Industry Trends

Threat Intelligence Sharing At Work: Cyber Threat Alliance Tracks CryptoWall Version 3

By Derek Manky | October 28, 2015
CryptoWall and its variants are among the best-known types of ransomware, malware that encrypts files on end user hard drives and then prompts for payment of a ransom to decrypt the files. In many cases, if users don’t have recent backups, their only option to recover these files is to pay the ransom. 
CryptoWall Version 3 (CW3) is the most recent major variant that uses sophisticated backend technical and financial infrastructure to extort payments from users, all while employing a variety of measures to slow detection and prevent tracking of attackers. The security community first discovered CryptoWall in June 2014. Since then, a number of variations of CryptoWall have surfaced. The third variant (version 3) began infecting machines in January 2015. 
The Cyber Threat Alliance (CTA) released a detailed analysis of CW3 today, the first shared analysis for the group. This represents a major milestone for the CTA, a group founded by four leading security firms: Fortinet, Intel Security, Palo Alto Networks, and Symantec.  In its aim to raise awareness about advanced cyber threats, actors, their motivations, and tactics, the CTA has also been able to take the massive amounts of data on cyber threats that members routinely collect and really focus on targeted attacks like CW3.

All of the data, samples, and information contained in the full report were sourced by and shared amongst the founding members of the Alliance in the spirit of cooperative research and with a common, targeted goal in sight: To provide an in-depth multifaceted look at one of the most lucrative and broad reaching crimeware campaigns affecting all of our customers around the world.
The end result? The CTA identified almost 50 indicators of compromise (IOCs) that can be used to prevent infection with CW3, all of which will be made available to the open source community so that everyone can benefit from the recommended mitigation actions.
The CTA’s cooperative research uncovered everything from major campaigns to command and control infrastructure. The following graphical representation demonstrates the full anatomy of a CryptoWall Version 3 attack lifecycle.
Figure 1 Anatomy of a CW3 attack
In addition, the CTA collectively identified and tracked
• 4,046 malware samples
• 839 command and control URLs
• 5 second-tier IP addresses used for command and control
• 49 campaign code identifiers
• 406,887 attempted infections of CryptoWall version 3
• An estimated $325 million (USD) in damages, spanning hundreds of thousands of victims around the globe.
The CTA identified two primary distribution channels for CW3: phishing emails and exploit kits. Of roughly 70,000 observed instances of CW3, roughly two-thirds of these have been via phishing emails. However, in April 2015, attackers began relying more heavily on exploit kits for distribution and propagation of CW3. While the volume of phishing emails was high, 42 of the 49 total CW3 campaigns that the CTA identified ultimately used were exploit kits, likely owing to their flexibility and power. The Angler exploit kit, the number one crime-kit to distribute CW3, can actually inject its payload directly into the memory of infected machines and handily exploits a variety of vulnerabilities, especially in Flash.
CW3 was interesting as well in a number of techniques it used to insulate itself from remediation and detection. Shadow copies are a technology included with Microsoft Windows that allows a user to take backup copies of the machine. By deleting these backups, the malware authors prevent users from restoring to a known good configuration. This code will not only delete shadow copies on the victim machine, but also disable Startup Repair from running. 
CW3 also disables key security, updating, backup, and error reporting functionality in Windows:
Service Name Description
wscsvc  Security Center Service
WinDefend  Windows Defender Service
wuauserv  Windows Update Service
BITS  Background Intelligent Transfer Service
ERSvc  Error Reporting Service
WerSvc  Windows Error Reporting Service
CW3 also intelligently identifies key files to encrypt that will be of value to the user but will not affect the function of the operating system itself by comparing file names to extensive blacklists of file extensions, ensuring that affected users can still have the ransom messages delivered to them via a unique, dynamically generated TOR URL.
Notably, CW3 also makes use of blacklists to keep the malware from being activated in a number of countries primarily in Eastern Europe, providing some evidence that the attackers may be operating out of this region. 
Once CW3 has encrypted all identified files and checked in with command and control servers via encrypted communications, users are presented with a personalized ransom page that provides instructions on how to process a payment via Bitcoin as well as a countdown timer until the ransom is raised in price. 
The CTA correlated campaign identifiers with IP addresses, URLs, and Bitcoin wallets, to discover important infrastructure relationships. The high level of overlap of infrastructure seen in the following diagram is often seen in both legitimate and nefarious affiliate programs, allowing a set group or individual to control the infrastructure used by a particular malware family. This group often will provide malware samples to their customers, who are in turn responsible for the distribution of said malware samples. The customers will receive a percentage of the profits for every successful infection. 
CW3 uses compromised WordPress websites to proxy requests to a secondary IP address.  CTA found a total of 839 unique first-tier command and control (C2) instances have been found over the 4,046 analyzed samples. All of this, in addition to a sophisticated scheme of Bitcoin disbursements, makes the actors involved very difficult to track
This group, though, has been immensely successful in receiving money from victims that have had their machines infected by CW3.  Through careful examination of the backend financial network, CTA discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity. 
One variant alone involved with the ‘crypt100’ campaign identifier resulted in over 15,000 victims across the globe. These 15,000 victims alone would account for, at minimum, roughly $5 million in profit for the CW3 group.
CW3 is a complex family of malware that is backed by a very robust backend infrastructure that the CTA has tracked and detailed through its cooperative efforts. Companies may use any data included, as well as scripts and files provided on the Cyber Threat Alliance GitHub repository, which was created in order to generate protections against this threat. Additionally, a live tracker website has been created to provide the latest CW3 samples and C2 URLs to the general public. Security professionals are encouraged to explore the full report and repository to gain a better understanding of this ongoing and evolving family of threats.