Nvint Has Successfully Reverse Engineered CryptoWall Ransomware

Ransomware is a type of malicious software designed to block access to a computer system until a specific sum of money is paid. Some forms of ransomware encrypt files on the hard drive, while others simply lock the system until the ransom is paid.

In April of this year, the Michigan attorney general's office issued a warning about ransomware:

“These Ransomware criminals demand payment of the ransom by Bitcoin or MoneyPak, two essentially untraceable payment methods. Once payment is confirmed, the program promises to decrypt the encrypted files. However, some victims have reported that their files were not decrypted even after paying the ransom.”

Early this week, members of the Nvint security team were called to a client site whose network had been compromised and infected with the CryptoWall Decrypter ransomware, leaving critical data inaccessible. After 18 hours, the team was able to reverse engineer the ransomware and successfully recover the client's data.

Wyatt Roersma, the Incident Response Team lead for Nvint, managed the project:

“The first step was to gather as much information as possible about the network and the extent of the compromise. This was accomplished by installing our Intrusion Detection Analytics (IDA) security appliance,” according to Roersma.

The IDA allows us to monitor, capture and analyze network traffic. With this information, the team was able to isolate the issue and determine how the network was breached.

Through reverse engineering, the Nvint team identified a major flaw in CryptoWall: the method it used to delete the original data after encrypting it left that data recoverable, which allowed the team to recover the client's files with file carving techniques.
</gre_replace>
<gr_insert after="20" cat="add_content" lang="python" orig="Through reverse engineering">
The page does not say how Nvint's recovery worked beyond "file carving", so the following is an added illustration of that technique and not Nvint's tooling. It assumes the weakness was the one file carving exploits: the malware wrote an encrypted copy and then deleted the original with an ordinary delete, leaving the original's clusters intact in unallocated space. The disk image below is constructed in the script (an intact deleted PNG and PDF, a PNG whose tail was overwritten by the malware's ciphertext, and the ciphertext blob itself); the signature table, the carver and the PNG validator are the example's own.

```python
"""Signature-based file carving over a raw disk image (added example, not Nvint's tooling).

Ransomware that encrypts a copy of each file and then unlinks the original leaves the
original's clusters untouched until they are reused, so intact originals can be carved
back out of unallocated space by scanning for file headers and footers.
"""
import random
import struct
import zlib

PNG_HDR = b"\x89PNG\r\n\x1a\n"
PNG_FTR = b"IEND\xaeB`\x82"

# File types to carve: name -> (header, footer). The footer bounds each candidate.
SIGNATURES = {
    "png": (PNG_HDR, PNG_FTR),
    "pdf": (b"%PDF-", b"%%EOF"),   # caveat: real PDFs may contain several %%EOF markers
}


def carve(image, max_size=1 << 20):
    """Return every (kind, offset, data) candidate whose header is followed by a footer
    within max_size bytes. Candidates may overlap: a header whose tail was overwritten
    pairs with the NEXT file's footer, so callers must validate what comes back."""
    candidates = []
    for kind, (header, footer) in SIGNATURES.items():
        start = 0
        while (h := image.find(header, start)) >= 0:
            window = image[h:h + max_size]
            f = window.find(footer, len(header))
            if f >= 0:
                candidates.append((kind, h, window[:f + len(footer)]))
            start = h + len(header)        # never skip ahead: later headers may be real files
    return sorted(candidates, key=lambda c: c[1])


def validate_png(data):
    """Walk the chunk list and check every CRC; rejects carves that spliced two files."""
    if not data.startswith(PNG_HDR):
        return False
    pos = len(PNG_HDR)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        if pos + 12 + length > len(data):
            return False
        tag = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if tag == b"IEND":
            return pos == len(data)
    return False


VALIDATORS = {"png": validate_png}


def recover(image):
    """Carve, then keep only candidates that pass a structural check where one exists."""
    kept, rejected = [], []
    for kind, off, data in carve(image):
        ok = VALIDATORS.get(kind, lambda _d: True)(data)
        (kept if ok else rejected).append((kind, off, data))
    return kept, rejected


# ---- constructed disk image for the demonstration (not real evidence) ----
def _chunk(tag, data):
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(width, height):
    """Minimal valid 8-bit RGB PNG with every pixel red."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_HDR + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def build_image(seed=1337):
    """Unallocated space containing: a deleted PNG whose tail clusters were overwritten by
    the malware's ciphertext, that ciphertext, an intact deleted PNG and an intact PDF."""
    rng = random.Random(seed)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    png = make_png(4, 4)
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
    damaged = make_png(2, 2)[:20]          # header + start of IHDR; the rest was overwritten
    ciphertext = noise(512)                # stands in for the encrypted copy the malware wrote
    image = noise(4096) + damaged + ciphertext + noise(300) + png + noise(1000) + pdf + noise(2048)
    return image, png, pdf


if __name__ == "__main__":
    image, png, pdf = build_image()
    kept, rejected = recover(image)
    for kind, off, data in kept:
        print(f"recovered {kind} at offset {off}: {len(data)} bytes")
    print(f"rejected {len(rejected)} spliced or partial candidate(s)")
```

