At Quick Heal Labs, we have received malicious document files, spread through spam emails, that deliver the CryptoWall ransomware. Read on for more.
What is Ransomware?
Ransomware is a malicious program that either locks the infected system or encrypts its data. Once it has done that, it demands a ransom to release the computer or decrypt the data.
The malicious documents analyzed in our Labs appear to contain macros that download and install the CryptoWall ransomware on the targeted machine as soon as the victim opens one of the documents.
We have observed that the malware is a new variant of CryptoWall 4.0. This version is designed to execute commands that disable Windows protection by stopping and disabling services such as ShareAccess, wscsvc, and wuauserv. The new variant also uses the WMI (Windows Management Instrumentation) framework to execute the downloaded component, which is responsible for encrypting the files on the victim’s computer. This technique could help the malware evade detection even by behavior-based security systems.
Once its component is downloaded onto the victim’s computer, the attacker gains full access to the infected machine and is capable of the following:
- Steal credentials of web browsers and email clients
- Stop and disable Windows Security Services
- Download and install Ransomware using WMI
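As an added defender-side example (not code from the Quick Heal write-up), the PowerShell check below audits the two behaviours described above on a Windows host: it reports the start mode and state of the services the variant tampers with, and lists processes whose parent is WmiPrvSE.exe, which is where processes launched through WMI appear. It assumes the article's "ShareAccess" refers to the standard Windows service named SharedAccess.

```powershell
# Added example, not part of the original article.
# Services the article says this CryptoWall variant stops/disables.
# 'SharedAccess' is assumed to be the service the article calls 'ShareAccess'.
$watched = [ordered]@{
    'wscsvc'       = 'Security Center'
    'wuauserv'     = 'Windows Update'
    'SharedAccess' = 'Internet Connection Sharing (legacy firewall)'
}

Write-Host "== Service start mode / state =="
foreach ($name in $watched.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Host ("[?] {0,-13} not present on this system" -f $name)
        continue
    }
    # A Disabled start mode is the strong indicator; a merely stopped
    # service (e.g. demand-start wuauserv) is only worth a second look.
    $flag = if ($svc.StartMode -eq 'Disabled') { '[!]' }
            elseif ($svc.State -ne 'Running')  { '[~]' }
            else                               { '[ ]' }
    Write-Host ("{0} {1,-13} StartMode={2,-9} State={3,-8} ({4})" -f `
        $flag, $name, $svc.StartMode, $svc.State, $watched[$name])
}

Write-Host "`n== Processes spawned via WMI (parent is WmiPrvSE.exe) =="
# Win32_Process.Create runs the new process under the WMI provider host,
# so any child of WmiPrvSE.exe deserves review on a machine that should
# not be using WMI for software execution.
$wmiHosts = Get-CimInstance -ClassName Win32_Process -Filter "Name='WmiPrvSE.exe'" |
            Select-Object -ExpandProperty ProcessId
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $wmiHosts -contains $_.ParentProcessId } |
    Select-Object ProcessId, Name, CreationDate, CommandLine |
    Format-Table -AutoSize -Wrap
```

Run from an elevated PowerShell prompt so that Win32_Process returns command lines for all users' processes.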
Download the PDF below for our full technical analysis of the malware and its execution flow.
Preventive Measures against Ransomware infections
1. Never download attachments or click on links in unknown, unwanted or unsolicited emails.
2. Don’t click on suspicious or unwanted pop-up ads or alerts while visiting unfamiliar or even familiar websites.
3. Keep your OS, Internet browsers and all other programs in your computer patched and up-to-date. Keep Automatic Updates ON.
4. Take regular backups of all the important files on your computer. We recommend that you perform the backup offline, not while connected to the Internet. Doing this will ensure that you do not have to give in to the ransomware’s demands.
5. Install security software on your PC that efficiently blocks spam and malicious emails and automatically restricts access to malicious websites. Quick Heal Antivirus has an inbuilt anti-ransomware defense that detects and stops ransomware that encrypts data. It analyzes programs based on their behavior and activities, which helps Quick Heal detect malware such as ransomware in real time and prevent potential infections. This anti-ransomware feature remains active on the system even if the antivirus software itself is turned off for some reason.
We will keep our readers posted if any new developments are seen in the case of this new variant of CryptoWall. Stay safe!
Subject Matter Experts:
– Sudhanshu Dubey
– Sandip Kirar
Quick Heal Threat Research & Response Team