<p><strong>Cryptowall 3.0: an evolution twist</strong></p>
<p>Kaspersky Daily (business blog), 1 July 2015. Source: <a href="https://www.kaspersky.com/blog/cryptowall-3-0-an-evolution-twist/4137/" target="_blank" rel="noopener nofollow">https://www.kaspersky.com/blog/cryptowall-3-0-an-evolution-twist/4137/</a></p>
<p>Last week, we published a couple of posts regarding spam and the dangers it can pose. In this post we’re going to single out one specific threat that comes with (and out of) avalanches of spam. Subject: Cryptowall 3.0.</p>
<p>“Crypto”-something again: this kind of threat isn’t going anywhere any time soon, for one reason: ransomware works. That is also the reason it – and its distribution models – keeps evolving.</p>
<p><strong>Evil-ution</strong></p>
<p>Kaspersky Lab’s regular reports on threat dynamics and trends are called “IT Threat Evolution” not just for the catchy word’s sake. IT threats improve in accordance with the laws of evolution, i.e. “natural selection”, even though there is a good deal of “intelligent design” behind all the malicious stuff that security vendors and users have to deal with.</p>
<p>There’s just one basic law behind evolution itself: the fittest survives. At any moment environmental conditions may change; what is capable of adapting stays, and the rest fades away.</p>
<p>However, “fittest” doesn’t mean “the very best”, and it certainly does not mean “the most complex.” Certain lifeforms have had entire organs reduced or even completely “dropped”, because they are better – fitter – without them.</p>
<p>Something similar happens to cyberthreats, even though they don’t evolve on their own: there is always human intelligence behind them.</p>
<p>The aforementioned Cryptowall 3.0, which has been around for quite some time, has recently been found stripped of certain functions present in its previous versions. According to Threatpost’s publication from early June, <a href="https://threatpost.com/cryptowall-3-0-slims-down-removes-exploits-from-dropper/110923" target="_blank" rel="noopener nofollow">it no longer has any built-in exploits</a>. Curiously, it has also dropped its “virtualization check” function, and the ability to switch between 32- and 64-bit operation also seems to be lost. The authors of the initial report – Cisco’s Talos team – said they found dead code and “useless” API calls in the sample they snared, much to their surprise.</p>
<p><strong>Otherwise it’s still as bad as it gets</strong></p>
<p>In other regards, Cryptowall 3.0 is a decidedly dangerous offshoot of the “cryptos” ransomware family, as insidious and nefarious as the rest of them.</p>
<p>It communicates over anonymity networks – in this case the I2P network – to keep the communication between infected computers and its command and control servers secret. Brute-force decryption isn’t an option either – as it hasn’t been with other *lockers for quite some time: the keys are too long.</p>
<p>And the answer to the logical question “why has Cryptowall dropped its exploits?” is simple: it relies on today’s major exploit kits, <a href="https://threatpost.com/angler-exploit-kit-exploiting-new-adobe-vulnerability-dropping-cryptowall-3-0/113044" target="_blank" rel="noopener nofollow">such as Angler</a>.</p>
<p>“Kits such as Angler, Nuclear, and most recently Hanjuan, have been busy incorporating Flash exploits dropping a mix of click-fraud malware and ransomware with great success and greater profits,” Threatpost said. It also quotes Cisco as saying: “The lack of any exploits in the dropper seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit’s functionality could be used to gain privilege escalation on the system”. Without such privilege-escalation attacks the ransomware would most likely be beaten off – they are needed to turn off security features in the targeted system.</p>
<p>Looks like a specialization of labor, does it not? Some built a crimenet distribution platform for malware and exploit delivery; others focused on developing even more sophisticated malware species, simply leasing the distribution facilities to spread their creations. A mutually beneficial business…</p>
<p><strong>#BadGuysWantYourMoney</strong></p>
<p>That’s what most current cyberthreats are about – money. With ransomware, criminals have truly struck the right note: people are often willing to do anything to recover lost access to their much-cherished files, and knowing that the files are not destroyed forces many of the cryptos’ victims into making life for the criminals sweet and profitable.</p>
<p>It is not necessary. In fact, the only certain way not to become a victim of ransomware is to have proper “cold” backups of every important file. The current generation of ransomware criminals use encrypted communications, and by doing so they have done almost everything possible to prevent their discovery and identification. As said earlier, in most cases decryption is impossible, even though errors do occur.</p>
<p>But at the same time, the initial infection vector is the most vulnerable part of their “operations”. You can decrease the risk by preventing exploits from working, using the <a href="https://business.kaspersky.com/case-6-automatic-exploit-prevention-against-targeted-attacks/1338" target="_blank" rel="noopener nofollow">proper technical tools</a>, and by <a href="https://business.kaspersky.com/java-vulnerabilities-keep-breeding/1259" target="_blank" rel="noopener nofollow">keeping popular vulnerable software in check</a>. It is also imperative to educate your employees about phishing and other threats – all of this so as not to allow ransomware, whatever its name, into your infrastructure.</p>
<p>Those aforementioned exploit kits may be thick with new and barely known (or even 0-day) exploits, but there is nothing unpreventable there, if the approach is right.</p>