Reliable Contributor tao
Message 1 of 12

Malvertising campaign delivers digitally signed CryptoWall ransomware

Sep 29, 2014 8:50 AM

The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection.

Researchers from network security firm Barracuda Networks found new CryptoWall samples that were digitally signed with a legitimate certificate obtained from DigiCert. The samples were distributed through drive-by download attacks launched from popular websites via malicious advertisements....

Malvertising campaign delivers digitally signed CryptoWall ransomware | PCWorld

It would seem that the CryptoLocker block rules are not stopping CryptoWall from infecting systems... Anyone have any luck in stopping CryptoWall?

1 Solution

Accepted Solutions
Reliable Contributor tao
Message 9 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

There was only one file that made it through, that's all it took to encrypt.  No accusations, a simple FYI.

created by iwray on Oct 7, 2014 7:48 AM, last modified by iwray on Oct 7, 2014 7:48 AM

VirusScan and Host Intrusion Prevention proactive rules for the endpoint to effectively prevent the installation and/or payload of current as well as evolving variants of Cryptolocker/CryptoWall as well as some relevant background information about these threats.

11 Replies
Reliable Contributor exbrit
Message 2 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

Moved this provisionally to Web Threats as a better spot for it.

Peter

Moderator

Reliable Contributor tao
Message 3 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

This is a Web Threat along with a VSE Non-Detection

Reliable Contributor SafeBoot
Message 4 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

tao wrote:

This is a Web Threat along with a VSE Non-Detection

What's your evidence of that? Virustotal indicates it's totally detected by VSE...?

Here's the link if anyone else wants to track this malware - https://www.virustotal.com/en/file/048321a1ea3a7c04a3dceac523ccfd7f61561049535f7d4c3776a3a9d1fa3510/...

Reliable Contributor tao
Message 5 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

Other than the two articles posted above, along with this one:

Posted at 30 September 2014

http://www.myce.com/news/crypto-wall-ransomware-distributed-in-malicious-advertisements-72879/?PageS...

"The version distributed on the Indian website was signed with a valid certificate which has several benefits for cybercriminals. The download looks legitimate which gives users the impression they are installing a safe application, a valid certificate can also be used to circumvent security software and system security settings. When the ransomware hit the websites none of 55 virusscanner of the online scan service VirusTotal recognized the malware."

And uploaded a suspicious file from a system that was hit with CryptoWall to McAfee; they are creating an Extra.DAT to be released.

Reliable Contributor SafeBoot
Message 6 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

Your suspicious file must be something other than the topic of this article - perhaps something additional dropped after the original infection? If it had the same hash as the file mentioned in the original article, it would not have been allowed to execute - but thanks for sending it over so we can add it to the dataset.


Re the claim "When the ransomware hit the websites none of 55 virusscanner of the online scan service VirusTotal recognized the malware." It would be nice to know EXACTLY when it hit those servers - because then we could state how long it took to get protection. All we know, is as of now, most vendors catch this particular sample.


You also can't infer that a failure to detect according to Virustotal is a failure to detect in the field - VSE is much more than Virustotal, it has a lot more tech at its disposal than plain signature checking. Most McAfee customers use much more than VSE alone to secure themselves.

Reliable Contributor tao
Message 7 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

The "file" in question was a payload for CryptoWall.

Reliable Contributor SafeBoot
Message 8 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

I don't disagree - but two different payloads with different signatures are different files, even if they serve the same purpose. You can't accuse a vendor of non-detection, when the file you mention via link is indeed detected.

And as I mention, Virustotal only does the most basic of checks - they just use command line scanners. They don't have the benefit of all the behavioural detections built into modern AV products, so just because Virustotal gives a non-detect, does not mean your endpoints are at risk. It just means the threat is not explicitly identified.

Is the unique version you have now detected on virustotal though?

Reliable Contributor catdaddy
Message 10 of 12

Re: Malvertising campaign delivers digitally signed CryptoWall ransomware

Locking this thread as it is over 3 years old, and has been marked as 'Correctly Answered'.

Cliff
McAfee Volunteer