An American Editor

January 10, 2015

Articles Worth Reading: Inside CryptoWall 2

A bit more than a year ago, I wrote about my experience with ransomware in “Business of Editing: URLs, Authors, & Viruses.” A week later, I followed it up with “Articles Worth Reading: More on Ransomware.” And just a few weeks ago, I wrote “The Business of Editing: Playing It Safe” in which I discussed Sandboxie.

Well, here we go again.

If you have been dithering about Sandboxie or similar protection, I encourage you to read “Inside CryptoWall 2.0: Ransomware, Professional Edition” from Ars Technica. As the article notes:

The installation components of CryptoWall 2.0 are cloaked by multiple levels of encryption, with three distinct stages of installation each using a different encryption method to disguise the components installed. And like many modern pieces of malware, CryptoWall 2.0 has a virtual machine check in its code that disables the attack when the malware is installed within a virtual instance—in part to prevent security researchers from isolating and analyzing its behavior.

The VM checker code, in the first stage of CryptoWall’s dropper sequence, checks the system for running processes, searching for VMware and VirtualBox services or the Sandboxie application partitioning library. If the coast is clear, the code does some best practices-based memory handling to release memory used in the initial drop mode, then launches another dropper disguised as a Windows Explorer process.

Note that before it tries to install itself, CryptoWall searches for a running process like Sandboxie. If it finds Sandboxie (or similar software) running, it doesn’t go any further; if it doesn’t find Sandboxie running, it proceeds to the next installation step.

Since I originally bought Sandboxie, the licensing has changed. Now you can buy a lifetime license for up to 3 home computers for $49.95 or for 5 computers for $74.95. For just 1 computer, the lifetime license is $34.95. (Again, I have no connection to or interest in Sandboxie other than having bought a license for my computers.)

I think the price is cheap for the protection it affords. And contrary to popular belief, your antivirus and antimalware programs do not protect against ransomware. Although ransomware exploits holes in the operating system, it does not attack the operating system itself, which is what antivirus and antimalware programs guard against; ransomware attacks your data files — your Word documents, your text files, your picture files, and the like — by encrypting them rather than destroying them.

If you haven’t yet checked out a program like Sandboxie, I encourage you to do so.

Richard Adin, An American Editor

2 Comments »

  1. Rats, Sandboxie doesn’t work with Macs.


    Comment by Ruth E. Thaler-Carter — January 10, 2015 @ 10:43 am | Reply

  2. […] story came to my attention via Rich Adin's An American Editor blog. He'd been paying closer attention to this issue than I because in late 2013 he had been hit twice […]


    Pingback by The Latest Malware is So Smart That It Won't Even Attack if It Detects Defenses ⋆ The Digital Reader — January 11, 2015 @ 9:46 pm | Reply
