A single group could be behind the monstrous Cryptowall 3.0 ransomware, widely considered to be one of the most menacing threats to end users that has fleeced victims of millions of dollars.
Intel Security, Palo Alto Networks, Fortinet, and Symantec under the Cyber Threat Alliance have probed the net scourge revealing that the attackers are thought to be a single entity. That theory's based on commonalities in the Bitcoin wallets they use to receive ransom payments.
The findings are contained in the report Lucrative Ransomware Attacks (PDF). The document details the complexities of the ransomware menace that has forced users and businesses to pay criminals hundreds or thousands of dollars in individual ransoms for a key that can decrypt files.
The authors assert that "... as a result of examining this financial network, it was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity."
"When we examined the BTC (Bitcoin) transaction network stemming from the [ransom Bitcoin] wallets to what we considered to be final wallets, the financial impact was substantial.
"A majority of these BTC addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits or botnets used to send spam email."
The group runs a well-oiled machine that the top tech team says has been "immensely successful" in fleecing cash. Authorities said earlier this year that CryptoWall had squeezed US$18 million from US victims alone in a little over a year.
The encryption used by the malware is regarded as solid, with no known side-channel attacks through which less-professional and antiquated ransomware variants could be reversed without requiring payment.
It is so professional that multiple security types and system administrators have told this reporter they recommend their clients and bosses just pay up.
This week the FBI shocked no one in the security industry by recommending businesses just pay the criminals.
Cryptowall ransom payments are also highly developed, with complex transaction flows that are hard to trace and span hundreds of Bitcoin addresses.
About half of victims are based in the United States, however Australia is disproportionately represented in victim bases with at least 8000 infections hitting antipodean computers in the first six months of this year.
So-called facilitators help petty criminals enter the game by pairing them with ransomware writers, illicit web traffic barons, and exploit kit delivery groups.
A steady line of businesses hosed by ransomware have surfaced over recent months. One Australian sex shop had to pay AUD$1000 to remove the scourge. ®