A new version of the Cryptowall malware has been unearthed, leading to concerns that criminals are refining their attack strategy.
Cisco's Talos Group shed further light on Cryptowall 3.0 in a threat advisory, revealing that the malware features significant streams of "dead code" and an improved encryption algorithm.
"The latest 3.0 sample that we analysed was in a zip file. This zip file contains multiple dropper files which are essentially identical in functionality except for the encryption algorithm used to obfuscate the dropper and eventually build the Cryptowall 3.0 binary," read the advisory.
"Similar to the 2.0 version, the dropper is encrypted with a custom algorithm three times, but that is where the similarities end. In the 3.0 sample that we analysed, [many of the] dropper features which we identified as being operational in version 2.0 have been removed."
The removed features include the ability to switch between 32-bit and 64-bit operation, the use of multiple exploits within the dropper, and an anti-virtual-machine check designed to stop the malware from running in a virtual environment.
The Cisco researchers said that the streamlined malware indicates a shift in direction.
"Examining the dropper in the 3.0 sample indicates that it includes a lot of useless API calls and dead code. Apparently the dropper for this version of Cryptowall has been streamlined," read the advisory.
"The lack of any exploits in the dropper seems to indicate that the malware authors are focusing more on using exploit kits as an attack vector, since the exploit kit's functionality could be used to gain privilege escalation on the system."
Cryptowall 3.0 is the latest version of a popular ransomware family; the 3.0 variant was uncovered in January. Previous research from 'Kaffeine' showed that the 3.0 version of the ransomware had begun using the Invisible Internet Project (I2P) anonymity network.
Ransomware attempts to blackmail victims by locking them out of infected machines and charging a removal fee.
The Cisco researchers recommended that businesses take a variety of steps to protect against threats such as Cryptowall 3.0.
"Identifying and stopping ransomware variants definitely requires a layered security approach. Breaking any step in the attack chain will successfully prevent this attack," read the advisory.
"Therefore, blocking the initial phishing emails, blocking network connections to known malicious content, as well as stopping malicious process activity, are critical to combating ransomware and preventing it from holding your data hostage."
Cryptowall 3.0 is one of many threats to appear in recent weeks. Trend Micro researchers uncovered a campaign exploiting a zero-day vulnerability in Adobe Flash to spread the BEDEP malware on 6 February.