CryptoWall 4.0 Released

Discussion in 'malware problems & news' started by itman, Nov 4, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  3. itman

    Been following Cryptowall 4.0 discussion and findings over at: http://www.bleepingcomputer.com/for...lp-your-files-ransomware-support-topic/page-1

    This bugger appears to be especially targeted at business, just as it has recently been predicted future ransomware targets will be. CW 4.0 appears to have this consistent common characteristic:

    So far, all e-mails have the same theme: 163[.]com sending domain, fake resume .ZIP attachment containing a (malicious) .JS file.
    Eset had a signature for the payload within a day of "in the wild" discovery.
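    The lure shape described above (a "resume" .ZIP attachment wrapping a .JS file) is something a mail gateway can check for before the user ever sees the attachment. The script below is an added example written for this thread; it is not code from the original post, from ESET or from BleepingComputer. It builds a constructed sample message with that exact shape, then scans it: the sender-domain watchlist defaults to the 163.com domain reported in the post, and the extension list goes beyond the page's .JS to the other script types a gateway would typically treat the same way (that list is my own assumption). All addresses and file contents are invented placeholders.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions treated as script/executable content inside an archive. The post
# names only .JS; the remaining entries are an assumption about what a gateway
# would add to the same rule.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}


def build_sample_message(inner_name="resume.js"):
    """Constructed test message with the lure shape from the post: a 'resume'
    .zip wrapping a script file. Addresses and file contents are placeholders."""
    msg = EmailMessage()
    msg["From"] = "applicant@sender.example"
    msg["To"] = "hr@company.example"
    msg["Subject"] = "My resume"
    msg.set_content("Please find my resume attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, "placeholder file body, nothing executable here\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="resume.zip")
    return msg.as_bytes()


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if none)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def scan_message(raw_bytes, script_exts=SCRIPT_EXTENSIONS, watch_domains=("163.com",)):
    """Return a list of human-readable findings for one raw RFC 822 message.

    Findings: sender domain on the watchlist, and any zip attachment that
    contains a file whose extension is in script_exts. The zip is opened in
    memory only; nothing is extracted to disk or executed.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    if domain in watch_domains:
        findings.append(f"sender domain {domain} matches the reported lure domain")
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not declared name: a renamed zip still starts with "PK".
        if not payload.startswith(b"PK"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    # splitext handles double extensions such as resume.pdf.js -> .js
                    ext = os.path.splitext(info.filename)[1].lower()
                    if ext in script_exts:
                        findings.append(
                            f"archive {filename} contains script file {info.filename}")
        except zipfile.BadZipFile:
            findings.append(f"attachment {filename} looks like a zip but cannot be parsed")
    return findings


if __name__ == "__main__":
    for line in scan_message(build_sample_message()):
        print("FINDING:", line)
```

    On a real gateway the same `scan_message` would be fed each inbound message and its findings used for quarantine or tagging; the watchlist is deliberately a scoring input rather than a hard block, since 163.com is a public mail provider and the post only reports it as the common sending domain of this campaign.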

  4. itman

    This one uses the %ProgramFiles% directory. Again, a HIPS rule that monitors and alerts to changes of registry start-up keys would allow you to thwart this bugger:

    To stay persistent on the infected machine, the ransomware creates the following registry key, previously copying the original executable to the %ProgramFiles% directory:

    Key: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”
    Value: “pr” = "%ProgramFiles%\”${RANSOMWARE_PATH}
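    The persistence mechanism quoted above is exactly what a HIPS rule on the Run key catches in real time. For hosts without a HIPS, the same thing can be done by polling: export the Run key once as a baseline, export it again later, and alert on any value that is new or changed. The script below is an added example for this thread, not code from the post or from any vendor. It parses the text format produced by `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" baseline.reg`, diffs two exports, and annotates each new entry with the two traits the post reports (launches from Program Files, two-character value name). The vendor entry and the file name `PLACEHOLDER_RANSOMWARE.exe` are constructed stand-ins; the real `${RANSOMWARE_PATH}` is not on the page.

```python
import re

# The autostart key named in the post. HKEY_CURRENT_USER has a parallel Run
# key that is worth baselining the same way (assumption: same format).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample exports in the format written by `reg export`.
# "VendorUpdater" and PLACEHOLDER_RANSOMWARE.exe are invented for this demo.
SAMPLE_BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"""

SAMPLE_CURRENT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"pr"="\"C:\\Program Files\\PLACEHOLDER_RANSOMWARE.exe\""
"""

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse [key] headers and "name"="data" string values from .reg text.

    Returns {key: {value_name: data}}. Non-string values (dword:, hex:) are
    skipped because Run entries are REG_SZ command lines.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and quotes with a backslash; undo that.
            data = re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][m.group(1)] = data
    return keys


def new_or_changed(baseline, current, key=RUN_KEY):
    """Values under `key` that are absent from the baseline or have different data."""
    base = baseline.get(key, {})
    return {n: d for n, d in current.get(key, {}).items() if base.get(n) != d}


def describe(name, data):
    """Reasons to raise an alert for one new autostart value."""
    reasons = ["new or changed autostart value"]
    lowered = data.lower()
    if "%programfiles%" in lowered or "\\program files\\" in lowered:
        reasons.append("command line runs from the Program Files directory")
    if len(name) <= 2:
        reasons.append("opaque two-character value name")
    return reasons


def audit(baseline_text, current_text):
    """Diff two exports and return a list of {name, data, reasons} findings."""
    baseline = parse_reg_export(baseline_text)
    current = parse_reg_export(current_text)
    return [{"name": n, "data": d, "reasons": describe(n, d)}
            for n, d in sorted(new_or_changed(baseline, current).items())]


if __name__ == "__main__":
    for f in audit(SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(f"ALERT {RUN_KEY}\\{f['name']} = {f['data']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

    The "Program Files" and short-name hints are only context; the actionable signal is the first reason, a value that was not in the baseline. Legitimate installers also add Run entries, so in practice the baseline is refreshed after each approved software change.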
  5. Minimalist

  6. itman

    If you can live with this:

    This tool is great but it is not staying loaded on reboot… Local user does not have admin access to run install at startup every reboot. Is there a solution?
    Same problem reported by Wilders users: https://www.wilderssecurity.com/threads/bitdefender-free-cryptowall-vaccine.371399/

  7. itman
