CryptoWall
December 21, 2023
| Field | Value |
|---|---|
| ID | X0029 |
| Type | Ransomware |
| Aliases | None |
| Platforms | Windows |
| Year | 2014 |
| Associated ATT&CK Software | None |
CryptoWall is a family of ransomware. [1]
ATT&CK Techniques
| Name | Use |
|---|---|
| Initial Access::Spearphishing Attachment (T1566.001) | The malware file is sent as an attachment. [1] |
| Impact::Inhibit System Recovery (T1490) | The malware deletes volume shadow copies using vssadmin.exe. [1] |
| Command and Control::Proxy (T1090) | The malware tries to connect to I2P proxies. [1] |
| Impact::Data Encrypted for Impact (T1486) | The malware encrypts files. [1] |
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Impact::Data Encrypted for Impact::Ransom Note (E1486.001) | The malware launches Internet Explorer to show ransom notes. [1] |
| Discovery::File and Directory Discovery (E1083) | The malware searches for user files before encrypting them. [1] |
| Defense Evasion::Process Injection (E1055) | The malware injects code into a new svchost process. [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | A copy of CryptoWall is placed in the startup folder and in a directory at the root of the system drive. It also adds multiple "autostart" registry keys. [2] |
MBC Behaviors
| Name | Use |
|---|---|
| Command and Control::C2 Communication::Send Data (B0030.001) | The malware sends a hash value generated from system information. [1] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | The malware receives a public key from the C2. [1] |
Indicators of Compromise
SHA256 Hashes
- 03467f231a3fce6795545ae99a6dad161effa3bf681031693815eabf1648ee66
- 7ed58ef4fd3dc4efaea9e595614553445afb055c0c675b692f12a5629251b040
References
[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
[2] https://www.secureworks.com/research/cryptowall-ransomware