Cryptowall 3.0: an evolution twist

Kaspersky Lab’s regular reports on threat dynamics and trends are called “IT Threat Evolution” not just for the sake of a catchy phrase. IT threats really do develop in line with the laws of evolution, i.e. “natural selection”.

Last week we published a couple of posts about spam and the dangers it poses. In this post we single out one specific threat that arrives with (and out of) the avalanches of spam. Subject: Cryptowall 3.0.

“Crypto”-something again: this kind of threat isn’t going anywhere any time soon, for one simple reason: ransomware works. That is also why it, and its distribution models, keep evolving.


As noted above, IT threats develop by what amounts to natural selection, even though there is plenty of “intelligent design” behind all the malicious stuff that security vendors and users have to deal with.

There is just one basic law behind evolution itself: the fittest survive. Environmental conditions may change at any moment; whatever is capable of adapting stays, and the rest fades away.

However, “fittest” does not mean “the very best”, and it certainly does not mean “the most complex”. Certain lifeforms have had entire organs reduced or dropped altogether, because they are better, fitter, without them.

Something similar happens to cyberthreats, even though they do not evolve on their own: there is always a human intelligence behind them.

The aforementioned Cryptowall 3.0, which has been around for quite some time, has recently been found stripped of certain functions present in its previous versions. According to a Threatpost article from early June, it no longer carries any built-in exploits. Curiously, it has also dropped its “virtualization check”, the routine malware uses to detect sandboxes and analysis VMs. The ability to switch between 32- and 64-bit operation also appears to be gone. The authors of the original report, Cisco’s Talos team, said that, much to their surprise, they found dead code and “useless” API calls in the sample they captured.

Otherwise it’s still as bad as it gets

In other respects, Cryptowall 3.0 is a thoroughly dangerous offshoot of the “crypto” ransomware family, as insidious and nefarious as the rest of them.

It communicates over an anonymity network, in this case I2P, to keep the traffic between infected computers and the command-and-control servers hidden. Brute-forcing the decryption isn’t an option either, just as it hasn’t been with other *lockers for quite some time: the keys are far too long.

And the answer to the obvious question, why Cryptowall has dropped its exploits, is simple: it relies on the major exploit kits of the day, such as Angler.

“Kits such as Angler, Nuclear, and most recently Hanjuan, have been busy incorporating Flash exploits dropping a mix of click-fraud malware and ransomware with great success and greater profits,” Threatpost said. It also quotes Cisco as saying: “The lack of any exploits in the dropper seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit’s functionality could be used to gain privilege escalation on the system”. Without such privilege escalation the attack would most likely be beaten off: elevated rights are what the malware needs to turn off security features on the targeted system.

Looks like a specialization of labor, does it not? Some build a criminal distribution platform for delivering malware and exploits; others focus on developing ever more sophisticated malware, simply leasing the distribution facilities to spread their creations. A mutually beneficial business…


That is what most current cyberthreats are about: money. With ransomware, criminals have truly struck the right note. People are often willing to do anything to regain access to their cherished files, and knowing that those files are not destroyed, merely encrypted, pushes many of the victims into making life sweet and profitable for the criminals.

It does not have to be that way. In fact, the only certain way not to become a victim of ransomware is to keep proper “cold” backups of every important file: copies stored offline, where malware running on an infected machine cannot reach them. The current generation of ransomware criminals use encrypted communications and have thereby done almost everything possible to prevent their discovery and identification. As noted above, decrypting the files without the key is in most cases impossible, although the criminals do occasionally make implementation errors.
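A cold backup only helps if the copy it holds is still a good one. The following script is an added example, not code from the Kaspersky post or from any vendor tool: it records a hash manifest of a file set at backup time and, on the next run, flags changed files whose content now looks like random data, so that files quietly encrypted on the source machine are noticed before they overwrite the last good copy. File names, the entropy threshold and the sample documents are all constructed for illustration.

```python
# Added example, not code from the Kaspersky post: integrity check for a cold
# backup set. Names, thresholds and sample data are constructed for illustration.
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Hash and size of every file under root; store this alongside the cold backup."""
    return {
        str(p.relative_to(root)): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_against_manifest(root: Path, manifest: dict,
                           entropy_threshold: float = 7.5,
                           max_suspicious_fraction: float = 0.1) -> dict:
    """Compare the live tree with the manifest taken at the last backup.

    A changed file whose first 64 KiB now looks like random data is treated as
    suspicious (probably encrypted). If too many files are suspicious or missing
    at once, the caller should refuse to let this run overwrite the old backup.
    Caveat: already-compressed or encrypted formats (zip, jpg, pgp) are also
    high-entropy, so in practice exclude them or judge per file type.
    """
    changed, suspicious, missing = [], [], []
    for rel, meta in manifest.items():
        path = root / rel
        if not path.is_file():
            missing.append(rel)
            continue
        if sha256_file(path) == meta["sha256"]:
            continue
        changed.append(rel)
        with path.open("rb") as fh:
            head = fh.read(65536)
        if shannon_entropy(head) > entropy_threshold:
            suspicious.append(rel)
    total = max(len(manifest), 1)
    refuse = (len(suspicious) / total > max_suspicious_fraction
              or len(missing) / total > max_suspicious_fraction)
    return {"changed": changed, "suspicious": suspicious,
            "missing": missing, "refuse_overwrite": refuse}


def demo() -> dict:
    """Constructed scenario: five documents; two get 'encrypted', one is edited normally."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(5):
            (root / f"report{i}.txt").write_text(
                f"Quarterly report {i}: revenue up, costs flat.\n" * 50)
        manifest = build_manifest(root)  # taken at backup time
        before = check_against_manifest(root, manifest)

        # Simulated ransomware: random bytes stand in for ciphertext (constructed).
        for i in (1, 3):
            (root / f"report{i}.txt").write_bytes(os.urandom(8192))
        # A legitimate edit of a third file: changed, but not high-entropy.
        with (root / "report4.txt").open("a") as fh:
            fh.write("Addendum: figures revised.\n")

        after = check_against_manifest(root, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("clean run, refuse overwrite:", result["before"]["refuse_overwrite"])
    print("after tampering, suspicious:", result["after"]["suspicious"])
    print("after tampering, refuse overwrite:", result["after"]["refuse_overwrite"])
```

The manifest must live with the offline copy, not on the machine being backed up, or the ransomware can simply rewrite it. The entropy heuristic is deliberately crude; its job is to make a mass encryption event obvious before the backup job runs, not to classify individual files with certainty.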

At the same time, the initial infection vector is the most vulnerable part of their “operation”. You can reduce the risk by preventing exploits from working, using the proper technical tools, and by keeping popular, frequently exploited software patched. It is also imperative to educate your employees about phishing and other threats. All of this serves one goal: not letting the ransomware, whatever its name, into your infrastructure.

Those exploit kits may be thick with new and barely known (or even 0-day) exploits, but there is nothing unpreventable about them if the approach is right.