Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging threat on CRYPWALL version 4

    • Updated:
    • 18 Dec 2015
    • Product/Version:
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 11.0
    • Platform:
    • N/A N/A
Summary

CRYPWALL v4 is usually downloaded by a DLOADER which arrives as an attachment on spam mail, or downloaded from the Internet.

The spam mail appears to be a mail containing a resume or a billing statement as attachment. This attachment contains a JS file which downloads CRYPWALL. No exploit is being used in the spam mail. You will have to click to execute the JS file. When executed, It will encrypt your files and will ask for ransom to recover your encrypted files.

For further information on the previous version, TROJ_CRYPWALL that Trend Micro already detects, click here.

”CRYPWALL

Antispam Pattern

LAYERDetailsPattern VersionRelease Date (GMT+8)
EXPOSURESpam mail with JS attachmentAS 197812/2/2015

VSAPI Pattern (Malicious File Detection)

LAYERDetectionPattern BranchRelease Date (GMT+8)
INFECTIONJS_CRYPLOD.SMAOPR 12.16911/23/2015
INFECTIONTROJ_CRYPWALL.DEOPR 12.16311/20/2015
INFECTIONRansom_CRYPWALL.SMBOPR 12.15911/18/2015
INFECTIONRansom_CRYPWALL.XXUALOPR 12.15711/17/2015
CLEAN-UPHS_WALLNOTE.SM1OPR 12.14711/12/2015

WRS Pattern (Malicious URL and Classification)

LAYERMalicious URLClassificationBlocking Date (GMT+8)
EXPOSUREhttp://{BLOCKED}46.30.43.183/syria.exeVirus Accomplice11/3/2015
EXPOSUREhttp://{BLOCKED}46.30.45.73/export.exeRansomware, Virus Accomplice11/13/2014
EXPOSUREhttp://{BLOCKED}46.30.45.73/mert.exeVirus Accomplice, Disease Vector11/18/2015
EXPOSUREhttp://{BLOCKED}46.30.42.78/import.exeRansomware, Virus Accomplice11/11/2015
EXPOSUREhttp://{BLOCKED}siddharthbunglows.com/wp-content/themes/twentythirteen/5Q4rte.php?v=1u2bv6eod5qf0nC&C, Virus Accomplice11/20/2015
EXPOSUREhttp://{BLOCKED}siddharthbunglows.com/wp-content/themes/twentythirteen/5Q4rte.php?v=4y4lqj4krkt8C&C, Virus Accomplice11/20/2015
EXPOSUREhttp://{BLOCKED}siddharthbunglows.com/wp-content/themes/twentythirteen/5Q4rte.php?x=xava0s2h50wuxC&C, Virus Accomplice11/20/2015
EXPOSUREhttp://{BLOCKED}daxpolska.com/x_files/1.php?e=43gn4du2ju3waqRansomware, Virus Accomplice11/18/2015
EXPOSUREhttp://{BLOCKED}daxpolska.com/x_files/1.php?m=qpg7e5o152yn1hRansomware, Virus Accomplice11/18/2015
EXPOSUREhttp://{BLOCKED}limret.com/form/mailformpro/2.php?e=43gn4du2ju3waqRansomware, Virus Accomplice11/18/2015
EXPOSUREhttp://{BLOCKED}limret.com/form/mailformpro/2.php?k=qpg7e5o152yn1hRansomware, Virus Accomplice11/18/2015
CLEAN-UPhttp://{BLOCKED}3wzn5p2yiumh7akj.onionRansomware, Disease Vector11/19/2015
CLEAN-UPhttp://{BLOCKED}therealdiehls.com/K3_J96.phpRansomware, Virus Accomplice11/18/2015
CLEAN-UPhttp://{BLOCKED}konstructmarketing.com/Ml63Pu.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}nobilighting.com/eX8yjr.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}project976.org/zyS9Kf.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}promofordbekasi.com/6jVb5D.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}reanimator-service.com/Y1U5s7.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}theboomerzblog.com/fQu7UH.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}zemamranews.com/jxke9u.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}sadefuar.com/xdqHcr.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}shopshe.com/jECfKN.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}vlsex.net/O4vH1A.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}wpwarriors.com/gnHPMv.phpC&C, Virus Accomplice11/13/2015
CLEAN-UPhttp://{BLOCKED}primemovies.net/z6Hfan.phpVirus Accomplice11/12/2015
CLEAN-UPhttp://{BLOCKED}xn--e1asbeck.xn--p1ai/7xSCFU.phpVirus Accomplice11/12/2015
CLEAN-UPhttp://{BLOCKED}webandnoticias.com/t6xe1z.phpDisease Vector11/11/2015
CLEAN-UPhttp://{BLOCKED}rationwalaaa.com/QOPYrs.phpRansomware, Virus Accomplice11/11/2015
CLEAN-UPhttp://{BLOCKED}spideragroscience.com/cWo1T2.phpRansomware, Virus Accomplice11/11/2015
CLEAN-UPhttp://{BLOCKED}virginia-education.com/8Ycy6k.phpRansomware, Virus Accomplice11/11/2015
CLEAN-UPhttp://{BLOCKED}46.30.45.73/import.exeDisease Vector11/10/2015
CLEAN-UPhttp://{BLOCKED}3wzn5p2yiumh7akj.effectwaytopay.comRansomware, Disease Vector11/9/2015
CLEAN-UPhttp://{BLOCKED}3wzn5p2yiumh7akj.forkinvestpay.comRansomware, Disease Vector11/9/2015
CLEAN-UPhttp://{BLOCKED}3wzn5p2yiumh7akj.marketcryptopartners.comRansomware, Disease Vector11/9/2015
CLEAN-UPhttp://{BLOCKED}3wzn5p2yiumh7akj.partnersinvestpayto.comRansomware, Disease Vector11/9/2015
CLEAN-UPhttp://{BLOCKED}thecarnivalfest.com/mQF14M.phpRansomware, Virus Accomplice11/6/2015
CLEAN-UPhttp://{BLOCKED}meaarts.com/bMUmqv.phpRansomware, Virus Accomplice11/5/2015
CLEAN-UPhttp://{BLOCKED}perpabaskievi.net/VCOzj5.phpRansomware, Virus Accomplice11/5/2015
CLEAN-UPhttp://{BLOCKED}pretor.su/ZLoNyf.phpRansomware, Virus Accomplice11/5/2015
CLEAN-UPhttp://{BLOCKED}safepeace.com/_QXEd6.phpRansomware, Virus Accomplice11/5/2015
CLEAN-UPhttp://{BLOCKED}sparshsewa.com/5a8CTM.phpRansomware, Virus Accomplice11/5/2015
CLEAN-UPhttp://{BLOCKED}tmp3malinium.com/7DSCmu.phpRansomware, Virus Accomplice11/5/2015
CLEAN-UPhttp://{BLOCKED}noblevisage.com/2qs9Rr.phpDisease Vector11/3/2015
CLEAN-UPhttp://{BLOCKED}travancy.com/8GBn_t.phpDisease Vector11/3/2015
CLEAN-UPhttp://{BLOCKED}tamazawatokuichiro.com/TkCs3y.phpC&C, Virus Accomplice11/2/2015

