe [Executable file]

  • %Userdata%\Start Menu\Programs\Startup\2c428424.exe [Executable file]

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\2c42842

    • C:\2c428424\2c428424.exe

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\2c428424

    • C:\Documents and Settings\Administrator\Application Data\2c428424.exe
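
The dropped files and Run-key values listed above are the host-side indicators a responder would sweep for. The following script is an added example (not part of the SonicWALL advisory) that parses an exported HKCU Run key and flags entries matching the drop pattern described here. The two MD5 hashes are the ones quoted in the advisory; the `.reg` export it is run against is constructed, and the assumption that the dropper name is always eight hex characters (the analysed sample used 2c428424) is a generalisation of what the advisory shows, not a documented fact about the family.

```python
import hashlib
import re

# Indicators taken from the advisory above.
KNOWN_MD5 = {
    "6c3e6143ab699d6b78551d417c0a1a45",
    "47363b94cee907e2b8926c1be61150c7",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Assumption: the dropper's file name is eight hex characters (the sample used 2c428424),
# so the check is generalised to any such name rather than hard-coded to one string.
HEX_EXE = re.compile(r"(?:^|\\)([0-9a-f]{8})\.exe$")
PROFILE_DIRS = ("\\application data\\", "\\appdata\\", "\\start menu\\programs\\startup\\")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def check_image_path(value_name: str, image_path: str) -> list[str]:
    """Return the reasons an autostart entry matches the drop pattern above (empty if clean)."""
    path = image_path.lower()
    m = HEX_EXE.search(path)
    if not m:
        return []
    stem = m.group(1)
    reasons = []
    # %AppData%\<hex>.exe and the Startup folder copy
    if any(d in path for d in PROFILE_DIRS):
        reasons.append(f"{stem}.exe launched from a user-profile location")
    # C:\<hex>\<hex>.exe: executable inside a same-named directory at the drive root
    if re.search(rf"^[a-z]:\\{stem}\\{stem}\.exe$", path):
        reasons.append(f"{stem}.exe placed in a same-named directory at the drive root")
    # Both Run values in the advisory are named after the executable (one is truncated)
    if value_name and stem.startswith(value_name.lower()):
        reasons.append("Run value name is a prefix of the executable name")
    return reasons


def parse_run_values(reg_export: str) -> dict[str, str]:
    """Pull name -> command pairs out of the HKCU Run key section of a .reg export."""
    values: dict[str, str] = {}
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = REG_VALUE.match(line)
        if in_run_key and m:
            # .reg files escape each backslash as \\
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_persistence(reg_export: str) -> dict[str, list[str]]:
    """Map each suspicious Run value name to the reasons it was flagged."""
    hits: dict[str, list[str]] = {}
    for name, cmd in parse_run_values(reg_export).items():
        reasons = check_image_path(name, cmd)
        if reasons:
            hits[name] = reasons
    return hits


def is_known_sample(data: bytes) -> bool:
    """True if the MD5 of a file's bytes is one of the hashes listed in the advisory."""
    return hashlib.md5(data).hexdigest() in KNOWN_MD5


# Constructed .reg export (not taken from an infected host) reproducing the two Run values
# listed above plus a benign entry that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"2c42842"="C:\\2c428424\\2c428424.exe"
"2c428424"="C:\\Documents and Settings\\Administrator\\Application Data\\2c428424.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"""

if __name__ == "__main__":
    for name, reasons in find_persistence(SAMPLE_REG_EXPORT).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the export would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, and `is_known_sample` would be fed the bytes of any executable the script flags; the Startup-folder copy is caught by passing its path to `check_image_path` with an empty value name.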

The malware enables SeDebugPrivilege for thread injection, injects into svchost.exe, uses the injected process to set the %Appdata% value in the Windows registry, and shortly afterwards terminates its own process.

It also disables System Restore shortly afterwards.

CryptoWall encrypts the victim's files with the strong RSA-2048 encryption algorithm and holds them until the victim pays a fee to get them back. It demands the equivalent of US$500 in Bitcoin virtual currency in exchange for the decryption key that allows the victim to recover their files.

After the malware has encrypted all personal documents and files, it shows the following web page:

Command and Control (C&C) Traffic

CryptoWall communicates over the I2P anonymity network; requests to I2P domains are made on a regular basis. These requests look like the following:
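Because ordinary hosts have no reason to look up names under the I2P pseudo-TLD, the regular requests described above give defenders a simple network indicator. The script below is an added example, not code from the advisory, that scans resolver-style log lines for `.i2p` names and groups them by client. The log lines are constructed, the field layout "timestamp client query name" is an assumption about the log source, and the `.b32.i2p` check relies on standard I2P naming (a 52-character base32 destination hash), which the advisory itself does not describe.

```python
import re
from collections import defaultdict

# Assumed log layout: "<date> <time> <client-ip> query <queried-name>"
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) query (\S+)$")
# Any name whose final label is i2p (optionally with the trailing dot of an FQDN)
I2P_NAME = re.compile(r"^(?:[a-z0-9-]+\.)+i2p\.?$", re.IGNORECASE)

# Constructed sample lines (not from the advisory). The .i2p names are placeholders.
SAMPLE_LOG = """\
2015-01-13 10:02:11 192.168.1.23 query update.microsoft.com
2015-01-13 10:02:14 192.168.1.23 query placeholder-c2.i2p
2015-01-13 10:02:29 192.168.1.23 query placeholder-c2.i2p.
2015-01-13 10:03:02 192.168.1.40 query www.example.com
2015-01-13 10:03:09 192.168.1.23 query abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrst.b32.i2p
2015-01-13 10:04:00 192.168.1.40 query i2p-docs.example.com
"""


def find_i2p_lookups(log_text: str) -> dict[str, list[str]]:
    """Return {client_ip: [distinct .i2p names looked up, in first-seen order]}."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # tolerate lines from other log sources
        _ts, client, qname = m.groups()
        if I2P_NAME.match(qname):
            name = qname.rstrip(".").lower()
            if name not in hits[client]:
                hits[client].append(name)
    return dict(hits)


def is_b32_destination(name: str) -> bool:
    """True for the address-book-free .b32.i2p form (assumption: 52 base32 chars of a destination hash)."""
    return re.fullmatch(r"[a-z2-7]{52}\.b32\.i2p", name.lower()) is not None


if __name__ == "__main__":
    for client, names in find_i2p_lookups(SAMPLE_LOG).items():
        for name in names:
            kind = "b32 destination" if is_b32_destination(name) else "named host"
            print(f"{client} looked up {name} ({kind})")
```

The b32 distinction matters for triage: a named `.i2p` host needs an address-book entry to resolve inside I2P, whereas a `.b32.i2p` name encodes the destination directly and so is the form an implant can use without any extra lookup.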

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Cryptowall.K (Trojan)

  • GAV: Cryptowall.L (Trojan)

SonicWALL Application Control can prevent I2P tunnels on your network via the following signatures:

  • 5 Encrypted Key Exchange — Random Encryption (Skype,UltraSurf,Emule)
  • 7 Encrypted Key Exchange — UDP Random Encryption(UltraSurf)
  • 10817 I2P — HTTP Proxy Access 1 [Reqs SID 5 & 7]
  • 10817 I2P — HTTP Proxy Access 2 [Reqs SID 5 & 7]
  • 10817 I2P — HTTP Proxy Access 3 [Reqs SID 5 & 7]