Just over a month ago, researchers at Heimdal identified Cryptowall 4.0 ransomware, the latest incarnation of the nasty malware first discovered in September 2014. The malware has been developed continually since then, with the third version discovered in January 2015.
Now, Cryptowall 4.0 ransomware is threatening consumers and businesses alike. The latest version of the malware is even sneakier and more difficult to detect, and its file encryption goes much further. To make matters worse, Cryptowall 4.0 ransomware has been packed into the Angler exploit kit, making it easier for the vicious malware to be downloaded to devices.
The Angler exploit kit takes advantage of vulnerabilities in browsers, making drive-by downloads possible. Any organization that has not installed the latest browser and plugin updates is at risk of having its files encrypted.
Cryptowall 4.0 ransomware – The malware keeps on evolving to evade detection
Last month, the Cyber Threat Alliance released new figures on the cost of Cryptowall infections. The criminals behind the malware have so far managed to extort $325 million from victims around the world, and the latest version of the ransomware will ensure that the extortion continues. The bad news is that the latest version is likely to result in a much higher rate of infection. The money being ‘requested’ has also increased: victims are no longer being asked for $300 to unlock their files, but are being urged to pay $700 to unlock their files and keep their systems protected.
Victims are given less choice with the latest version of the malware. Not only are their files encrypted; to make it harder for victims to restore encrypted files from backups, the latest version also encrypts filenames. The aim is to confuse victims even more. It is, after all, hard to restore files if you don’t know which files need to be restored.
Angler exploit kit used to infect computers with Cryptowall 4.0 ransomware
The Angler exploit kit is particularly nasty, and Cryptowall 4.0 ransomware is not the only malware it installs. Visitors to malicious websites will have a host of malware installed on their computers. The network security threat is therefore considerable.
First of all, victims have to deal with Pony. Pony is installed and gallops around gathering information. It will steal login credentials and transmit the data back to the hacker’s command and control center. Attackers are looking for more than just a $700 ransom. What they are really after is access to content management systems and web servers.
A redirect then delivers Angler, which identifies security vulnerabilities that can be exploited. Angler can incorporate new zero-day vulnerabilities and has been designed to be particularly difficult to detect. Angler then installs Cryptowall 4.0 ransomware.
Greater need to install a powerful web filter to prevent infection
Unfortunately, the use of the Angler exploit kit means end users do not need to download and install Cryptowall 4.0 ransomware manually – or open a malicious email attachment. Drive-by downloads will install the malware automatically if the user visits a website infected with malicious code.
Organizations can spread the news of the latest incarnation of Cryptowall to the workforce and instruct end users to take greater care. However, since casual Internet surfing could result in computers being infected, greater protection is required.
Some end users will take risks and will ignore instructions. It is therefore a wise move to install software solutions to minimize the risk of infection by drive-by downloads. The cost of doing so will be much lower than the cost of dealing with multiple Cryptowall 4.0 ransomware infections.
WebTitan web filtering solutions are an ideal choice. They offer system administrators a host of powerful controls to prevent end users from visiting malicious websites and unwittingly infecting computers and networks. The software offers highly granular controls, allowing Internet access to be controlled for individuals or groups. Protection against malware can be vastly improved without impacting critical business processes. WebTitan allows sys admins to block web adverts from being displayed, limit access to social media networks and certain website types, and block sites known to contain malware and malicious code.
The inclusion of Cryptowall in the Angler exploit kit makes the installation of a web filtering solution less of an option and more of a necessity.
Essential security controls to reduce the risk of a Cryptowall 4.0 infection:
Conduct regular backups of your data – If you are infected, you must be able to restore all your files or you will have to pay the ransom.
Never store usernames and passwords on a computer – These can be read and transmitted to hackers.
Do not open unfamiliar email attachments – Even if an attachment looks safe, unless you are 100% sure of its authenticity, do not download or open it.
Install a spam filtering solution – Make sure all email spam is quarantined and not opened.
Keep anti-virus solutions up to date – Virus definitions must be 100% up to date. Ensure that an AV solution is used that will detect Cryptowall 4.0 ransomware.
Install patches as soon as they are released – Your system must be kept up to date. It will be scanned for vulnerabilities that can be exploited.
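As an added example (not part of the original post and not WebTitan's software), the Python script below shows one way to act on the filename-encryption point and the backup advice above: record a manifest of filenames and hashes when a backup is taken, then audit the tree later so that a backup whose recorded names have vanished and been replaced by unrecognized ones is flagged before anyone relies on it. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Manifest-based backup audit: spot wholesale filename replacement before restoring."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256. Run when the backup is taken."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def audit(root, manifest, missing_ratio=0.5):
    """Compare the live tree with a trusted manifest.

    A tree that still holds the recorded names is restorable. A tree where most
    recorded names are gone and new files carry extensions never seen in the
    manifest matches what a filename-encrypting ransomware leaves behind.
    """
    current = build_manifest(root)
    known_suffixes = {Path(p).suffix for p in manifest}
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unknown = sorted(p for p in current if p not in manifest)
    unrecognized = [p for p in unknown if Path(p).suffix not in known_suffixes]
    suspicious = (bool(manifest)
                  and len(missing) / len(manifest) >= missing_ratio
                  and len(unrecognized) >= len(missing) // 2)
    return {"missing": missing, "modified": modified, "unknown": unknown,
            "unrecognized": unrecognized, "suspicious": suspicious}


def write_tree(root, files):
    """Create constructed sample files (relative name -> text content) under root."""
    for name, content in files.items():
        path = Path(root, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Constructed scenario: audit a clean tree, then one where the recorded names
    have been replaced by random-looking names. Returns (clean verdict, garbled
    verdict, missing count, unrecognized count)."""
    clean = {"docs/report_q3.docx": "quarterly figures", "docs/budget.xlsx": "numbers",
             "notes.txt": "remember to rotate keys"}
    garbled = {"docs/7a9f0c3e.1b5d": "opaque", "docs/d41d8cd9.98f0": "opaque",
               "0e3f2a1c.77ab": "opaque"}  # constructed stand-in for encrypted names
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, clean)
        manifest = build_manifest(tmp)
        before = audit(tmp, manifest)
        for name in clean:           # replace the tree with the constructed garbled state
            Path(tmp, name).unlink()
        write_tree(tmp, garbled)
        after = audit(tmp, manifest)
    return before["suspicious"], after["suspicious"], len(after["missing"]), len(after["unrecognized"])
```

Storing the manifest somewhere the backed-up host cannot write to (offline media or a separate account) is what makes the comparison trustworthy.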