AEGIS Pattern (Behavior Monitoring Pattern)

LAYERPolicyPattern VersionRelease Date
DYNAMIC4126TOPR 149912/1/2015 (Batch 1)
DYNAMIC4127TOPR 149912/1/2015 (Batch 1)

DCT Pattern (System Clean Pattern)

LAYERDetectionPattern VersionReleased Date
DYNAMICDCT Gencleanlatest OPRpre-existing

Network Pattern

LAYERPATTERN NamePattern VersionRelease Date
CLEAN-UPHTTP_CRYPDEF_REQUESTEndpoint RR 1.10115.004/28/2015
CLEAN-UPOPS_HTTP_CRYPDEF_REQUESTEndpoint RR 1.10125.007/28/2015
 
Make sure to always use the latest pattern available to detect the old and new variants of CRYPWALL VERSION 4.
Details
Public

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan10.6 and above








Update Pattern via web console
Update Pattern via web console








Enable Web Reputation Service*
Update Pattern via Web console


Not Applicable
Update Pattern via Web console
Deep Security8.0 and aboveNot ApplicableUpdate Pattern via Web consoleUpdate Pattern via Web console
ScanMailSMEX 10 and laterNot ApplicableNot Applicable



Update Pattern via Web console
Not Applicable
SMD 5 and laterNot ApplicableNot ApplicableNot Applicable
InterScan MessagingIMSVA 8.0 and aboveNot ApplicableNot ApplicableNot Applicable
InterScan WebIWSVA 6.0 and laterNot ApplicableNot ApplicableNot Applicable
Deep DiscoveryDDI 3.0 and laterNot ApplicableNot ApplicableNot ApplicableUpdate Pattern via web console
 
*Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

Threat Report

Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Remove a Malware / Virus; Update
Solution Id:
1113209
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.