Two things the run shows that the paragraph alone does not: the damaged PNG's header pairs with the footer of the next intact PNG, producing a spliced candidate that only the CRC walk rejects, and nothing at all is carved from the ciphertext region, because the encrypted copy has no recognisable structure. Carving of this kind recovers only contiguous files whose clusters have not been reused, so in a real response the disk is imaged before anything else is written to it, and variants that overwrite or shred the originals defeat the approach entirely.
<test>
image, png, pdf = build_image()
kept, rejected = recover(image)
assert [k for k, _, _ in kept] == ["png", "pdf"]
assert kept[0][2] == png
assert kept[1][2] == pdf
assert len(rejected) == 1
assert rejected[0][0] == "png" and rejected[0][1] == 4096
assert validate_png(png)
assert not validate_png(png[:-1])
assert not validate_png(rejected[0][2])
</test>
</gr_insert>
<gr_replace lines="24" cat="clarify" orig="“Unfortunately, in this day">
“Unfortunately, in this day and age, you can’t keep intruders out of your network; however, you can detect them once they infect a system. To mitigate damage, you must respond quickly and efficiently; this is what we do with the IDA security service.”

“This was a big win for our client and Nvint. As far as I know, we are the first company to successfully reverse engineer CryptoWall in order to find the flaw which allows file recovery,” said Roersma.

“Unfortunately, in this day and age, you can’t keep intruders out of your network; however you can detect them once they infect a system. To mitigate damage, you must respond quickly and efficiently; this is what we do with the IDA security service.”

About CryptoWall Decrypter

The malware, known as CryptoWall Decrypter, is a successor to CryptoLocker, which first surfaced in September 2013, and to CryptoDefense. Its payload encrypts the victim's files, so the affected users lose access to their data.

When activated, CryptoWall encrypts certain types of files stored on local and mounted network drives using 2048-bit RSA public-key cryptography. The private key needed to decrypt them is held only on the malware's control servers, so the encrypted copies themselves cannot be recovered without it.

About Nvint Proven Technology Solutions

Nvint, Inc. specializes in IT Security, Infrastructure and customized Cloud Solutions. The Nvint Security Team assists clients with intrusion protection, incident response, file recovery, network re-design and monitoring. Since 2002, Nvint has been providing proven technology solutions from its headquarters in Grand Rapids, Mich.


Related News

Bitcoin Ransomware CryptoWall is Back With Improvements

Bitcoin ransomware is a new type of malware attacking computers and networks all over the world. By encrypting files of all important extensions and forcing the device owner to pay a ransom in bitcoin to decrypt them, assailants have found a new way to abuse the popular digital currency for nefarious acts. Even though it looked like this threat was “under control” for a brief while, a new version of CryptoWall is making the rounds. Unfortunately, the latest version of the CryptoWall ransomware has not removed the option for infected users to pay in Bitcoin. In fact, several....

Bitcoin Ransomware Attacks Involving Cryptowall Originated from the Same Place - Report

Ransomware and Bitcoin make a great combination, but for all the wrong reasons. There was a sudden increase in the number of ransomware attacks earlier this year, which continued into the last few months. While these attacks continue even today, most of them go unreported in the media. Cryptowall is one of the most widely used malware families for launching ransomware attacks. The malware has been so good at doing its job that even the FBI has given up on it. What the people behind it are using it for is a completely different story, though. Who is behind all these ransomware attacks involving....

Losses in Bitcoin Ransomware Cryptowall Reach $18M

The Federal Bureau of Investigation reported that the total losses generated by the bitcoin ransomware called Cryptowall have reached $18 million. The FBI's Internet Crime Complaint Center stated that the agency received 992 complaints related to Cryptowall between April 2014 and June 2015. Bitcoin has typically been used by hackers as their means of demanding ransom from companies they've attacked with their malware. In Brisbane, a company has reportedly paid this bitcoin ransom, but the hackers refused to back down from their demands. Bitcoin Ransomware Attacks. Typically these....

Ransomware Racket Nets Developers $325 Million in Bitcoin: Report

The malware authors making up the cyber gang behind the intrusive Cryptowall 3.0 ransomware have raked in an estimated $325 million from hundreds of thousands of victims around the world by demanding ransom payments in Bitcoin. The ransomware has been active since January 2015. A cybercriminal group that develops and deploys Cryptowall 3.0 may have gathered millions of dollars of ransom in Bitcoin in this past year alone, a comprehensive study points out. Cryptowall version 3.0, the latest variant of a ransomware that is among the most effective tools used by....

Bitcoin Ransomware Hits Sheriff's Office

Dickson County Sheriff's Office said they had to pay a ransom of $500 in Bitcoin to regain access to thousands of their case files, which had been encrypted by a computer virus, News Channel 5 Network reports. IT Director Detective Jeff McCliss said: "Every sort of document that you could develop in an investigation was in that folder. There was a total of 72,000 files." The computer virus, Cryptowall, is a variant of the infamous CryptoLocker. In August, PC World reported that CryptoWall had infected over 600,000 computer systems in the past six months and held 5 billion files hostage,....