Ransomware 101 - CryptoLocker and CryptoWall

by Michael Schneider
time to read: 16 minutes

Every visitor to the World Health Organization’s AIDS conference in 1989 who received a floppy diskette titled AIDS Information Introductory Diskette from biologist Joseph L. Popp was in for a surprise: after they had read the disk for the first time and booted their computer 90 more times, they saw the following message instead of the regular DOS prompt:

ATTENTION I have been elected to inform you that throughout your process of :collecting and executing files, you have accdientally (sic) ¶HÜ¢KΣ► [PHUCKED] :yourself over: again, that's PHUCKED yourself over. No, it cannot be; YES, it CAN be, :a √ìτûs [virus] has infected your system. Now what do you have to say about that? :HAHAHAHAHA. Have ¶HÜÑ [PHUN] with this one and remember, there is NO cure for AIDS.

Apart from this warning, users were informed that they had to pay a company named PC Cyborg Corporation a licence fee of 189 USD, payable to a PO box in Panama. If the user did not comply, all files on the system partition C: would be hidden and the file names encrypted.

For users, the story had a happy ending. Joseph L. Popp was arrested but never convicted, on the grounds of insanity. Nowadays he runs a butterfly conservatory with his daughter. Jim Bates, an IT forensics expert from the UK, published a program in the January 1990 issue of Virus Bulletin that decrypted all the files.

The AIDS or PC Cyborg Trojan is a Trojan horse known as the first ever malware of the ransomware type. The term combines ransom and ware, a common suffix when naming computer parts or programs. It describes malware that manipulates data on a computer so that the user can neither access nor use it anymore; to reverse this, the user has to pay a fee.

This Labs article offers insight into the functionality of the current ransomware CryptoWall and gives advice on prevention as well as on what to do after an infection.


CryptoWall’s origins lie mainly in a malware named CryptoLocker. Sometimes CryptoWall is still called CryptoLocker, even though the two share nothing in the technology used to build them; what they do share is the encryption functionality and the ransom notes. It is unknown who launches these attacks, though the suspicion is that an unknown party or parties operating in the geographical area of the former Soviet Union are behind them.

CryptoLocker was first observed on September 5th, 2013. It was spread via e-mail attachments and a botnet named Gameover ZeuS. After infection, CryptoLocker used RSA public-key encryption to encrypt data in local folders and on network drives. The key length was 2048 bit; the private key was held on a command and control (C&C) server and only the public key was stored on the client computer.

CryptoLocker looked for files with the following extensions:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

After finding these files, CryptoLocker encrypted them and demanded a ransom of 400 USD, payable in prepaid cash cards or Bitcoin. Symantec estimated that approximately three percent of all affected users paid the ransom.

In May 2014, the United States Department of Justice, the FBI, Interpol and several IT security firms joined forces in Operation Tovar, which targeted and took down the Gameover ZeuS botnet, disrupting communication between the CryptoLocker client and its C&C server. The companies Fox-IT and FireEye were able to obtain the database of RSA private keys and built an online tool called Decrypt CryptoLocker that could be used to decrypt the files. The page is no longer in service.

CryptoWall 3.0 (Crowti)

CryptoWall’s successor had some advantages but did not make the splash that its predecessor and CryptoWall 3.0 – also known as Crowti – made. The third version appeared in January 2015 with a number of new and improved features. Version 2.0 had already introduced defence mechanisms such as detecting that it is running in a virtual machine (VM): if the malware detects a VM, it deletes its own executable and does not infect the VM, apparently to make analysis of the malware code more difficult.

Communication with the C&C servers is encrypted with RC4 and routed over I2P, which makes CryptoWall’s traffic harder to detect. In addition, some versions of the malware carry a digital signature, which makes them appear more trustworthy to the system.

The ransom demand was adjusted: CryptoWall 3.0 asks for 500 USD, and the demand doubles after seven days. To pay the ransom, victims have to access a site on the TOR network. The ransom note is stored on the victim’s desktop and in other locations in a variety of formats.

CryptoWall 3.0 was spread by a fake e-mail campaign using JPMorgan Chase & Co. as the sender. The mail carried a RAR archive as an attachment, sometimes containing a Microsoft Compiled HTML Help (CHM) file. When the file is opened, the latest version of CryptoWall is downloaded and executed, and it encrypts the files that match its search criteria. All encrypted files get the extension .ccc.

CryptoWall 3.0: Encrypted Files

The Cyber Threat Alliance estimated CryptoWall 3.0’s revenue to be 325 million USD.

CryptoWall 4.0

The fourth version of CryptoWall appeared at the beginning of November and brought further improvements. There were additional measures to detect antivirus software, and communication with the C&C server was improved. Apart from the file extensions, the file names themselves are now encrypted as well, making decryption even more difficult.

CryptoWall 4.0 was spread via a JavaScript file attached to an e-mail, which in turn downloads the malware. An interesting aspect of the fourth version is that, according to Fortinet, CryptoWall determines the computer’s location from the keyboard layout. When it recognizes certain countries, such as Russia or Ukraine, no infection occurs.

The ransom note is stored in three different file formats in places such as the user’s desktop. These files are:

The text of the ransom note was edited slightly and the ransom rose to 700 USD:

CryptoWall 4.0: HELP YOUR FILES

Security researcher Michael Fratello offers information as well as a current sample of CryptoWall 4.0 on his website. I have downloaded the file analitics.exe and tested it in a testing environment.

The environment is a Windows domain with a Windows 8.1 client. The user has some documents saved locally and additionally has access to a network share, on which Shadow Copies are enabled. In addition, a restore point was created on the client before running the malware.

After the EXE is executed, CryptoWall injects itself into the explorer.exe process and deletes the original file. Copies of the EXE are stored in C:\Windows\Prefetch and other locations. CryptoWall then starts to encrypt data and places the ransom notes on the desktop and in other directories.

CryptoWall 4.0: Encrypted Files

The screenshot shows a PDF file that was placed in the directory after the first execution of CryptoWall 4.0. It shows that there is no process running in the background that keeps encrypting new files. It is possible, though, that the ransomware periodically rescans the drives to encrypt new files.

In a first test, where the user was a member of the group Domain Users and had no administrative rights, only local files were encrypted. The network drive was not affected and the restore point still existed. A restore point only restores system files, however; the user’s files remain encrypted.

In a second test, the same user was added to the group Domain Admins. Again only local files were encrypted, but this time the restore point was deleted and CryptoWall used the Windows program vssadmin to delete the shadow copies.

CryptoWall 4.0: vssadmin.exe
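Because the deletion of shadow copies is one of the few observable actions CryptoWall takes before the data is gone, a suspect client is worth checking for exactly this. The following PowerShell script is an added example and not part of the original article or of any vendor tooling: it searches the Security log (Event ID 4688, which only carries the command line if Audit Process Creation with command-line logging is enabled) and, where present, the Sysmon operational log (Event ID 1) for vssadmin delete shadows invocations, then lists the shadow copies that still exist. The computer name and time window are placeholders.

```powershell
# Added example (not from the original article): find shadow-copy deletion
# commands in the Windows event logs and show which shadow copies are left.
# Assumes the command line is recorded in at least one of these logs:
#   - Security log, Event ID 4688, with "Include command line in process
#     creation events" enabled, or
#   - Sysmon operational log, Event ID 1 (Sysmon installed).
# Without one of these the command line is not recorded and nothing matches.

function Get-ShadowDeletionEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # placeholder: client under investigation
        [datetime]$Since = (Get-Date).AddDays(-7)    # placeholder: how far back to look
    )
    # The command observed in the test above, matched case-insensitively
    $pattern = 'vssadmin(\.exe)?\s+delete\s+shadows'

    $sources = @(
        @{ LogName = 'Security';                             Id = 4688; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $Since }
    )

    foreach ($filter in $sources) {
        # SilentlyContinue: Get-WinEvent reports an error when a log is absent or nothing matches
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $pattern } |
            ForEach-Object {
                # Extract the line holding the command line from the event text:
                # "Process Command Line:" in 4688, "CommandLine:" in Sysmon ID 1
                $cmdLine = $_.Message -split "`r?`n" |
                           Where-Object { $_ -match '^\s*(Process )?Command ?Line:' } |
                           Select-Object -First 1
                $cmdText = '(see event message)'
                if ($cmdLine) { $cmdText = $cmdLine.Trim() }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $_.LogName
                    EventId = $_.Id
                    Command = $cmdText
                }
            }
    }
}

function Get-RemainingShadowCopies {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # What is still there: an empty result after a hit above means the rollback option is gone
    Get-CimInstance -ClassName Win32_ShadowCopy -ComputerName $ComputerName |
        Select-Object @{ n = 'Created'; e = { $_.InstallDate } }, VolumeName, ID
}

$events = Get-ShadowDeletionEvents
if ($events) {
    Write-Warning 'Shadow copy deletion observed:'
    $events | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host 'No vssadmin delete shadows invocation found in the selected period.'
}
Get-RemainingShadowCopies | Format-Table -AutoSize
```

Run it from an account that can read the remote Security log (local administrators by default). A hit in Get-ShadowDeletionEvents combined with an empty Get-RemainingShadowCopies result is the state the second test above ended in: the only remaining recovery source is a backup that was kept outside the reach of the infected account.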

The CryptoWall executable was explicitly run as administrator. Thanks to the restrictive User Account Control settings, which separate user and administrative accounts, the executable did not have access to the user’s network shares.

In a third test, this separation was removed so that the network share was accessible to administrative users. Now not only the local files but also the files on the network share were encrypted, though only files the user could access were affected. CryptoWall did not attempt to gain elevated administrator privileges, even though with the permissions of a Domain Admin it could have. No earlier versions of the encrypted files were available to roll back to, as the software had deleted them. The shadow copies at the higher level, on the share itself, were still available, however, so restoring from them remained an option.

Based on the tests I’ve conducted, I conclude that CryptoWall 4.0 is primarily aimed at private users working with local admin rights. By deleting restore points and shadow copies, the malware makes recovering data difficult, and if the data is not available as an offline backup, there’s very little hope that it will ever be available again, unless the user pays the ransom.

By being able to detect connected network shares, CryptoWall 4.0 can encrypt data that is stored outside of the computer. This can affect cloud services such as Dropbox if they’re synced to the computer. In all tests, I did not detect any attempts at enumerating further shared files, even though such a functionality would be easy to implement. This would make the spread and damage potential of the malware much larger.

Prevention and Behaviour After Infection

I am dividing this part into two segments: private users and business users. The reason for this division is the fact that these two user groups have vastly different tools at their disposal. Therefore, a universal answer cannot be given here.

Private Users

The main line of defence for private users is an offline backup of all data they would like to be able to recover. This is the most undervalued point of defence, because very few private users regularly back up their data. In case of a CryptoWall infection or any other malware, a backup on an external drive is worth its weight in gold, as it enables an easy recovery of the data and thus a return to normal computer use.

Updates play an important role as a preventative measure for private users: install regular updates for the operating system as well as for the programs in regular use. A regularly maintained antivirus solution also helps. Note, however, that an up-to-date antivirus solution is no guarantee of security, as it only recognizes malware that has already been discovered and added to its database; when a new version of malware comes out, there is a chance that the antivirus software does not recognize it immediately. It is therefore important that the user does not indiscriminately click on every link or execute every file.

It also pays off to work with a user account that does not have administrative privileges, or at the very least to leave User Account Control (UAC) on its default setting: Default – Always Notify.

If, despite all precautions, the computer ends up being infected: don’t panic. Hasty actions might be detrimental to the recovery of data. As a first measure, the infected computer should be immediately isolated from the network and the internet in order to prevent the infection from spreading to other computers, network shares or cloud services. Once a computer is infected with CryptoWall, users as well as administrators have very few options.

Removing the malware from the computer is only the first step; the data remains encrypted. To date there is no way to decrypt the data without the private key, and because of the 2048-bit key length a successful brute-force attack is practically impossible. The only option left is to re-install the system; the data itself can then only be brought back from a backup. If data on cloud services is affected, some of them – such as Dropbox – offer versioning, with which earlier states of the files can be recovered.

Business User

Similar to private users, business users have one central tool at their disposal: backups. In a business, this includes proper documentation of the backup process as well as regular tests to verify that restores actually work. It pays off to have an offline solution here as well, because some ransomware renders Volume Shadow Copies useless or unusable. Countermeasures are usually layered:

The first layer is control over incoming data via web or e-mail. All data should be checked for malware and, in the case of e-mail, a restrictive ruleset for attachments should be implemented.

The second layer concerns the client computer. Just as with private users, there need to be regular updates and an antivirus solution. In addition, it is good practice not to give regular users administrative rights. A further step is to implement a whitelist of allowed applications, for example with AppLocker, so that only permitted applications can be executed.
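As an added example of the whitelist step, and not code from the original article or from Microsoft, the following PowerShell script builds a minimal AppLocker policy in which standard users may run executables and scripts only from the Windows and Program Files directories, while local administrators keep full access. A .js attachment saved under the user’s profile, the CryptoWall 4.0 delivery vector described above, is therefore not run. The policy is installed in AuditOnly mode first; the rule GUIDs are generated on the fly, the paths and SIDs are standard Windows values, and the temp-directory sample files are constructed for the dry run.

```powershell
# Added example (not from the original article): a minimal AppLocker policy that
# allows executables and scripts only from trusted directories for everyone and
# everything for BUILTIN\Administrators. Installed in AuditOnly mode; change
# EnforcementMode to "Enabled" after reviewing the AppLocker event logs
# (Microsoft-Windows-AppLocker/EXE and DLL, .../MSI and Script). Run elevated.

function New-PathRules {
    # Three Allow rules: Everyone (S-1-1-0) for the two trusted directories,
    # BUILTIN\Administrators (S-1-5-32-544) for any path.
    $rules = @(
        @{ Name = 'Allow Program Files'; Path = '%PROGRAMFILES%\*'; Sid = 'S-1-1-0' },
        @{ Name = 'Allow Windows';       Path = '%WINDIR%\*';       Sid = 'S-1-1-0' },
        @{ Name = 'Admins: everything';  Path = '*';                Sid = 'S-1-5-32-544' }
    )
    $xml = ''
    foreach ($r in $rules) {
        $id = [guid]::NewGuid().ToString()   # each rule needs its own unique Id
        $xml += @"
    <FilePathRule Id="$id" Name="$($r.Name)" Description="" UserOrGroupSid="$($r.Sid)" Action="Allow">
      <Conditions><FilePathCondition Path="$($r.Path)" /></Conditions>
    </FilePathRule>

"@
    }
    return $xml
}

# The same rule set for the Exe and the Script collection (fresh Ids for each)
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRules)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRules)
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-baseline.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# AppLocker only enforces while the Application Identity service runs. On
# Windows 10 it is a protected service, so the start type is set with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run before installing: notepad.exe in %WINDIR% should be Allowed; the
# same binary copied to the user-writable temp directory, and a constructed
# .js file there, should not be Allowed (Denied or DeniedByDefault).
$unknownExe = Join-Path $env:TEMP 'unknown.exe'
$unknownJs  = Join-Path $env:TEMP 'invoice.js'
Copy-Item "$env:WINDIR\System32\notepad.exe" $unknownExe -Force
Set-Content -Path $unknownJs -Value '// constructed harmless sample standing in for a mail attachment'

Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $unknownExe, $unknownJs |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Install once the decisions look right (-Merge keeps any existing rules)
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

In a domain the same XML is normally distributed through a Group Policy object rather than Set-AppLockerPolicy on each client, but the rule content is identical. Keep the AuditOnly phase long enough to catch legitimately installed software living outside the two trusted directories, then switch the collections to Enabled.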

On the server side, mainly the file server, it pays off to have a restrictive permission scheme so that users can only access the data necessary for their daily tasks and cannot reach the entire data store in case of an infection. Similarly, it is worth scanning all data drives for file names known to be associated with ransomware infections, such as HELP_YOUR_FILES*, in order to detect infected users. If a computer is found to be infected, immediately isolate the machine, wipe its hard drive and re-install everything the user needs to work. This prevents the ransomware from spreading.
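The scan for ransom notes on the file server, as an added example and not code from the original article: the script below sweeps a list of shares for the CryptoWall artefacts named on this page (HELP_YOUR_FILES* notes and files renamed to .ccc) and groups the hits by the account that owns them. Because the malware runs in the context of the infected user, as the tests above showed, the owner of a freshly written ransom note points at the workstation to isolate. The share names, output path and time window are assumptions.

```powershell
# Added example (not from the original article): sweep file shares for
# CryptoWall artefacts and report which account wrote them.
# Shares, patterns and the output path are placeholders for your environment.

function Find-RansomwareArtefacts {
    param(
        [string[]]$Shares   = @('\\fileserver\data', '\\fileserver\home'),   # placeholder shares
        [string[]]$Patterns = @('HELP_YOUR_FILES*', '*.ccc'),                # names from this article
        [datetime]$Since    = (Get-Date).AddDays(-1)                         # only recent writes
    )
    foreach ($share in $Shares) {
        # -Force also lists hidden files; -Include needs -Recurse to apply
        Get-ChildItem -Path $share -Recurse -Force -File -Include $Patterns -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                # The file owner is the account the malware was running as
                $owner = 'unknown'
                try { $owner = (Get-Acl -Path $_.FullName -ErrorAction Stop).Owner } catch { }
                [pscustomobject]@{
                    Owner   = $owner
                    Path    = $_.FullName
                    Written = $_.LastWriteTime
                }
            }
    }
}

$hits = Find-RansomwareArtefacts

# One line per suspected account: number of artefacts and when the first appeared
$hits | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'Account';   e = { $_.Name } },
                  Count,
                  @{ n = 'FirstSeen'; e = { ($_.Group.Written | Measure-Object -Minimum).Minimum } } |
    Format-Table -AutoSize

# Full list for the incident record
$hits | Sort-Object -Property Written |
    Export-Csv -Path (Join-Path $env:TEMP 'ransomware-sweep.csv') -NoTypeInformation
```

Scheduled hourly with a one-hour window, this turns the file server into an early warning sensor: the first ransom note a user account writes to a share is visible long before anyone notices encrypted documents, and the account name tells the administrator which client to pull off the network.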

These proposed technical measures offer basic protection against malware. Still, it is essential that every user is aware of the dangers of ransomware and acts accordingly. This saves quite a bit of trouble and effort and ultimately prevents the loss of data.

About the Author

Michael Schneider

Michael Schneider has been in IT since 2000. Since 2010 he has focused on information security. He is an expert in penetration testing, hardening and the detection of vulnerabilities in operating systems. He is well-known for a variety of tools written in PowerShell to find, exploit, and mitigate weaknesses. (ORCID 0000-0003-0772-9761)

