Cryptowall 2

Dan Carpenter January 15, 2015

The latest wave of Cryptowall 2.0, a variant of malicious software known as ransomware, has been making the rounds recently. Unfortunately for users, it comes packed with even more advanced methods that increase its ability to compromise computers.

For a brief bit of background, malware like Cryptowall 2.0 will typically enter a user’s machine through an email attachment, a vulnerability in the user’s browser, or an inadvertent download. One of the more popular methods of delivering the newest variant of Cryptowall 2.0 is an email that purports to be about “New Outlook Settings” (typical subject: “Important – New Outlook Settings”), sent from the address “Administrator@outlook-us.com.”
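A small mail-header triage script, added here as an example (it is not part of the original article), that flags messages matching the lure just described: a subject mentioning new Outlook settings and a sender in the look-alike domain outlook-us.com. The sample message is constructed, and the set of trusted domains used for the look-alike check is an assumption.

```python
"""Triage helper for the Cryptowall 2.0 'New Outlook Settings' lure.

Added example, not from the original article. It parses raw e-mail headers
and reports which of the lure indicators described in the post a message
matches. SAMPLE below is a constructed message, not a real capture.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators taken from the post. LEGIT_DOMAINS is an assumption: domains the
# organisation actually trusts for Outlook-related administrative mail.
LURE_SUBJECT_WORDS = ("new outlook settings",)
LURE_SENDER_DOMAINS = {"outlook-us.com"}
LEGIT_DOMAINS = {"outlook.com", "microsoft.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    _, addr = parseaddr(from_header or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message: bytes) -> dict:
    """Return which lure indicators a raw RFC 5322 message matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    subject = str(msg["Subject"] or "").lower()
    domain = sender_domain(str(msg["From"] or ""))
    subject_hit = any(word in subject for word in LURE_SUBJECT_WORDS)
    domain_hit = domain in LURE_SENDER_DOMAINS
    # Look-alike pattern: the sender domain is not one we trust but begins
    # with the same label as a trusted domain (e.g. "outlook-us.com").
    lookalike = (domain not in LEGIT_DOMAINS and
                 any(domain.startswith(d.split(".")[0]) for d in LEGIT_DOMAINS))
    return {
        "from_domain": domain,
        "subject_matches_lure": subject_hit,
        "sender_domain_known_lure": domain_hit,
        "lookalike_domain": lookalike,
        "suspicious": subject_hit or domain_hit or lookalike,
    }


# Constructed sample mirroring the lure described in the post.
SAMPLE = (b"From: Administrator <Administrator@outlook-us.com>\r\n"
          b"To: user@example.com\r\n"
          b"Subject: Important - New Outlook Settings\r\n"
          b"\r\nPlease apply the attached settings.\r\n")

if __name__ == "__main__":
    print(triage(SAMPLE))
```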

Once a ransomware virus like Cryptowall 2.0 infects a computer, it will encrypt its files (including those on mapped network drives) and hold them for “ransom,” asking users to pay Bitcoin amounts of $100-$500 to recover their data.

So, what makes this latest variant of Cryptowall 2.0 even more effective? Mike Young, Proactive Services Specialist at Miles Technologies, says that this variant uses a Windows vulnerability to gain increased privileges on the computer it infects. According to Young, when malware enters a user’s machine, it is typically restricted to certain areas of the computer by permissions. This latest wave doesn’t stop there.

“One of the vulnerabilities being used by the newest variant of Cryptowall allows malware that would normally lack access to all areas of a user’s computer to gain full control over the machine prior to encrypting,” Young says. “The more privileges the malware has, the more it can damage.”

This vulnerability was patched by Microsoft in 2013, so making sure Windows updates are applied regularly on your computer is highly important for security. Young says it is equally important to note that installing the Microsoft patch for this vulnerability does not mean your computer is protected against variants of Cryptowall. It simply demonstrates how seemingly lower-value software vulnerabilities can be combined to create larger problems.

In addition to being able to elevate privileges on a computer, this latest variant of Cryptowall 2.0 also has built-in defense mechanisms to prevent it from being analyzed by security researchers trying to determine where it originated.

Security and malware researchers use VMs (virtual machines) to emulate environments and analyze how malware actually works. This enables the industry to understand how to better defend against a threat. Malware developers realize this and have attempted to counteract it in their viruses.

“A lot of modern malware tries to detect if it is run in a virtual environment and will simply remove itself, or do something else, if it detects it, since most people would not be running virtual machines for their desktops,” Young says.

An additional item worth monitoring is the potential for the newest wave of Cryptowall to infect modern Mac OS versions. Some experts report that they believe the ransomware can infect Mac OS X. While this has not been confirmed, it is definitely worth watching, as previous variants of the virus were exclusive to Windows.

As of now, this new wave of Cryptowall 2.0 is still entering computers in ways similar to those its predecessors used. In addition to maintaining proper external backups, users need to be on high alert for suspicious email attachments and download links or ads (“malvertisements”).

Have any questions about the latest wave of Cryptowall 2.0 or what you can do to protect yourself? Please share your thoughts in the comments below.

How up-to-date are your company’s data backups? For questions or concerns with fending off Cryptowall 2.0, you can always contact us today to speak with an IT expert.
