Crypto-ransomware continues to grow and mutate. Yet another family popped up the other day called CoinVault. Like Cryptographic Locker, this one is a .NET application. It is not as advanced as Cryptolocker or Cryptowall, but it apparently does its job reasonably well.
We were wondering recently whether there are any trends in crypto-ransomware, how the threat evolves over time and whether there is any connection between the gangs. So we wrote a report that summarizes our analysis of six ransom Trojans:
- Dirty Decrypt
- CryptoWall / CryptoDefense
- Critroni/CTB Locker
- Cryptographic Locker
We looked at nearly 30 samples. Here are the main findings of the research:
- The latest families target a huge number of enterprise file formats from documents and images to CAD files and financial data instead of just common consumer file types.
- Crypto-ransomware uses every possible attack vector to get into victim machines.
- The samples analyzed use fairly complex obfuscation and covert launch techniques that allow them to evade detection in the early stages of infection.
- Communication with command and control servers is encrypted and extremely hard to spot in the network traffic.
- The cryptography used in the samples analyzed is for the most part implemented correctly, and encrypted files are impossible to recover without the key.
- All recent ransomware accepts payments in Bitcoins only. Apparently there’s a good way of laundering BTC or maybe even a service on the black market.
- Crypto-ransomware matures and evolves from version to version: additional features are added to ensure that files are impossible to recover (e.g. deleting shadow copies), and flaws get fixed.
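The shadow-copy deletion mentioned above is one of the few ransomware behaviours a defender can catch on the host before encryption completes. The following is an added example, not code from the Bromium report or its products: it flags vssadmin/wmic shadow-copy deletion in constructed process-creation records and raises the severity when the parent process runs from a user-writable location (the record field names and the severity rule are assumptions).

```python
import re

# Constructed Sysmon-style process-creation records (not taken from the report).
SAMPLE_EVENTS = [
    {"cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"cmdline": "vssadmin list shadows",            # benign admin query
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"cmdline": "notepad.exe report.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Parent binaries living under a user profile or Temp are a common sign of a
# freshly dropped payload rather than an administrator at a console.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|temp)\\", re.IGNORECASE)


def classify_shadow_copy_deletion(event):
    """Return a short reason if the command deletes Volume Shadow Copies, else None."""
    tokens = event["cmdline"].lower().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]  # drop any path prefix from the image name
    if exe in ("vssadmin", "vssadmin.exe") and "delete" in tokens and "shadows" in tokens:
        return "vssadmin delete shadows"
    if exe in ("wmic", "wmic.exe") and "shadowcopy" in tokens and "delete" in tokens:
        return "wmic shadowcopy delete"
    return None


def find_ransomware_indicators(events):
    """Scan process-creation records and return one alert per shadow-copy deletion."""
    alerts = []
    for ev in events:
        reason = classify_shadow_copy_deletion(ev)
        if reason is None:
            continue
        severity = "high" if USER_WRITABLE.search(ev["parent"]) else "medium"
        alerts.append({"reason": reason, "severity": severity, "parent": ev["parent"]})
    return alerts


if __name__ == "__main__":
    for alert in find_ransomware_indicators(SAMPLE_EVENTS):
        print(alert)
```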
This threat won't go away: as long as people pay the ransom, new ransomware families will appear. For the detailed analysis of the aforementioned families, read the full report.
Bromium customers should not worry about this threat, since we're able to isolate crypto-ransomware and prevent it from accessing the file system. If a crypto-enabled piece of malware successfully executes inside the micro VM, LAVA will produce an attack graph that looks like this:
LAVA provides full details of the ransomware activity, the vector used to attack the system and the location of the attackers' C&C server. We will continue to track developments with these types of attacks and will provide additional information as it becomes available.