UPDATE: Upon further analysis, we discovered that the malware described in this report is actually a variant of TeslaCrypt, not CryptoWall. We initially identified the malware as CryptoWall because "CryptoWall decrypter" is mentioned as the decryption tool for files encrypted by the ransomware in the payment web page.
However, we found that the version of the ransomware under investigation is 2.2. However, the latest CryptoWall version is 4.0, which was first detected in November. TeslaCrypt has been disguised as CryptoWall since version 2.0. We are continuing to investigate the encryption algorithms to verify the identity of the ransomware but all evidence points to this being a TeslaCrypt variant. A code snippet showing the version number is linked here.
The signatures used in FortiGuard detection are independent of the etymology of the malware, so all protections that we implemented were valid and remain correct.
Thanks to multiple researchers who pointed out the error via Twitter even as we were digging further into the details ourselves.
From the above VBScript code, we can see the string "http://iamthewinnerhere.com/80.exe". The code downloads an executable file from http://iamthewinnerhere.com/. The code also uses obvious evasion techniques like "Ms" + "xml2." + Mid("backhandedXMLHTTPnational", 11, 7) + Right("ceremoniousness", 0) to bypass the detection of dangerous function call. So it’s obvious that the Word file is malware. Please note that this Word file can be detected by FortiGuard as the virus name “WM/Agent!tr”.
When we open the file with Microsoft Word, as we expect, an executable file is downloaded and its MD5 hash is 410c3be0023dfa5578b94d52c16bdb79. This file can be detected by FortiGuard as the virus name “W32/Kryptik.EIQU!tr”. Continuing our analysis of the executable file’s behavior, we find that, upon execution, 190 file types on the computer are encrypted. The following is part of the log file that records what the executable file does. The original file “dbrecio.py” is encrypted with the extension “.vvv”.
Modifed 171E C:\Python27\Lib\bsddb\dbrecio.py
Modifed 171E + C:\Python27\Lib\bsddb\dbrecio.py.vvv
The following code snippet shows that the malware encrypts files with the extension “.vvv”.
.text:00413FEA push 0FFFFFFFFh ; MaxCount
.text:00413FEC push edi ; Src
.text:00413FED lea edx, [ebp+NewFileName]
.text:00413FF3 push 1000h ; SizeInWords
.text:00413FF8 push edx ; Dst
.text:00413FF9 call _wcsncpy_s ; original file name e.g. "aa.txt"
.text:00413FFE push 0FFFFFFFFh ; MaxCount
.text:00414000 push offset a_vvv ; ".vvv"
.text:00414005 lea eax, [ebp+NewFileName]
.text:0041400B push 1000h ; SizeInWords
.text:00414010 push eax ; Dst
.text:00414011 call _wcsncat_s ; new encrypted file name e.g. "aa.txt.vvv"
.text:00414016 add esp, 20h
In each folder on the computer, another 3 files (HTML, TXT and BMP files, respectively) are also created. The following is the snippet of code that extracts and creates these 3 files (linked here for space and readability).
Figure 2 is the screen shot of the HTML file created by the malware. It tells the victims what happened and how to restore the original files. The files on victims’ computers are encrypted with the strong encryption algorithm RSA-4096. If the victims can’t get the private key, they have no way to decrypt the files. However, the private key is in the hands of the attackers. As we can see from the web page, the victims must follow the given instructions to obtain the key.
The attackers provide specific links for victims to visit and suggest using the Tor browser to visit these links. As we know, the Tor browser uses the Tor network to communicate and can be used to hide the location and identity of users. The attackers are also using the Tor network in order to conceal their activities and, using that method, also generate a personal identification number (ID) to correlate with the generated private-key on their servers.
Figure 2. Statement for Ransom
If we then follow the instructions given by the attackers, the Tor link opens the following page in the Tor browser. A captcha is required to continue.
Figure 3. The 1st Web Page for “Decrypt Service”
After the captcha is entered, the following web page is loaded.
Figure 4. The 2nd Web Page for “Decrypt Service”
As we can see from this web page, the attackers ask 500 USD for the private key if the victims pay it before 12/24/2015. After that, the victims must pay 1,000 USD to get the private key. BitCoins are used to make the payment. They also mention that CryptoWall Decrypter is used to decrypt the encrypted files. So this ransomware should be a variant of CryptoWall.
By monitoring the network activities of the ransomware and using reverse engineering techniques (since these were encrypted in the original downloaded executable), we can see it connects to several IP addresses and domains, which we have excluded at this point until we can contact the domain owners about potential compromise.
The following is one of its HTTP requests and responses we captured. As you can see, some information gathered from the infected computer is submitted to the server graphicstreeme.com. The server acknowledges it.
Figure 5. Sample of Ransomware Communication
We will continue to monitor the distribution and behavior of this malware and share updates on our findings, as well as ensure that Fortinet products are actively protecting against this new CryptoWall variant.
Special thanks to our researchers Xiaopeng Zhang and Chris Navarrete who analyzed this ransomware.
The following 190 file types are hard coded into the malware for encryption: (linked here for space and readability)