CryptoWall Collects $1M+ in Six Months

The family of file-encrypting ransomware known as CryptoWall is proliferating quickly, with more than $1 million paid in ransoms to date. Though it became well-known in the first quarter of 2014, researchers believe that the malware is now accelerating to become the largest and most destructive ransomware threat on the internet.

After the emergence of the infamous CryptoLocker ransomware in September 2013, the Dell SecureWorks Counter Threat Unit (CTU) research team observed an increasing number of ransomware families that destroyed data in addition to demanding payment from victims.

“While similar threats have existed for years, this tactic did not become widespread until CryptoLocker’s considerable success,” CTU said in a report shared with Infosecurity. “Traditionally, ransomware disabled victims’ access to their computers through non-destructive means until the victims paid for the computers’ release.”

Evidence collected by CTU researchers in the first several days of the February 2014 campaign showed at least several thousand infections worldwide. By mid-March 2014, CryptoWall had emerged as the leading file-encrypting ransomware threat. CTU data collected directly from the ransom payment server reveals that, of nearly 625,000 infections, 1,683 victims (0.27%) paid the ransom, for a total take of $1,101,900 over the course of six months.

“The threat actors behind this malware have several years of successful cybercrime experience and have demonstrated a diversity of distribution methods,” CTU said. “As a result, CTU researchers expect this threat will continue to grow.”

The malware has matured over the last few months as well. While neither the malware nor the infrastructure of CryptoWall is as sophisticated as that of CryptoLocker, the threat actors have demonstrated both longevity and proficiency in distribution.

CTU said that CryptoWall has spread through various infection vectors since its inception, including classics like browser exploit kits, drive-by downloads and malicious email attachments. Since late March 2014, it has been primarily distributed through malicious attachments and download links sent through the Cutwail spam botnet—the same mechanism that was so successful in spreading GameOver Zeus until it was disrupted in June.

“These Cutwail spam email attachments typically distribute the Upatre downloader, which retrieves CryptoWall samples hosted on compromised websites,” CTU explained. “In June 2014, the malicious emails began including links to legitimate cloud hosting providers such as Dropbox, Cubby, and MediaFire. The links point to ZIP archives that contain a CryptoWall executable.”


On June 5, 2014, an aggressive spam campaign launched by Cutwail led to the largest single-day infection rates observed by CTU researchers, using a common “missed fax” lure that included links to Dropbox. As a result, through June 13, a CTU sinkhole received connections from 968 unique hosts that appeared to be infected with early CryptoWall variants.
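The delivery pattern described above (Cutwail spam carrying a ZIP attachment, or a link to a consumer file-hosting site that serves a ZIP archive, behind a "missed fax" lure) is simple enough to triage at a mail gateway or in a SIEM. The script below is an added example written for this page; it is not CTU's or Infosecurity's code, and its record schema, scoring weights, lure keywords other than "fax", and sample messages are all constructed assumptions for the illustration. It scores each message and flags those that combine a ZIP (attached or hosted on one of the three services the article names) with a lure subject, while deliberately not matching lookalike hosts such as `dropbox.com.evil.example`.

```python
"""Triage mail records for the CryptoWall delivery pattern described above.

Added example, not CTU or Infosecurity code. The record schema, the scoring
weights, the lure words beyond "fax" and the sample data are assumptions.
"""
from urllib.parse import urlparse

# File-hosting services the article names as carrying CryptoWall ZIPs (June 2014).
FILE_HOSTS = {"dropbox.com", "cubby.com", "mediafire.com"}
# Lure keywords: "fax" comes from the article; the rest are assumed extras.
LURE_WORDS = ("fax", "voicemail", "invoice", "shipping")


def _host_matches(url):
    """True if the URL's host is exactly one of FILE_HOSTS or a subdomain of it.

    Using hostname + suffix match (not substring) keeps lookalikes such as
    dropbox.com.evil.example from matching."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FILE_HOSTS)


def _is_zip(name_or_url):
    """True if an attachment filename or a URL path ends in .zip (query ignored)."""
    path = urlparse(name_or_url).path if "://" in name_or_url else name_or_url
    return path.lower().endswith(".zip")


def score_message(msg):
    """Return (score, reasons) for one record.

    Assumed schema: {'id': str, 'subject': str,
                     'attachments': [filename, ...], 'links': [url, ...]}"""
    score, reasons = 0, []
    links = msg.get("links", [])
    if any(_is_zip(a) for a in msg.get("attachments", [])):
        score += 2
        reasons.append("zip attachment")
    hosted_zip = [u for u in links if _host_matches(u) and _is_zip(u)]
    hosted_other = [u for u in links if _host_matches(u) and not _is_zip(u)]
    if hosted_zip:
        score += 2
        reasons.append("file-host link to zip")
    elif hosted_other:
        score += 1  # ordinary sharing link: weak signal on its own
        reasons.append("file-host link")
    subject = msg.get("subject", "").lower()
    if any(w in subject for w in LURE_WORDS):
        score += 1
        reasons.append("lure subject")
    return score, reasons


def triage(messages, threshold=3):
    """Return [(id, score, reasons)] for messages at or above the threshold."""
    flagged = []
    for m in messages:
        s, r = score_message(m)
        if s >= threshold:
            flagged.append((m["id"], s, r))
    return flagged


# Constructed sample records (not real mail data).
SAMPLE = [
    {"id": "m1", "subject": "You have a missed fax", "attachments": [],
     "links": ["https://www.dropbox.com/s/abc123/fax_report.zip?dl=1"]},
    {"id": "m2", "subject": "Fax received", "attachments": ["fax_0042.zip"],
     "links": []},
    {"id": "m3", "subject": "Quarterly report", "attachments": [],
     "links": ["https://www.dropbox.com/s/xyz789/report.pdf"]},
    {"id": "m4", "subject": "Lunch Friday?", "attachments": ["menu.pdf"],
     "links": ["https://example.com/menu"]},
    {"id": "m5", "subject": "Your voicemail", "attachments": [],
     "links": ["https://dropbox.com.evil.example/x.zip"]},  # lookalike host
]

if __name__ == "__main__":
    for mid, s, r in triage(SAMPLE):
        print(mid, s, ", ".join(r))
```

Only m1 and m2 cross the threshold; m3 is an ordinary sharing link, and m5's lookalike host scores only for its lure subject. In production the lure list and weights would be tuned against real traffic, and the ZIP check would be extended to inspect archive contents for executables rather than trusting the filename.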

Overall, between mid-March and August 24, CryptoWall encrypted more than 5.25 billion files. Every nation in the world had at least one victim—though most of the infections are in the United States due to CryptoWall’s frequent distribution through Cutwail spam targeting English-speaking users.

Interestingly, given its widespread nature, CryptoWall’s authors seem interested in simply making money the old-fashioned way: extortion. Files on fixed (e.g., hard disks), removable (e.g., USB memory), and network drives (when mapped to a drive letter) are targeted for encryption. Furthermore, cloud storage services, such as Dropbox or Google Drive, that are mapped to a targeted file system will also be encrypted.

“The malware does not exfiltrate user credentials, files or metadata about files,” CTU said. “Early CryptoWall variants did transmit a screenshot of the infected system back to the C2 server, but this functionality has not been present in variants distributed since mid-March 2014.”

The ransom has frequently fluctuated at the whim of the botnet operators, and no exact pattern has been established that determines which victims receive a particular ransom value. Ransoms ranging from $200 to $2,000 have been demanded at various times, payable in various forms of crypto-currency, and CTU explained that larger ransoms are typically reserved for victims who do not pay within the allotted time (usually four to seven days). In one case, a victim paid $10,000 for the release of their files.

Interestingly, based on post-mortem data collected by researchers, CryptoWall appears to have been less effective at producing income than CryptoLocker. As of August 24, CryptoWall has only collected 37% of the total ransoms collected by CryptoLocker despite infecting nearly 100,000 more victims.

“CryptoWall’s higher-than-average ransom amounts and the technical barriers typical consumers encounter when attempting to obtain Bitcoins has likely contributed to this malware family’s more modest success,” said CTU. “Additionally, it is likely the CryptoWall operators do not have a sophisticated cash-out and laundering operation like the Gameover Zeus crew, and cannot process pre-paid cards in such high volumes.”
