Last month many Internet users were suddenly forced to trade in Bitcoins. This was not for general purposes–they were paying to get their data back. Their systems had been hijacked by ransomware.
Ransomware is a type of malware that infects a machine, locks data files or the entire system, and demands payment to free the information. What’s worse, sometimes the hijackers take the payment and still don’t unlock the data.
Law enforcement recently celebrated a major shutdown of ransomware, but no sooner does one strain of malware suffer a setback than another takes its place. During the past year the ransomware CryptoLocker has been in the news. Just after its operation was taken down we saw a similar variant, called CryptoWall.
Victims are infected by opening phishing email attachments.
CryptoWall uses stealth methods for execution, resolving API names, and random number and crypto key generation algorithms that communicate with the malware’s control servers, which are walled behind the TOR network. The use of TOR and Bitcoin in this operation make tracing the attackers more difficult.
CryptoWall is typically obfuscated and compiled with the latest C++ compiler. The malware uses a technique that is common among malware today. Instead of writing its unpacked binary onto a system, it unpacks itself in memory and later maps onto the original malware process address to execute. The unpacking routine contains lots of fake API calls and obsolete instructions to make it hard to analyze.
On execution the malware injects unpacked code into explorer.exe by using the API calls CreateProcessInternalW, ZwCreateSection, and ZwMapViewOfSection.
The infected explorer.exe further injects malicious code into the common process svchost.exe in Windows. The unpacked malware binary does not contain any API information or import address table; instead it creates one at runtime. To resolve the API names, the malware uses a hash-key technique, in which it passes a hardcoded hash to a function to get the API name from the corresponding DLL.
The malware uses Windows cryptography functions to calculate the MD5 hash of the user’s machine name and processor information using a hashing algorithm; thus the malware can store this hash as a unique identification of the infected machine.
The binary uses the following format to encrypt user information and send it to control server.
The communication between the control server and victim is via RC4 algorithm, to bypass traditional intrusion detection or prevention systems. The malware sends user information in encrypted form and waits for commands from the control server.
CryptoWall is different from other common malware in that it uses the POST parameter as a key to encrypt and decrypt POST data (user information and responses from the control server).
In the preceding image, “/mm5pqllvakv” is the POST parameter and encrypted user data is the “v=5ca…” string outlined in red.
This POST parameter is generated using custom logic with the Mersenne twister algorithm as a random-number generator. Thus each communication is different for same data.
Using the POST parameter and custom algorithm, the malware creates a secret key in the RC4 algorithm for network traffic.
The malware uses RC4 to encrypt the data “{1|cw1500|E283970059F62062A65F957D240764FD|2|1|2|}” with the secret key “5akllmmpqvv.”
After encryption, we see this:
The POST variable name “x=” or “v=” is also chosen randomly from the POST parameter “/mm5pqllvakv.”
On the server side, we find these steps:
- The attacker creates the secret key using the POST parameter.
- Extracts user information from RC4-encrypted data.
- Stores unique MD5 (machine and processor names) data to identify the victim.
- Create a public/private key pair using OpenSSL.
- Encrypts victim’s public key and unique homepage of ransom details with the RC4 algorithm using the secret key.
- Encrypts user files, including docx, ppt, txt, pdf, etc. using the public key.
The communication with the control server looks like this:
Decrypted network traffic:
The secret key is created from the randomly generated POST parameter. The algorithm for creating a secret key is represented below in a simple python program:
Using the preceding algorithm, a secret key can be generated and the network response can be decrypted.
In this case, the POST parameter is “cb1wk21a56w”and the secret key for decryption is “11256abckww.”
Here is the control server response decrypted using the secret key:
After receiving the public key, the malware searches for user data and encrypts it. The data can be decrypted only by its corresponding private key.
To offer that private key, the attacker demands money. The malware displays the following message and instructs the victim to pay. It offers to decrypt one file as proof of its decoding capability.
The victim needs the corresponding private key to decrypt files. The attacker demands US$500 for the private key, with a deadline for this price. After that time, the ransom increases to US$1,000.
Your best protection is to back up your data regularly and avoid phishing emails. McAfee customers are already protected from this threat.
I would especially like to thank my colleague Vikas Taneja for his help in researching this threat.