CryptoWall updated to 2.0
One of this summer’s most followed ransomware families is CryptoWall. Over time, CryptoWall has seen minor updates and changes, but its core functionality has stayed pretty much the same. Once a machine has been infected, CryptoWall will attempt to encrypt the contents of the victim's hard drive and then demand a ransom payment in exchange for the decryption key required to get the contents back.
The only major break from this was a few months ago when we observed a few CryptoWall samples that were using a custom Tor-component to communicate with their command & control servers. This Tor component was downloaded as an encrypted binary file from compromised websites. It was then decrypted and used to set up a connection to the Tor network through which the C&C server could be reached. Interestingly, we only observed a few of these “Torified” versions of CryptoWall. The majority of the samples we have seen have stuck to the original C&C communication method.
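The Tor component described above was fetched as an encrypted blob from compromised websites, which means a defender watching web traffic sees an opaque, high-entropy download arriving from an otherwise ordinary site. A cheap first-pass triage for proxy or sandbox output is to measure the byte entropy of downloaded bodies and flag those that are near-random but carry no recognisable compressed-container header. The script below is an added example written for this post, not code from the original article or from the malware analysis; the sample bodies are constructed in the script, the container magic-number list is deliberately short, and the 7.5 bits/byte threshold is an assumed starting point that should be tuned against real traffic.

```python
import math
import random
from collections import Counter

# Magic numbers for containers that are legitimately high-entropy because
# they are compressed or already encoded. Constructed list, not exhaustive.
KNOWN_CONTAINERS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_container(data: bytes):
    """Return the container name if the body starts with a known magic number."""
    for magic, name in KNOWN_CONTAINERS.items():
        if data.startswith(magic):
            return name
    return None


def classify_download(data: bytes, threshold: float = 7.5) -> str:
    """Label a downloaded body as 'normal', 'compressed:<fmt>' or 'opaque'.

    'opaque' means near-random bytes with no container header, which is what an
    encrypted payload disguised as an ordinary download looks like on the wire.
    The threshold is an assumed value; tune it against your own traffic.
    """
    container = known_container(data)
    if container:
        return "compressed:" + container
    if shannon_entropy(data) >= threshold:
        return "opaque"
    return "normal"


def _pseudo_random_bytes(seed: int, length: int) -> bytes:
    """Deterministic filler so the example is reproducible offline."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed sample bodies standing in for downloads; none is a real file.
SAMPLE_HTML = (b"<html><head><title>Welcome</title></head>"
               b"<body><p>Hello, world. This is an ordinary page.</p></body></html>") * 20
SAMPLE_ZIP = b"PK\x03\x04" + _pseudo_random_bytes(1, 4096)
SAMPLE_OPAQUE = _pseudo_random_bytes(2, 4096)   # stands in for an encrypted blob


def triage(downloads: dict) -> dict:
    """Map each download name to its label, for an analyst to review."""
    return {name: classify_download(body) for name, body in downloads.items()}


if __name__ == "__main__":
    samples = {"index.html": SAMPLE_HTML,
               "update.zip": SAMPLE_ZIP,
               "component.bin": SAMPLE_OPAQUE}
    for name, label in triage(samples).items():
        print(f"{name:14s} entropy={shannon_entropy(samples[name]):.2f} -> {label}")
```

Entropy alone will also flag legitimate encrypted or compressed content that lacks a header in the short list above, so treat an "opaque" label as a prompt to look at the serving site and the requesting process rather than as a verdict on its own.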
That may now have changed. Just yesterday, the first samples of ransomware calling itself “CryptoWall 2.0” were spotted in the wild.
The CryptoWall 2.0 ransom page
CryptoWall 2.0 appears to use a new packer/obfuscator with an increased number of anti-debugging and anti-static-analysis tricks. Upon reaching the final malicious payload, however, CryptoWall 2.0 is almost identical to the Torified CryptoWall 1.0 samples seen earlier this summer.
On the left, Torified CryptoWall 1.0 and on the right the same function in CryptoWall 2.0
Perhaps it was the efforts of security researchers to shut down CryptoWall C&C servers that were hurting the gang's business. Or maybe they just felt it was time for a change. In any case, the author(s) clearly felt a new C&C communication method was needed. And like professional software developers, the CryptoWall author(s) seem to believe in first testing new versions thoroughly alongside previous versions before completely switching over to the new one. We believe the Torified versions of CryptoWall 1.0 were exactly that: testing. Therefore we expect to see a lot more of CryptoWall 2.0 in the near future.
List of compromised Tor-component download locations:
List of .onion C&C domains:
Hashes for CryptoWall 2.0 samples:
Hashes for Torified CryptoWall 1.0 samples:
Post by Artturi Lehtiö (@lehtior2)