Threat Research

New CryptoWall Variant In The Wild

By Peixue Li | December 18, 2015

UPDATE: Upon further analysis, we discovered that the malware described in this report is actually a variant of TeslaCrypt, not CryptoWall. We initially identified the malware as CryptoWall because "CryptoWall decrypter" is mentioned as the decryption tool for files encrypted by the ransomware in the payment web page.

However, we found that the version of the ransomware under investigation is 2.2. However, the latest CryptoWall version is 4.0, which was first detected in November.  TeslaCrypt has been disguised as CryptoWall since version 2.0. We are continuing to investigate the encryption algorithms to verify the identity of the ransomware but all evidence points to this being a TeslaCrypt variant. A code snippet showing the version number is linked here.

The signatures used in FortiGuard detection are independent of the etymology of the malware, so all protections that we implemented were valid and remain correct.

Thanks to multiple researchers who pointed out the error via Twitter even as we were digging further into the details ourselves.

CryptoWall, one of the most notorious and successful families of ransomware, continues to rear its head in various campaigns. The CyberThreat Alliance recently released a detailed report on CryptoWall Version 3, exploring how the ransomware has cost businesses and consumers hundreds of millions of dollars. Now a new variant has been spotted in the wild, this time targeting users via a phishing campaign that purports to be an invoice from a major office supplies retailer. In this post, we explore the anatomy and behavior of the new malware in a controlled setting.
 
On December 16, we received an email message that claimed to be an official and urgent notice about an unpaid invoice. While FortiGuard detection identified the message as spam, it also contained an MS Word attachment named “invoice_16431483_copy.doc” whose MD5 hash is 12e7137ef8344150a39dd730b29347b2. Figure 1 is a screen shot of the email message.
Figure 1. The SPAM Message
 
As you can see, it looks like a legitimate urgent notice about an unpaid invoice. But looking more closely at the sender address and language in the email, we realized it could be a phishing email. So we decided to look into the attached Word file. After quickly analyzing its structure, we identified the following VBScript code inside it (linked here for space and readability).

From the above VBScript code, we can see the string "http://iamthewinnerhere.com/80.exe". The code downloads an executable file from http://iamthewinnerhere.com/. The code also uses obvious evasion techniques like "Ms" + "xml2." + Mid("backhandedXMLHTTPnational", 11, 7) + Right("ceremoniousness", 0) to bypass the detection of dangerous function call. So it’s obvious that the Word file is malware. Please note that this Word file can be detected by FortiGuard as the virus name “WM/Agent!tr”.

When we open the file with Microsoft Word, as we expect, an executable file is downloaded and its MD5 hash is 410c3be0023dfa5578b94d52c16bdb79. This file can be detected by FortiGuard as the virus name “W32/Kryptik.EIQU!tr”. Continuing our analysis of the executable file’s behavior, we find that, upon execution, 190 file types on the computer are encrypted. The following is part of the log file that records what the executable file does. The original file “dbrecio.py” is encrypted with the extension “.vvv”.

Modifed    171E    C:\Python27\Lib\bsddb\dbrecio.py    
Renamed        C:\Python27\Lib\bsddb\dbrecio.py    
Modifed    171E +    C:\Python27\Lib\bsddb\dbrecio.py.vvv
    

The following code snippet shows that the malware encrypts files with the extension “.vvv”.  

...
.text:00413FEA  push    0FFFFFFFFh      ; MaxCount
.text:00413FEC  push    edi             ; Src
.text:00413FED  lea     edx, [ebp+NewFileName]
.text:00413FF3  push    1000h           ; SizeInWords
.text:00413FF8  push    edx             ; Dst
.text:00413FF9  call    _wcsncpy_s      ; original file name e.g. "aa.txt"
.text:00413FFE  push    0FFFFFFFFh      ; MaxCount
.text:00414000  push    offset a_vvv    ; ".vvv"
.text:00414005  lea     eax, [ebp+NewFileName]
.text:0041400B  push    1000h           ; SizeInWords
.text:00414010  push    eax             ; Dst
.text:00414011  call    _wcsncat_s      ; new encrypted file name e.g. "aa.txt.vvv"
.text:00414016  add     esp, 20h

... 

In each folder on the computer, another 3 files (HTML, TXT and BMP files, respectively) are also created. The following is the snippet of code that extracts and creates these 3 files (linked here for space and readability).

Figure 2 is the screen shot of the HTML file created by the malware. It tells the victims what happened and how to restore the original files. The files on victims’ computers are encrypted with the strong encryption algorithm RSA-4096. If the victims can’t get the private key, they have no way to decrypt the files. However, the private key is in the hands of the attackers. As we can see from the web page, the victims must follow the given instructions to obtain the key. 

The attackers provide specific links for victims to visit and suggest using the Tor browser to visit these links. As we know, the Tor browser uses the Tor network to communicate and can be used to hide the location and identity of users. The attackers are also using the Tor network in order to conceal their activities and, using that method, also generate a personal identification number (ID) to correlate with the generated private-key on their servers.

Figure 2. Statement for Ransom

If we then follow the instructions given by the attackers, the Tor link opens the following page in the Tor browser. A captcha is required to continue.

Figure 3. The 1st Web Page for “Decrypt Service”

After the captcha is entered, the following web page is loaded.

Figure 4. The 2nd Web Page for “Decrypt Service”

As we can see from this web page, the attackers ask 500 USD for the private key if the victims pay it before 12/24/2015. After that, the victims must pay 1,000 USD to get the private key. BitCoins are used to make the payment. They also mention that CryptoWall Decrypter is used to decrypt the encrypted files. So this ransomware should be a variant of CryptoWall.

By monitoring the network activities of the ransomware and using reverse engineering techniques (since these were encrypted in the original downloaded executable), we can see it connects to several IP addresses and domains, which we have excluded at this point until we can contact the domain owners about potential compromise.

The following is one of its HTTP requests and responses we captured. As you can see, some information gathered from the infected computer is submitted to the server graphicstreeme.com. The server acknowledges it.

Figure 5. Sample of Ransomware Communication

We will continue to monitor the distribution and behavior of this malware and share updates on our findings, as well as ensure that Fortinet products are actively protecting against this new CryptoWall variant.

Special thanks to our researchers Xiaopeng Zhang and Chris Navarrete who analyzed this ransomware.

Appendix

The following 190 file types are hard coded into the malware for encryption: (linked here for space and readability)