New version of CryptoWall uses WMI

At Quick Heal Labs, we have received certain malicious document files which use spam emails to spread the CryptoWall Ransomware. Read on for more.

What is a Ransomware?
A ransomware is a malicious program that either locks the infected system or encrypts its data. Once it has done that, it asks for a ransom to let go off the computer or decrypt the data.

Analysis
The malicious documents analyzed in our Labs seem to contain macros that download and install the CryptoWall Ransomware on the targeted machine as soon as the victim opens any of the documents.

We have observed that the malware is a new variant of CryptoWall 4.0. This version is designed to execute commands that can disable Windows Protection by stopping and disabling services such as ShareAccess, wscsvc, and wuauserv. Also, the new variant uses the WMI (Windows Management Instrumentation) framework to execute the downloaded component, which is responsible for encrypting the files on the victim’s computer. And this technique could help the malware bypass detection even by Behavior-based security systems.

 Activities of CryptoWall
Once its component is downloaded into the victim’s computer, the attacker can gain full access to the infected machine and is capable of performing the following:

  • Steal credentials of web browsers and email clients
  • Stop and disable Windows Security Services
  • Download and install Ransomware using WMI

Download the below PDF to know more about our technical analysis of the malware and its execution flow.

CrytoWall 4.1_PDF

Preventive Measures against Ransomware infections

1. Never download attachments or click on links in unknown, unwanted or unsolicited emails.

2. Don’t click on suspicious or unwanted pop-up ads or alerts while visiting unfamiliar or even familiar websites.

3. Keep your OS, Internet browsers and all other programs in your computer patched and up-to-date. Keep Automatic Updates ON.

4. Take regular backups of all the important files you have on your computer. We recommend you to begin the backup procedure offline and not when you are connected to the Internet. Doing this will ensure that you do not have to give in to the ransomware’s demands.

5. Have a security software installed in your PC that efficiently blocks spam and malicious emails, and automatically restricts access to malicious websites. Quick Heal Antivirus has an inbuilt anti-ransomware defense that detects and stops ransomware that encrypt data. It analyzes programs based on their behavior and the activities. This helps Quick Heal detect malware like ransomware in real-time and prevent potential infections. This anti-ransomware feature remains active in the system even if the antivirus software itself is turned off for some reason.

We will keep our readers posted if any new developments are seen in the case of this new variant of CryptoWall. Stay safe!

Acknowledgment

Subject Matter Experts:

– Sudhanshu Dubey
– Sandip Kirar
Quick Heal Threat Research & Response Team

 

Rajiv Singha

Rajiv Singha


2 Comments

Your email address will not be published.

CAPTCHA Image

  1. Avatar amrut parakhMarch 4, 2016 at 11:50 PM

    want a patch to remove malware and virus. we have licence copy of total security but unable to remove. message shown

    NOT YOUR LANGUAGE? USE https://translate.google.com

    What happened to your files ?
    All of your files were protected by a strong encryption with AES
    More information about the encryption keys using AES can be found here: https://en.wikipedia.org/wiki/AES

    How did this happen ?
    !!! Specially for your PC was generated personal AES KEY, both public and private.
    !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
    !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

    pls solve or mail us patch.

    Reply