Executive Summary
- Ransomware is a type of malware that restricts access to an infected computer system and demands a ransom payment to remove the restriction.
- Some ransomware encrypt the files on the system’s hard drive, while others may simply lock the system and display threatening messages to force the user to pay.
- Cryptowall is a ransomware Trojan which targets Windows. It first appeared in early 2014.
- The latest version, Cryptowall 4.0, appeared in November 2015 and it is considered a very prevalent ransomware.
Description
- Cryptowall 4.0 is the fourth version of the popular ransomware. It recently emerged with improved encryption tactics and better evasion techniques that help it deceive some antivirus platforms.
- Cryptowall 4.0 can exploit many more vulnerabilities than the previous versions. It is also better at staying under the radar and avoiding sandbox detection.
- Cryptowall 4.0 includes advanced malware dropper mechanisms to avoid antivirus detection.
- Detection rates of Cryptowall 4.0 in certain anti-virus and firewall products have decreased significantly compared to the previously successful Cryptowall 3.0 ransomware.
Check Point Protections
- Check Point Anti-Virus and Anti-Bot blades protect against Cryptowall 4.
- This includes a wide variety of network signatures, C&C URLs and file hashes.
- Check Point protections block Cryptowall’s communication with its C&C, preventing it from fetching encryption keys and encrypting the victim’s files.
Check Point Observation & Guidance
- Check Point analysis showed that almost no changes in the communication methods with the C&C domains occurred between Cryptowall 3 and Cryptowall 4. Therefore the same network signatures apply to both.
- Check Point continues to monitor and follow up on C&C domains for all versions of Cryptowall.
REFERENCES
Encrypting Ransomware: https://en.wikipedia.org/wiki/Ransomware#Encrypting_ransomware
Technical Description: http://www.theregister.co.uk/2015/11/09/cryptowall_40/