CryptoWall 2.0 ransomware is now capable of running 64-bit code, researchers said.
In August, the Dell SecureWorks Counter Threat Unit reported that CryptoWall had infected nearly 625,000 systems between mid-March and August 24, encrypting over 5 billion files. Researchers determined the ransomware had helped its developers earn more than $1 million in the six-month period.
The first samples of CryptoWall 2.0 were found by researchers in October, who said the malware authors had started using the Tor anonymity network to protect command and control (C&C) traffic.
The CryptoWall 2.0 dropper relies on multiple exploits for initial access to a system, said researchers at Cisco’s Talos Group. One of the samples analyzed by researchers exploited an old Windows vulnerability (CVE-2013-3660) to escalate its privileges.
To ensure it does not execute in a sandbox environment, the ransomware incorporates anti-VM and anti-emulation checks that must pass before the actual malware installs on a system. Both the dropper and the binary it downloads are protected by several layers of encryption, Cisco said.
CryptoWall 2.0 creates registry entries for persistence, and disables system protections and various services (Windows Update, ERSvc, Security Center, Windows Defender, Background Intelligent Transfer Service, Windows Error Reporting Service) on the infected device, researchers said.
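As an added defensive check (not from the article or from Cisco's write-up), the following PowerShell audits the startup mode of the services the article says the ransomware disables and flags any that are set to Disabled. The service short names used are the standard Windows names for the listed display names; that mapping, and the assumption that a Disabled start mode on these services is abnormal for the host, are this example's assumptions.

```powershell
# Added example: audit the services CryptoWall 2.0 is reported to disable.
# Short names are the standard Windows service names for the article's display names
# (ERSvc is the pre-Vista error reporting service and is absent on newer hosts).
$watched = @{
    'wuauserv'  = 'Windows Update'
    'ERSvc'     = 'Error Reporting Service (pre-Vista)'
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WerSvc'    = 'Windows Error Reporting Service'
}

$findings = foreach ($name in $watched.Keys) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service does not exist on this OS version; nothing to flag
    # A start mode of 'Disabled' on any of these services is the condition described
    # in the article; Auto/Manual are the expected values on an untampered host.
    if ($svc.StartMode -eq 'Disabled') {
        [pscustomobject]@{
            Service     = $name
            DisplayName = $watched[$name]
            StartMode   = $svc.StartMode
            State       = $svc.State
        }
    }
}

if ($findings) {
    Write-Warning "Security-relevant services found disabled; review the host for tampering:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "None of the watched services are disabled."
}
```

Run it in an elevated session and compare the result against a known-good baseline for the same OS version, since some of these services are legitimately set to Manual (not Disabled) when third-party security products are installed.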
CryptoWall 2.0 can run 64-bit code directly from the 32-bit dropper. It does this by leveraging the WoW64 (Windows 32-bit on Windows 64-bit) subsystem to switch the processor execution context.
“[The analyzed sample] includes some 64 bit code (and an exploit DLL) directly in its main 32-bit executable. Although the main module is running in 32-bit mode, it is capable of executing all the 64-bit functions it needs. It accomplishes this by performing a direct Processor execution context switch,” Cisco researchers said in a blog post.
CryptoWall has taken the place of CryptoLocker, which law enforcement authorities shut down last summer as part of an operation targeting the Gameover Zeus malware.