Nvint Has Successfully Reverse Engineered CryptoWall Ransomware

(Ping! Zine Web Tech Magazine) – Ransomware is a type of malicious software designed to block access to a computer
system until a specific sum of money is paid. Some forms of ransomware encrypt files on the hard drive, while others simply lock the system until the ransom is paid.

In April of this year, the Michigan attorney general’s office issued a warning about ransomware, “These Ransomware criminals demand payment of the ransom by Bitcoin or MoneyPak, two essentially untraceable payment methods. Once payment is confirmed, the program promises to decrypt the encrypted files. However, some victims have reported that their files were not decrypted even after paying the ransom.”

Early this week, members of the Nvint security team were called to a client site whose network had been compromised and infected with the CryptoWall Decrypter Ransomware, which meant that critical data was not accessible. After 18 hours, the team was able to reverse engineer the ransomware and successfully recover the client’s data.

Wyatt Roersma, the Incident Response Team lead for Nvint, managed the project, “The first step was to gather as much information as possible about the network and the extent of the compromise. This was accomplished by installing our Intrusion Detection Analytics (IDA) security appliance,” according to Roersma. The IDA allows us to monitor, capture and analyze network traffic. With this information, the team was able to isolate the issue and determine how the network was breached.

Through reverse engineering, the Nvint team identified a major flaw in CryptoWall and the method used to delete the data which allowed the team to use file carving techniques to recover the data.

“This was a big win for our client and Nvint. As far as I know, we are the first company to successfully reverse engineer CryptoWall in order to find the flaw which allows file recovery,” said Roersma. “Unfortunately, in this day and age, you can’t keep intruders out of your network; however you can detect them once they infect a system. To mitigate damage, you must respond quickly and efficiently; this is what we do with the IDA security service.”

About CryptoWall Decrypter 
The malware, known as CryptoWall Decrypter, is a new version of the malware CryptoLocker and CryptoDefense which first surfaced in Sept. 2013. The malware encrypts files with a malicious payload. Victimized users lose their ability to access data.

When activated, CryptoWall encrypts certain types of files stored on local and mounted network drives using RSA-2048 bit public-key cryptography, with the private key stored only on the malware’s control servers.

About Nvint Proven Technology Solutions 
Nvint, Inc. specializes in IT Security, Infrastructure and customized Cloud Solutions. The Nvint Security Team assists clients with intrusion protection, incident response, file recovery, network re-design and monitoring. Since 2002, Nvint has been providing proven technology solutions from its headquarters in Grand Rapids, Mich.