CryptoWall 3.0: Ransomware returns with I2P Network

March 17, 2015

The Dell Sonicwall Threats Research team observed Cryptowall bot family named GAV: Cryptowall.K and Cryptowall.L actively spreading in the wild. This is the new Variant of Popular CryptoLocker Ransomware which is uses I2P (Invisible Internet Project) for C&C communications. I2P is an anonymity network that is similar to Tor network.

The Malware is the first CryptoWall variant that uses I2P anonymity networks to carry out communication between victims and attackers keeping it away from Security researchers and government enforcement officials.

Infection Cycle:

Md5: 6c3e6143ab699d6b78551d417c0a1a45, 47363b94cee907e2b8926c1be61150c7

The Malware adds the following files to the system:

  • C:2c4284242c428424.exe [Executable file]

  • %Appdata% 2c428424.exe [Executable file]

  • %Userdata% Start MenuProgramsStartup2c428424.exe [Executable file]

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun2c42842

    • C:2c4284242c428424.exe

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun2c428424

    • C:Documents and SettingsAdministratorApplication Data2c428424.exe

The malware it has SeDebugPrivilege Enabled for Thread injection and uses Injected Svchost.exe to set %Appdata% value in the Windows Registry and after while terminates its own process.

Also disable system restore after while.

CryptoWall encrypts the victims files with a strong RSA 2048 encryption algorithm until the victim pays a fee to get them back. It demanded victims pay the equivalent of US$500 in Bitcoin virtual currency in order to receive the decryption key that allows them to recover their files.

After Malware encrypted all your personal documents and files its shows you following web page:

Command and Control (C&C) Traffic

CryptoWall has communication over I2P anonymity networks, Uses requests to I2P Domains are made on a regular basis. These requests such as the following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cryptowall.K (Trojan)

  • GAV: Cryptowall.L (Trojan)

SonicWALL Application Control can prevent I2P tunnels on your network via the following signatures:

  • 5 Encrypted Key Exchange -- Random Encryption (Skype,UltraSurf,Emule)
  • 7 Encrypted Key Exchange -- UDP Random Encryption(UltraSurf)
  • 10817 I2P -- HTTP Proxy Access 1 [Reqs SID 5 & 7]
  • 10817 I2P -- HTTP Proxy Access 2 [Reqs SID 5 & 7]
  • 10817 I2P -- HTTP Proxy Access 3 [Reqs SID 5 & 7]