Cryptowall 2.0 has been described as ‘ransomware on steroids’ by Cisco Systems after the networking company discovered hackers using the Tor anonymity network to attack machines.

Although the virus used traditional methods such as email attachments and exploit kits to infect systems, it used Tor to disguise traffic to the command and control (C&C) server, which hackers use to lock up computers before demanding payment for their release.

Andrea Allievi and Earl Carter, security researchers at Cisco, said: "Ransomware is a growing threat to computer users. Variants continue to evolve in functionality and evasive capability."

"Just getting these complex samples to run in a sandbox can be challenging, making analysis more complicated and involved. Constant research is necessary to develop updated signatures and rules to combat these constant attacks."

Cryptowall was also found to be disrupting virtual machine and emulation checks to avoid detection by sandboxes, which are used to virtually run unfamiliar applications to see if they are malicious.

The malware dropper, which is used to install the main virus, also exploited a vulnerability listed in the Common Vulnerabilities and Exposures (CVE) catalogue to escalate privileges. The vulnerability can be found on 32-bit Windows operating systems from Vista onwards.

However, the researchers found that the malware sample they analysed was capable of running 64-bit code from the 32-bit dropper.

"Identifying and stopping these new complex variants requires a layered security approach. Breaking any step in the attack chain will successfully prevent this attack," they said.

"Therefore, blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity are critical to combating ransomware and preventing it from holding your data hostage."