Lone wolves could be behind multi-million dollar Cryptowall ransomware racket

Top tech firms say group is 'immensely successful'


A single group could be behind the monstrous Cryptowall 3.0 ransomware, widely considered one of the most menacing threats to end users, which has fleeced victims of millions of dollars.

Intel Security, Palo Alto Networks, Fortinet, and Symantec, working together under the Cyber Threat Alliance, have probed the net scourge and concluded that the attackers are likely a single entity. That theory is based on commonalities in the Bitcoin wallets they use to receive ransom payments.

The findings are contained in the report Lucrative Ransomware Attacks (PDF). The document details the complexities of the ransomware menace that has forced users and businesses to pay criminals hundreds or thousands of dollars in individual ransoms for a key that can decrypt files.

The authors assert that "... as a result of examining this financial network, it was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity."

"When we examined the BTC (Bitcoin) transaction network stemming from the [ransom Bitcoin] wallets to what we considered to be final wallets, the financial impact was substantial.

"A majority of these BTC addresses are used to launder the money into legal channels or to pay for services related to the campaigns, such as exploit kits or botnets used to send spam email."
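The attribution reasoning quoted above, following payments forward from each campaign's ransom address to the "final" wallets and joining campaigns that land in the same one, is easy to reproduce on a small transaction graph. The following is an added illustration, not the alliance's data or tooling: the campaign IDs, addresses and transfers are constructed for the example, and the hop limit is an assumption to bound mixer-style fan-out.

```python
"""Cluster ransomware campaigns by following Bitcoin payment flows.

Constructed example: the campaign IDs, addresses and transfers below are
made up for illustration. Each ransom address is followed forward through
the transfer graph to its 'final' wallets (addresses with no outgoing
transfer in the sample); campaigns that reach a common final wallet are
joined with a union-find, mirroring the 'shared primary wallet' argument.
"""
from collections import defaultdict, deque

# (campaign_id, ransom address victims are told to pay) -- constructed
RANSOM_ADDRESSES = [
    ("crypt100", "1Ransom100"),
    ("crypt200", "1Ransom200"),
    ("crypt300", "1Ransom300"),
    ("crypt999", "1Ransom999"),
]

# (from_address, to_address, btc) -- constructed on-chain transfers
TRANSFERS = [
    ("victim_a", "1Ransom100", 1.5),
    ("victim_b", "1Ransom100", 1.5),
    ("victim_c", "1Ransom200", 2.0),
    ("victim_d", "1Ransom300", 1.0),
    ("victim_e", "1Ransom999", 3.0),
    ("1Ransom100", "1Hop_x", 3.0),
    ("1Hop_x", "1Primary_A", 2.9),
    ("1Ransom200", "1Hop_y", 2.0),
    ("1Hop_y", "1Primary_A", 1.0),
    ("1Hop_y", "1Primary_B", 1.0),
    ("1Ransom300", "1Primary_B", 1.0),
    ("1Ransom999", "1Hop_z", 3.0),
    ("1Hop_z", "1Other_C", 3.0),
]


def build_graph(transfers):
    """Adjacency list: address -> [(next_address, btc), ...]."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def final_wallets(start, graph, max_hops=8):
    """Forward BFS from a ransom address.

    Returns {final_address: hops}. A final address is one with no outgoing
    transfer in our sample. Branches deeper than max_hops (an assumed limit)
    are abandoned rather than reported, so a long mixing chain does not
    produce a bogus 'final' wallet.
    """
    hops = {start: 0}
    queue = deque([start])
    finals = {}
    while queue:
        addr = queue.popleft()
        nxt = graph.get(addr, [])
        if not nxt:
            finals[addr] = hops[addr]
            continue
        if hops[addr] >= max_hops:
            continue
        for dst, _ in nxt:
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return finals


def campaign_income(ransom_addresses, transfers):
    """Sum BTC paid into each campaign's ransom address."""
    owner = {addr: cid for cid, addr in ransom_addresses}
    income = defaultdict(float)
    for _, dst, amt in transfers:
        if dst in owner:
            income[owner[dst]] += amt
    return dict(income)


def cluster_campaigns(ransom_addresses, transfers):
    """Join campaigns whose payments reach a common final wallet.

    Returns (clusters, shared) where clusters is a sorted list of sorted
    campaign-ID lists and shared maps each final wallet reached by more
    than one campaign to the set of campaigns reaching it.
    """
    graph = build_graph(transfers)
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    reach = defaultdict(set)  # final wallet -> campaigns that reach it
    for cid, addr in ransom_addresses:
        parent.setdefault(cid, cid)
        for fw in final_wallets(addr, graph):
            reach[fw].add(cid)

    shared = {fw: cids for fw, cids in reach.items() if len(cids) > 1}
    for cids in shared.values():
        first, *rest = sorted(cids)
        for other in rest:
            union(first, other)

    clusters = defaultdict(set)
    for cid in parent:
        clusters[find(cid)].add(cid)
    return sorted(sorted(c) for c in clusters.values()), shared


if __name__ == "__main__":
    clusters, shared = cluster_campaigns(RANSOM_ADDRESSES, TRANSFERS)
    print("clusters:", clusters)
    print("shared final wallets:", shared)
    print("income per campaign:", campaign_income(RANSOM_ADDRESSES, TRANSFERS))
```

On the constructed data, crypt100 and crypt200 share 1Primary_A, crypt200 and crypt300 share 1Primary_B, so the three collapse into one operator cluster while crypt999 stays separate. Real analysis needs the same two caveats the report implies: a "final" wallet is only final relative to the data you have pulled, and shared downstream addresses can also belong to a common service (an exchange or mixer) rather than a common operator, so a hit is a lead to corroborate, not proof on its own.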

The group runs a well-oiled machine that the alliance says has been "immensely successful" in fleecing cash. Authorities said earlier this year that CryptoWall had squeezed US$18 million from US victims alone in a little over a year.

The encryption used by the malware is regarded as solid, with no known implementation weaknesses of the kind that let older, less professional ransomware variants be decrypted without paying, such as keys left on the victim's disk or poorly generated keys.

It is so professional that multiple security types and system administrators have told this reporter they recommend their clients and bosses just pay up.

This week the FBI shocked no one in the security industry by recommending businesses just pay the criminals.

Cryptowall ransom payments are also highly developed, with complex transaction flows that are hard to trace and span hundreds of Bitcoin addresses.

About half of victims are based in the United States, but Australia is disproportionately represented among victims, with at least 8000 infections hitting antipodean computers in the first six months of this year.

So-called facilitators help petty criminals enter the game by pairing them with ransomware writers, illicit web traffic barons, and exploit kit delivery groups.

A steady line of businesses hosed by ransomware has surfaced over recent months. One Australian sex shop had to pay AUD$1000 to remove the scourge. ®
