Wednesday, November 4, 2015

Post #13 (Or... "All In All...")

Well, everybody, it is finally here!

No, not the latest iPhone.
No, not the latest Galaxy phone.
No, not the season premiere of your favorite television drama.

I am talking about CryptoWall 4.0.

Two days ago, one of our clients was hit with cryptoransomware that seemed similar to CryptoWall, and it claimed to be CryptoWall, but some of the features were not hallmarks of CryptoWall 3.0. However, after working closely with the fantastic folks over at BleepingComputer, it was finally confirmed that this is, in fact, yet another version of one of the most powerful and virulent cryptoransomware families to date.

I am not going to go into analysis here; the BleepingComputer folks handled that splendidly in the forum thread linked above. I will mention, though, that I created an interactive batch script which, in lieu of the helpful file list that CryptoWall 3.0 and older versions wrote to the registry, iterates over user-selected drives, scans them for ransom note files, and saves the results to the current user's Desktop.

In addition, please review the following characteristics that set this version apart from its predecessors:

• There is no longer a list of encrypted files in the registry.
• Instead of just encrypting a file, the malware now renames it as well, stem and extension alike (e.g., “AccountsPayable.XLSX” becomes “h8agj3ajy9s.jms7h”), so the original name cannot be read back from the directory listing.
• The ransom note files are now named “HELP_YOUR_FILES” instead of “HELP_DECRYPT”.
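A scanner of the kind described above, added here as an example; it is not the batch script offered for download and is not the author's code. It walks whatever roots you pass in (the batch tool asks the user to pick drive letters), records every file whose name starts with HELP_YOUR_FILES, counts the files beside each note that fit the random stem.extension naming shown above, and writes a plain-text report. The Desktop path, the report file name, the renamed-file regex and the sample tree it builds for a dry run are all assumptions made for this example, not details from the post.

```python
"""Triage scanner for the CryptoWall 4.0 traits listed above.

Added example, not the post's batch script. Walks the given roots, records
ransom notes (name starts with HELP_YOUR_FILES), counts neighbouring files
that fit the random "stem.ext" rename the post shows (h8agj3ajy9s.jms7h) and
writes a report. Desktop path and rename regex are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterable, List

NOTE_PREFIX = "HELP_YOUR_FILES"  # note name from the post; any extension

# Assumed heuristic built from the one example in the post: lowercase
# letters/digits only, a long stem, a short made-up extension, one dot.
_RENAMED = re.compile(r"^(?P<stem>[a-z0-9]{8,})\.(?P<ext>[a-z0-9]{4,7})$")


def looks_renamed(name: str) -> bool:
    """True if a file name fits the assumed CryptoWall 4.0 rename pattern.

    Stem and extension must each mix letters and digits, which keeps
    ordinary names such as readme.txt or photo2015.jpeg out of the count.
    """
    m = _RENAMED.match(name)
    if not m:
        return False
    return all(any(c.isdigit() for c in part) and any(c.isalpha() for c in part)
               for part in (m["stem"], m["ext"]))


@dataclass
class ScanResult:
    notes: List[str] = field(default_factory=list)        # full paths of notes
    renamed: Dict[str, int] = field(default_factory=dict)  # note dir -> renamed siblings
    errors: List[str] = field(default_factory=list)       # dirs we could not list


def scan(roots: Iterable[str]) -> ScanResult:
    """Walk each root; a directory is recorded only if it holds a ransom note."""
    result = ScanResult()
    for root in roots:
        walker = os.walk(root, onerror=lambda e: result.errors.append(str(e.filename)))
        for dirpath, _dirs, files in walker:
            notes_here = sorted(f for f in files if f.upper().startswith(NOTE_PREFIX))
            if not notes_here:
                continue
            result.notes.extend(os.path.join(dirpath, f) for f in notes_here)
            result.renamed[dirpath] = sum(1 for f in files if looks_renamed(f))
    return result


def render_report(result: ScanResult) -> str:
    """Plain-text report: note paths, then per-directory renamed-file counts."""
    lines = [f"Ransom notes found: {len(result.notes)}", ""]
    lines.extend(result.notes)
    lines += ["", "Directories holding notes (renamed files alongside):"]
    lines.extend(f"{count:6d}  {d}" for d, count in sorted(result.renamed.items()))
    if result.errors:
        lines += ["", "Directories that could not be listed:"] + result.errors
    return "\n".join(lines) + "\n"


def write_report(result: ScanResult, out_path: str) -> str:
    Path(out_path).write_text(render_report(result), encoding="utf-8")
    return out_path


def default_report_path() -> str:
    # Assumption: current user's Desktop, as the post says the batch tool does.
    return str(Path.home() / "Desktop" / "cryptowall4_notes.txt")


def build_sample_tree(base: str) -> str:
    """Constructed sample data (not from a real infection) for a dry run."""
    docs = Path(base) / "Docs"
    (docs / "sub").mkdir(parents=True)
    for name in ("HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML",
                 "h8agj3ajy9s.jms7h", "AccountsPayable.XLSX", "readme.txt"):
        (docs / name).write_text("x")
    for name in ("help_your_files.png", "q2zr8kd1mv4.a9xkp", "photo2015.jpeg"):
        (docs / "sub" / name).write_text("x")
    (Path(base) / "Clean").mkdir()
    (Path(base) / "Clean" / "report.pdf").write_text("x")
    return str(docs)


def run_demo() -> ScanResult:
    """Scan the constructed tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan([base])


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or [str(Path.home())]  # e.g. C:\ D:\ on a real box
    print(write_report(scan(targets), default_report_path()))
```

Run it with the drive letters or folders to check as arguments; with none it scans the current user's home. The renamed-file count is only taken in directories that already hold a note, so the loose name heuristic is a per-directory damage estimate rather than a detection on its own.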

Here is your download; e-mail me with any suggestions, concerns, or questions. Bear in mind that anti-malware vendors may soon start detecting and cleaning up the ransom note files, which would leave a script that keys on those notes with nothing to find, but I wanted to get this tool out there regardless.

EDIT 11/05/2015-18:37 Eastern: I realized I had linked to the wrong file previously. The download for the batch script utility has been fixed. I have also tested it in an infected sandbox, and the output file was clean and extremely useful.

EDIT 11/10/2015-08:51 Eastern: I have had multiple people contact me for a sample of this malware, so I have now added it to the download section as well.
