Ransomware evolves, presents real danger to Australian businesses

A new drive-by campaign pushing CryptoWall 3.0 ransomware has hit Australians, but how does it compare with similar campaigns and why are we still seeing variants after two years?

In the last few months, a new variant of the all too prevalent Crypto-ransomware family, named CryptoWall 3.0 has been tracked targeting Australians.

The new variant follows the same pattern of behaviour that previous iterations did - that is, infecting a user’s computer through a phishing e-mail and encrypting files on a PC or network before demanding payment to dencrypt the files.

Webroot information security analyst, Daniel Slattery, said CryptoWall 3.0 is a polymorphic virus that has been around for the last six months and is part of a bigger Ransomware family that has been around since late 2013.

“Once on a system, it encrypts all documents and images on the computer and any shares on the network that it can access. To achieve this it uses standard RSA-2048 encryption techniques by hijacking legitimate Windows processes to avoid detection by anti-virus software,” he said.

Researchers at security firm, Webroot, explained that the new campaign is delivering a payload via redirects to Google Drive. These redirects are coming via the 'RIG Exploit Kit' which uses vulnerabilities in Adobe Reader, Flash Player, Internet Explorer, Java, and Silverlight.

The Google Drive page then downloads the CryptoWall dropper which is automatically executed, downloading and running CryptoWall 3.0 on a user’s PC.

A new wave of Cyber-crime

This is the first time cyber-criminals have consistently fallen back on the same branding for a number of years. In the past, these malicious actors would switch up the branding of malware and exploit kits to attempt to evade detection. It is testament to the success of the ransomware that these actors have continued to lean on a brand of malware for two years.

Slattery explained that the behavioural patterns of cybercriminals had changed dramatically over the past few years.

“A few years ago, we had a number of fake anti-virus programs where cyber-criminals would brand themselves that way, but they tended to change their name once every fortnight or so. This is the first time where it has been the same brand for such a long time,” he said.

“Cryptolocker and CryptoWall 3.0 is really just a branding exercise. They are using the same exploits and technology on the backend, but using the same name to get brand awareness like any other company does.

“Especially with ransomware-as-a-service now, anyone can start a ransomware campaign and then attach themselves onto some of the big names like Cryptolocker and CryptoWall to get more people to pay the ransom.”

“The behaviour of encryption malware has changed since we first saw Cryptolocker back in September of 2013,” said Webroot information security analyst, Armando Manago.

“Initially Cryptolocker used itself to encrypt personal documents, it now uses legitimate windows files to encrypt these documents [explorer.exe, svchost.exe etc.]. The Webroot Intelligence Network allows us to see specific patterns used in phishing email campaigns that spread the infections.”

Some of the commonly used words in these phishing emails include: INVOICE, SWIFT, DHL, FedEx, PAYMENT, DOCUMENT, FAX, SCAN, STATEMENT, ORDER, PAMPER, FORM, Australian Federal Police (AFP), Australia Post (AusPost), Resume, Delivery, Package, Australian Taxation Office (ATO) .

“I highly recommend putting a rule or blocking email attachments that contains the following words mentioned above,” Manago said.

As the malware landscape has matured, the effectiveness of campaigns such as CryptoWall 3.0 has led to more awareness and publicity for such attacks. Cyber-criminals are now looking to leverage that awareness in an attempt to get a better return on investment.

These mainstream marketing practices are just one example of how cyber-crooks are becoming more brazen in their attempts to defraud business, government and the public.

In response to this, Webroot has released five recommendations on how partners and their end user customers can mitigate the risk of a CryptoWall 3.0 attack. They include:

  • Be careful about where you browse online, don't click on links or pop-ups that look suspicious.
  • Don't open links or attachments in e-mails from unknown sources.
  • Keep up to date back-ups of personal and important documents, both Cloud based and physical copies.
  • Keep Windows up to date and ensure that the following software is on the latest version (if installed on the computer):
    • Java JRE
    • Adobe Reader
    • Internet Explorer
    • Flash Player
  • Install up to date Anti-Virus software and ensure that it is protecting your system.

Given the increasing sophistication of attacks, there has never been a more important time for partners to ensure they are offering the most effective solutions to secure client’s infrastructure from the network to every endpoint. Technology alone cannot solve the issue and simply reacting to breaches is no longer viable, too much damage is done in the interim.

Vigilance is the mantle partners need to adopt so they can stay ahead of the malware curve and protect customers. Partners must also ensure if a breach does occur, they are well positioned to mitigate and provide the best possible outcome to client.

During 2014, Webroot encountered tens of millions of instances of malware and potentially unwanted applications (PUAs), monitored billions of IP addresses and URLs, analyzed millions of new and updated mobile apps for malicious behavior, and studied major malware trends based on data from millions of endpoints. This report contains insights, analysis, and information on how collective threat intelligence can protect organizations from sophisticated attacks.

Read Brief

Does your Endpoint Security Measure Up?

In August 2015, PassMark Software® benchmarked Webroot SecureAnywhere® Business Endpoint Protection against seven competitors and found that Webroot installs faster, scans more quickly, and uses less memory. Read the complete 2015 Performance Benchmark report for the comprehensive results and findings, and to learn more about the 13 performance metrics that were measured.

Read Report