Articles Worth Reading: Inside CryptoWall 2

A bit more than a year ago, I wrote about my experience with ransomware in “Business of Editing: URLs, Authors, & Viruses.” A week later, I followed it up with “Articles Worth Reading: More on Ransomware.” And just a few weeks ago, I wrote “The Business of Editing: Playing It Safe” in which I discussed Sandboxie.

Well, here we go again.

If you have been dithering about Sandboxie or similar protection, I encourage you to read “Inside CryptoWall 2.0: Ransomware, Professional Edition” from Ars Technica. As the article notes:

The installation components of CryptoWall 2.0 are cloaked by multiple levels of encryption, with three distinct stages of installation each using a different encryption method to disguise the components installed. And like many modern pieces of malware, CryptoWall 2.0 has a virtual machine check in its code that disables the attack when the malware is installed within a virtual instance—in part to prevent security researchers from isolating and analyzing its behavior.

The VM checker code, in the first stage of CryptoWall’s dropper sequence, checks the system for running processes, searching for VMware and VirtualBox services or the Sandboxie application partitioning library. If the coast is clear, the code does some best practices-based memory handling to release memory used in the initial drop mode, then launches another dropper disguised as a Windows Explorer process.

Note that before it tries to install itself, CryptoWall searches for a running process like Sandboxie. If it finds Sandboxie (or similar software) running, it doesn’t go any further; if it doesn’t find Sandboxie running, it proceeds to the next installation step.

Since I originally bought Sandboxie, the licensing has changed. Now you can buy a lifetime license for up to 3 home computers for $49.95 or for 5 computers for $74.95. For just 1 computer, the lifetime license is $34.95. For pricing information click here. (Again, I have no connection or interest in Sandboxie other than having bought a license for my computers.)

I think the price is cheap for the protection it affords. And contrary to popular belief, your antivirus and malware programs do not protect against ransomware. Although ransomware exploits holes in the operating system, it does not attack the operating system, which is what antivirus and malware programs protect against; ransomware attacks your data files — your Word documents, your text files, your picture files, and the like — by encrypting them, not destroying them.

If you haven’t yet checked out a program like Sandboxie, I encourage you to do so.

Richard Adin, An American Editor

Advertisement