CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.
At one time, CryptoWall was a second-rate successor to CryptoLocker, which largely disappeared after law enforcement shut down the Gameover Zeus botnet that was used to distribute it.
Ransomware has been around for more than a decade, but cybercriminals have resurrected the scam over the last couple of years with surprising success. Files on infected computers are encrypted, and victims are told to pay a ransom, usually in the virtual currency Bitcoin, to get them unlocked.
Dell SecureWorks estimated in August 2014 that CryptoWall had infected 600,000 computers in the previous six months, netting as much as $1 million in ransoms. The fee demanded ranges from $100 to $500.
CryptoWall uses strong public-key cryptography to scramble files with certain extensions. Aside from paying the ransom, the only way to recover is to restore files from a backup, although CryptoWall also searches for any backup files it can reach and encrypts them as well. Only backups the infected machine cannot reach, such as offline or disconnected copies, are out of its range.
Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.
"It keeps evolving," said Earl Carter, a researcher with Cisco Talos, in a phone interview Thursday. Cybercriminals "seem to be continually morphing things, trying to make it more effective."
It is coded to run on both 32-bit and 64-bit systems, which increases its chances of running on whatever computer it infects, Carter said. Newer versions of Windows, like those of Mac OS X, are 64-bit operating systems, although CryptoWall itself is a Windows program.
The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit for a Microsoft privilege escalation vulnerability, CVE-2013-3660, which it uses to gain greater control over the computer, Carter said. That flaw is in the Windows kernel and was patched by Microsoft in July 2013, so the escalation step only succeeds on machines that have not applied the update.
When the attachment is opened, CryptoWall does not decrypt its whole binary at once. It decrypts only a small first stage, which then checks whether it is running in a virtual environment, Carter said.
If it detects a virtual machine, CryptoWall stops and does not decrypt the rest of itself. Suspicious files are often analyzed in sandboxes that run inside virtual machines, so a sample that stays dormant there looks harmless.
"They don't want people to easily look at this in a sandbox," Carter said.
One possible defense against CryptoWall is to plant fake entries on a real machine, in the file system for example, that make it look like a virtual machine is running. Carter said that trick might work but is probably not a way to prevent such infections over the long term. The malware's authors can, after all, change which indicators they look for.
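To make the evasion and the counter concrete, here is an added illustration; it is not code from the article or from Cisco Talos, and the article does not say which indicators CryptoWall 2.0 actually checks. The artifacts used below (hypervisor MAC address prefixes, guest-tools drivers and registry keys) are common, publicly documented VM indicators and stand in for whatever the real loader looks at. The model decides, as the staged loader does, whether to keep unpacking, and then shows how planting decoy artifacts on a physical machine flips that decision.

```python
"""
Added example: a generic virtual-machine check of the kind a staged loader runs
before decrypting the rest of itself, plus the decoy-planting counter mentioned
in the article. The indicator lists are an assumption about typical checks,
not CryptoWall's own logic, which the article does not describe.
"""
from dataclasses import dataclass, field

# IEEE OUI prefixes registered to common hypervisor vendors (well-known values).
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

# Guest-tools drivers and registry keys that normally exist only inside a guest.
VM_FILES = {
    r"C:\Windows\System32\drivers\vmmouse.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\VBoxGuest.sys",
}
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
}


@dataclass
class HostSnapshot:
    """What a loader can cheaply observe about the machine it runs on (constructed data)."""
    mac_addresses: set = field(default_factory=set)
    files: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)


def vm_indicators(host: HostSnapshot) -> list[str]:
    """Return every VM artifact visible in the snapshot; empty means 'looks physical'."""
    found = []
    for mac in sorted(host.mac_addresses):
        prefix = mac.lower()[:8]          # first three octets, e.g. "08:00:27"
        if prefix in VM_MAC_PREFIXES:
            found.append(f"mac {mac} ({VM_MAC_PREFIXES[prefix]})")
    found += [f"file {p}" for p in sorted(host.files & VM_FILES)]
    found += [f"registry {k}" for k in sorted(host.registry_keys & VM_REGISTRY_KEYS)]
    return found


def loader_would_unpack(host: HostSnapshot) -> bool:
    """Model of the first stage's decision: continue decrypting the payload only
    when no VM artifact is visible, otherwise stay dormant."""
    return not vm_indicators(host)


def plant_decoys(host: HostSnapshot) -> HostSnapshot:
    """The defensive counter from the article: add fake guest-tools artifacts to a
    real host so the loader's check fires. Returns a new snapshot; on a live
    system these would be file and registry writes."""
    return HostSnapshot(
        mac_addresses=set(host.mac_addresses),
        files=host.files | {r"C:\Windows\System32\drivers\vmmouse.sys"},
        registry_keys=host.registry_keys | {r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    )


# Constructed sample hosts: an ordinary laptop and a VirtualBox-based sandbox.
PHYSICAL_HOST = HostSnapshot(
    mac_addresses={"3c:22:fb:12:34:56"},
    files={r"C:\Windows\System32\drivers\i8042prt.sys"},
    registry_keys={r"HKLM\SOFTWARE\Microsoft\Windows"},
)
SANDBOX_VM = HostSnapshot(
    mac_addresses={"08:00:27:ab:cd:ef"},
    files={r"C:\Windows\System32\drivers\VBoxGuest.sys"},
    registry_keys=set(),
)

if __name__ == "__main__":
    cases = [("physical", PHYSICAL_HOST), ("sandbox", SANDBOX_VM),
             ("physical+decoys", plant_decoys(PHYSICAL_HOST))]
    for name, host in cases:
        verdict = "unpacks" if loader_would_unpack(host) else "stays dormant"
        print(f"{name:16s} -> {verdict}: {vm_indicators(host)}")
```

Running it shows the physical host unpacking, the sandbox staying dormant, and the physical host with decoys also staying dormant, which is the whole point of the trick. It also shows its weakness: the decoys work only as long as the malware checks the indicators the defender chose to fake, and some legitimate software reacts to the same artifacts, so this is a stopgap rather than a substitute for patching and backups.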
If CryptoWall decides it is safe to run after checking for a virtual machine, it continues to decrypt itself. It then communicates with its command-and-control servers over the Tor network. Tor routes Internet traffic through a worldwide network of volunteer relays, hiding where the servers are and making the traffic harder to trace. For defenders, a workstation that suddenly starts connecting to the Tor network is itself a useful warning sign.