
CryptoWall Analysis

Malware Analysis - This article is part of a series.
Part 6: This Article
This is a work in progress.

Executive Summary #

CryptoWall is ransomware that encrypts a victim’s files and demands payment in exchange for the decryption key. It was first identified in 2014 and has since evolved through several versions with new features. This report analyses CryptoWall version 3.0.


Indicators of Compromise (IoCs) #

  • Hash (MD5): 5ca5c62fa5d07674ab707c22d123f2c9
  • Command and Control (C2) Domain: bit56[.]biz

Analysis #


Infection Vector #

CryptoWall is typically spread via spam email campaigns containing a malicious attachment. The attachment is usually a Microsoft Word or PDF document that contains a macro or exploit to download and execute the ransomware payload.


Persistence #

Once executed, CryptoWall creates a registry key at “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” to ensure persistence across reboots.


Encryption #

CryptoWall uses RSA public-key cryptography to encrypt a victim’s files. The encryption key is generated on the attacker’s server and sent to the victim’s machine. The malware then encrypts the victim’s files using the key and appends a unique extension to each encrypted file.


Ransom Note #

After encrypting the victim’s files, CryptoWall drops a ransom note in each directory containing encrypted files. The note instructs the victim on how to pay the ransom and provides a unique identifier for the victim’s decryption key.


Command and Control #

CryptoWall uses a domain generation algorithm (DGA) to produce a list of candidate domains for command and control (C2) communication; version 3.0, however, uses a single hardcoded domain, “bit56.biz”, for C2 communication.
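The two indicators this report lists (the sample MD5 and the defanged C2 domain) are what a defender actually hunts with. The script below is an added example, not part of the original report: it refangs the domain, flags every lookup of the C2 domain or one of its subdomains in a set of constructed DNS log lines, and compares a file’s MD5 with the sample hash. The log format is assumed for illustration.

```python
import hashlib
import re

# IoCs exactly as this report lists them (domain kept defanged in source)
IOC_MD5 = "5ca5c62fa5d07674ab707c22d123f2c9"
IOC_C2_DEFANGED = "bit56[.]biz"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'bit56[.]biz' into a matchable domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def domain_matches(query: str, c2: str) -> bool:
    """True if the queried name is the C2 domain itself or a subdomain of it.
    A trailing dot (FQDN form) is tolerated; 'notbit56.biz' must NOT match."""
    q = query.lower().rstrip(".")
    return q == c2 or q.endswith("." + c2)


# Constructed DNS log lines (not real captures). Assumed format:
# "<timestamp> <client-ip> <queried-name>"
DNS_LOG = """\
2015-03-01T09:12:01Z 10.0.0.15 update.microsoft.com
2015-03-01T09:12:07Z 10.0.0.15 bit56.biz.
2015-03-01T09:12:09Z 10.0.0.22 www.bit56.biz
2015-03-01T09:12:11Z 10.0.0.22 notbit56.biz
2015-03-01T09:13:40Z 10.0.0.31 example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_c2_queries(log_text: str, defanged_c2: str = IOC_C2_DEFANGED) -> list[tuple[str, str]]:
    """Return (timestamp, client) for every lookup of the C2 domain or its subdomains."""
    c2 = refang(defanged_c2)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and domain_matches(m.group(3), c2):
            hits.append((m.group(1), m.group(2)))
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches_sample_hash(data: bytes, ioc_md5: str = IOC_MD5) -> bool:
    """Compare a file's MD5 with the report's sample hash (MD5 used only as an identifier)."""
    return md5_hex(data) == ioc_md5.lower()


if __name__ == "__main__":
    for ts, client in find_c2_queries(DNS_LOG):
        print(f"{ts} {client} resolved the CryptoWall 3.0 C2 domain")
```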


Mitigation and Prevention #

  • Keep your software up-to-date with the latest security patches.
  • Use anti-virus and anti-malware software and keep it up-to-date.
  • Be cautious when opening email attachments, especially from unknown senders.
  • Backup your files regularly to ensure you can recover from a ransomware attack without paying the ransom.
  • Consider using email filters and web filters to block known malicious domains and URLs.

Conclusion #

CryptoWall is a dangerous ransomware that can cause significant damage to an organization’s files and operations. It is typically spread via spam email campaigns and uses RSA public-key cryptography to encrypt a victim’s files. Prevention measures such as keeping software up-to-date and regularly backing up files can help mitigate the risk of a CryptoWall attack.
