
Ad-borne Cryptowall ransomware is set to claim FRESH VICTIMS

Cybercrooks slurping hundreds of thousands from innocent marks, say securo-bods

Security watchers are warning of a surge in CryptoWall ransomware victims this month that will coincide with a campaign to spread a new variant of the malware through advertising networks.

More than 830,000 victims worldwide have been infected with the malware, a 25 per cent increase in infections since late August when there were 625,000 victims, according to security researchers at Dell SecureWorks.

The UK was one of the hardest hit regions when it comes to CryptoWall infections, with more than 40,000 victims. The ransoms demanded typically range from $200 to $2,000, with the larger sums usually reserved for victims who do not pay within the allotted time (usually 4 to 7 days).

Data collected directly from the ransom payment server reveals that a total of $1,101,900 in ransoms had been paid from March through August 2014 to the CryptoWall criminals. In the three months since a further 205,000 new victims have been claimed, doubtless increasing the total take to $1.4m or more.

CryptoWall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 encryption before demanding a ransom for the private key needed to recover scrambled documents. CryptoWall was first distributed in early November 2013, but the threat only went prime-time around February 2014.
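Because the files a strain like this leaves behind are effectively random bytes, one check defenders run after a suspected infection is a byte-entropy scan over recently modified files. The following is an added example written for this article, not code from The Register, Dell SecureWorks or Proofpoint: the sample file contents are constructed inline and the 7.5-bit threshold is an assumption chosen to separate ordinary documents from ciphertext.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits around 4-5; well-encrypted
    data approaches the 8.0 maximum of uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed threshold: documents and spreadsheets fall well below it, ciphertext
# (and, as a known false positive, already-compressed media such as JPEG/ZIP)
# sits above it.
HIGH_ENTROPY = 7.5

# File types that are high-entropy by design; skip them to cut false positives.
COMPRESSED_SUFFIXES = (".jpg", ".jpeg", ".png", ".zip", ".gz", ".7z", ".mp4")


def looks_encrypted(name: str, data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """Flag a file whose contents look like ciphertext, ignoring formats that
    are legitimately near-random."""
    if name.lower().endswith(COMPRESSED_SUFFIXES):
        return False
    return shannon_entropy(data) >= threshold


def scan_snapshot(files: dict) -> list:
    """Return the names of files in a {name: bytes} snapshot that look encrypted."""
    return sorted(name for name, data in files.items() if looks_encrypted(name, data))


def mass_encryption_suspected(files: dict, ratio: float = 0.5) -> bool:
    """A single odd file is noise; ransomware turns a large share of a user's
    documents into ciphertext at once. Assumed ratio: half or more flagged."""
    if not files:
        return False
    return len(scan_snapshot(files)) / len(files) >= ratio


# Constructed sample snapshot: two ordinary documents, one compressed image,
# and two files whose bytes have been replaced with pseudo-random data (a stand-in
# for ciphertext; seeded so the example is reproducible).
_rng = random.Random(2014)
_ciphertext = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))

SAMPLE_FILES = {
    "notes.txt": b"Quarterly report: revenue up 12 per cent, costs flat.\n" * 40,
    "minutes.docx": b"Meeting minutes, 18 September. Attendees: finance, IT.\n" * 40,
    "holiday.jpg": _ciphertext(4096),      # compressed media, skipped by suffix
    "budget.xlsx": _ciphertext(4096),      # document replaced by ciphertext
    "thesis.pdf": _ciphertext(4096),       # document replaced by ciphertext
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:14s} entropy={shannon_entropy(data):.2f} "
              f"flagged={looks_encrypted(name, data)}")
    print("mass encryption suspected:", mass_encryption_suspected(SAMPLE_FILES))
```

In practice the snapshot comes from a file-integrity monitor or an EDR "files modified in the last N minutes" query, and the ratio test is what turns a per-file heuristic into an alert: a burst of documents crossing the threshold together is the signature of an encryptor running, whereas one high-entropy file is usually just a backup or an archive.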

Early CryptoWall variants closely mimicked both the behaviour and appearance of the infamous CryptoLocker ransomware but the malware has evolved since then. It even survived a takedown operation against its command and control servers back in June.

Security researchers at Proofpoint warn that a new variant of CryptoWall recently spread through malicious banner ads. Surfers ran a risk of being faced with ransomware purely by visiting one of the impacted sites, which included various properties in the Yahoo! and AOL domains, among others.

"The sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware – which in turn, was not due to an explicit compromise of the networks; rather, it was due to the networks accepting ads from a malicious source without screening detection," Proofpoint explains in a lengthy blog post.

The malicious code contained in the ads used browser vulnerabilities and the like to push a new variant of CryptoWall onto the PCs of surfers visiting the affected sites. The malvertising campaign itself ran from 18 September until at least 18 October, when Proofpoint stopped recording new infections.

"Although we have notified impacted parties and halted this malvertising campaign, the attackers may be spreading CryptoWall 2.0 via other means," Proofpoint warns.

Based on the flows of ransom payments to Bitcoin addresses, Proofpoint estimates that the attackers made $25,000 per day, or anything up to $750,000 through the latest campaign. The crooks behind CryptoWall have used the tactic of distributing their malware through tainted ads before, as recently as August.

CryptoWall was previously spread via malicious email attachments and download links sent through the Cutwail spam botnet.

"CryptoWall 2.0 added TOR support and therefore made it much harder to trace back to the attacker's command and control servers," explained Wayne Huang, lead researcher at Proofpoint.

"With CryptoWall 2.0, the attackers are also heavily using obfuscation and anti-sandboxing techniques. This campaign saw at least two very different obfuscators + anti-sandboxers in use, although the naked payloads are exactly the same." ®
