The evolution of ransomware: from CryptoLocker to CryptoWall

Presented at VB2015, Sept. 30, 2015, 2:30 p.m. (30 minutes).

The CryptoLocker ransomware was first discovered in late 2013. Millions of computers were infected, billions of files were encrypted, and millions of dollars' worth of ransom was collected within several months. It caught a lot of researchers' attention at the time, and it was finally isolated in late May 2014. After a few months' silence, a new variant - CryptoWall - appeared in late 2014. Millions of computers were infected within five months, and CryptoWall is still active now. Both CryptoLocker and CryptoWall propagated as attachments or malicious links in email messages. Once the computer was infected, the targeted files were encrypted and a ransom demand popped up. Sometimes files can be recovered after paying the ransom, but sometimes not. Compared to CryptoLocker, CryptoWall is stealthier: it hosts its payment websites on the Tor network in order to avoid being tracked and discovered. It deletes the volume's shadow copies and disables the Windows Error screen at startup to make recovering files harder. It also disables Windows Updates and error reporting in order to avoid detection.
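The host-side behaviours listed above (shadow copy deletion, disabling the startup error screen, disabling Windows Update and error reporting) are visible in process-creation telemetry, which is where a defender would look for them. The following is an added example, not code from the talk or from Fortinet: it scans constructed process-creation events and flags hosts that show several of these indicators together, since a lone shadow copy deletion can be legitimate backup activity. The command forms matched (vssadmin, bcdedit, sc with the wuauserv and WerSvc service names) are assumptions about how these behaviours are usually performed; the abstract does not name the tools.

```python
import re

# Constructed sample process-creation events (made up for this example,
# not data from the talk); each line carries the spawned command line.
SAMPLE_EVENTS = [
    'host=WS01 user=alice parent=explorer.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    'host=WS01 user=alice parent=explorer.exe cmd="bcdedit /set {default} recoveryenabled No"',
    'host=WS01 user=alice parent=explorer.exe cmd="sc config wuauserv start= disabled"',
    'host=WS02 user=bob parent=cmd.exe cmd="vssadmin.exe list shadows"',
    'host=WS03 user=svc_backup parent=backup.exe cmd="vssadmin.exe Delete Shadows /Shadow={id} /Quiet"',
]

# Indicator name -> regex over the command line. These command forms are
# assumptions about how the abstract's behaviours are typically carried out.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "startup_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "update_or_reporting_disabled": re.compile(
        r"sc(\.exe)?\s+config\s+(wuauserv|wersvc)\s+start=\s*disabled", re.I),
}

CMD_RE = re.compile(r'cmd="([^"]*)"')
HOST_RE = re.compile(r"host=(\S+)")


def match_event(line):
    """Return (host, indicator) if the event's command line matches, else None."""
    cmd, host = CMD_RE.search(line), HOST_RE.search(line)
    if not cmd or not host:
        return None
    for name, pattern in INDICATORS.items():
        if pattern.search(cmd.group(1)):
            return host.group(1), name
    return None


def triage(lines, min_indicators=2):
    """Return hosts showing at least min_indicators distinct indicators."""
    per_host = {}
    for line in lines:
        hit = match_event(line)
        if hit:
            per_host.setdefault(hit[0], set()).add(hit[1])
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_indicators}


if __name__ == "__main__":
    for host, indicators in triage(SAMPLE_EVENTS).items():
        print(host, indicators)  # WS01 is flagged; WS03's single deletion is not
```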

In this presentation, we will compare these two variants in terms of their communication methods, the way they select target files, their encryption methods and how decryption instruction websites are managed over the Tor network. Last but not least, we will demonstrate how to recover encrypted files.
Presenters:

  • Christy Chung - Fortinet
    Christy Chung is a malware researcher in the AntiVirus MVRT department at Fortinet Inc. Canada. She joined Fortinet as a malware analyst in October 2011. Her main tasks include malware analysis, detection creation and tracking botnets. Her current research focus is on custom packers and botnets.
  • Neo Tan - Fortinet
    Neo Tan is the Manager of the MVRT team at Fortinet Inc. He is not only an experienced software developer but also a senior malware reverse engineer. His research interests include exploits, custom packers, botnets, cryptography and machine learning.
