
Check Point Threat Alert: Cryptowall 4

By Check Point Research Team
Executive Summary
- Ransomware is a type of malware that restricts access to an infected computer system and demands a ransom payment to remove the restriction.
- Some ransomware encrypts the files on the system's hard drive, while other variants simply lock the system and display threatening messages to pressure the user into paying.
- Cryptowall is a ransomware Trojan that targets Windows. It first appeared in early 2014.
- The latest version, Cryptowall 4.0, appeared in November 2015 and is considered highly prevalent.
Description
- Cryptowall 4.0 is the fourth version of this widespread ransomware. It recently emerged with improved encryption tactics and better evasion techniques that allow it to deceive some antivirus platforms.
- Cryptowall 4.0 can exploit many more vulnerabilities than previous versions. It is also better at staying under the radar and avoiding sandbox detection.
- Cryptowall 4.0 uses advanced dropper mechanisms to avoid antivirus detection.
- Compared with the previously successful Cryptowall 3.0, detection rates for Cryptowall 4.0 in certain antivirus and firewall products have dropped significantly.
Check Point Protections
- Check Point Anti-Virus and Anti-Bot blades protect against Cryptowall 4.0.
- These protections include a wide variety of network signatures, C&C URLs and file hashes.
- Check Point protections block Cryptowall's communication with its C&C, preventing it from fetching encryption keys and encrypting the victim's files.
Check Point Observation & Guidance
- Check Point analysis showed that the methods used to communicate with the C&C domains are almost unchanged between Cryptowall 3 and Cryptowall 4, so the same network signatures apply to both versions.
- Check Point continues to monitor and follow up on C&C domains for all versions of Cryptowall.
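The protections and the observation above rest on the same mechanism: known C&C domains and file hashes are matched against traffic and files, and because the C&C communication did not change between versions, one domain rule covers both. The following Python is an added example of that matching logic, not Check Point's code or signatures; every domain, hash, path and log line in it is constructed for illustration and none is a real Cryptowall indicator. It shows the checks a practitioner wants from such a matcher: match on the URL's host rather than by substring (so a blocked domain does not fire on a look-alike that merely contains it), treat subdomains of a blocked domain as blocked, and normalise case, trailing dots and ports before comparing.

```python
"""Indicator matching over constructed proxy logs and file contents.

Added example; not Check Point's code. All indicators, paths and log
lines below are hypothetical and constructed for this illustration.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed C&C domain blocklist (hypothetical, not real indicators).
CNC_DOMAINS = {"updater-cdn.example", "stat-collect.example"}

# Constructed file-hash blocklist: SHA-256 of a made-up "dropper" payload.
MALICIOUS_SHA256 = {hashlib.sha256(b"constructed-dropper-sample").hexdigest()}

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# Line 4 is a look-alike host that a naive substring match would wrongly flag;
# line 5 carries mixed case and a port, which the matcher must normalise.
PROXY_LOGS = """\
2015-11-10T08:01:12Z 10.0.0.15 GET http://www.example.org/index.html 200
2015-11-10T08:01:40Z 10.0.0.15 POST http://updater-cdn.example/gate.php 200
2015-11-10T08:02:03Z 10.0.0.22 POST http://img.stat-collect.example/upload 200
2015-11-10T08:02:30Z 10.0.0.22 GET http://notupdater-cdn.example/ok 200
2015-11-10T08:03:00Z 10.0.0.31 GET http://UPDATER-CDN.EXAMPLE:8080/a 503
""".splitlines()

# Constructed file inventory: path -> file contents (hypothetical).
FILES = {
    "C:\\Users\\victim\\AppData\\Local\\Temp\\a1b2.exe": b"constructed-dropper-sample",
    "C:\\Users\\victim\\Documents\\report.docx": b"benign document contents",
}


def host_matches(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one.

    Comparison is label-aligned, so "notupdater-cdn.example" does not match
    "updater-cdn.example" even though it contains it as a substring.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def match_proxy_logs(lines, blocked=CNC_DOMAINS):
    """Return one hit dict per log line whose URL host is on the blocklist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname  # lowercases and strips any ":port"
        if host and host_matches(host, blocked):
            hits.append({"ts": ts, "client": client, "host": host, "url": url})
    return hits


def match_file_hashes(files, blocked=MALICIOUS_SHA256):
    """Return {path: sha256} for files whose SHA-256 is on the blocklist."""
    hits = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in blocked:
            hits[path] = digest
    return hits


if __name__ == "__main__":
    for hit in match_proxy_logs(PROXY_LOGS):
        print("C&C contact:", hit["ts"], hit["client"], "->", hit["host"])
    for path, digest in match_file_hashes(FILES).items():
        print("known-bad file:", path, digest[:16])
```

On the constructed input the proxy matcher flags three lines (the exact domain, a subdomain of the second blocked domain, and the mixed-case host with a port) and ignores the look-alike host; the hash matcher flags only the constructed dropper. A real deployment would load the blocklists from the vendor feed and run the same normalisation over the proxy's own log format.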
References
- Encrypting ransomware: https://en.wikipedia.org/wiki/Ransomware#Encrypting_ransomware
- Technical description: http://www.theregister.co.uk/2015/11/09/cryptowall_40/