Victims of the CryptoWall ransomware have been extorted out of at least $1m.
Despite a takedown operation in June, CryptoWall continues to be the largest and most destructive ransomware threat on the internet, according to the latest analysis of the threat by security researchers from Dell SecureWorks Counter Threat Unit.
Cryptowall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 encryption before demanding a ransom for the private key that recovers the documents.
Dell SecureWorks CTU researchers registered a domain used by the CryptoWall malware as a backup command and control (C2) server in February. This sinkhole allowed them to get a clear insights into the malware's spread and behaviour that would not otherwise be possible.
Between mid-March and late August, nearly 625,000 systems were infected with CryptoWall. CryptoWall encrypted more than 5.25 billion files over the period. CTU researchers queried the ransom payment server using the codes assigned to each of these systems and collected the IP address, approximate time of infection, and payment status for each infection in order to estimate how much victims had paid out.
Many of the infections are in the United States (40.6 per cent) due to CryptoWall's frequent distribution through Cutwail spam targeting English-speaking users.
Data collected directly from the ransom payment server reveals the exact number of paying victims as well as the amount they paid. Of nearly 625,000 infections, 1,683 victims (0.27 per cent) paid the ransom, for a total take of $1,101,900 over the course of six months.
Based on post-mortem data collected by researchers, CryptoWall has been less effective at producing income than CryptoLocker. CryptoWall has only collected 37 per cent of the total ransoms collected by CryptoLocker, despite infecting nearly 100,000 more victims.
"CryptoWall's higher average ransom amounts and the technical barriers typical consumers encounter when attempting to obtain Bitcoins has likely contributed to this malware family's more modest success," Dell SecureWorks researchers explain in a blog post. "Additionally, it is likely the CryptoWall operators do not have a sophisticated "cash out" and laundering operation like the Gameover Zeus crew and cannot process pre-paid cards in such high volumes."
Multi-headed hydra spews crap
CryptoWall was first distributed in early November 2013, but the threat only went prime-time around February 2014. Early CryptoWall variants closely mimicked both the behaviour and appearance of the infamous CryptoLocker ransomware. Anecdotal reports from victims suggest the malware was distributed either as an email attachment or drive-by download. By February 2014, evidence collected by Dell SecureWorks researchers showed at least several thousand global infections.
While neither the malware nor infrastructure of CryptoWall is as sophisticated as that of CryptoLocker, the cybercrooks behind it have shown a talent proficiency for distribution. CryptoWall has spread using browser exploit kits, drive-by downloads, and malicious email attachments. Malicious email attachments and download links sent through the Cutwail spam botnet have become the main tricks for exposing victims to the malware since late March.
Cutwail spam email attachments typically distribute the Upatre downloader, which retrieves CryptoWall samples hosted on compromised websites. Upatre was also used to distribute the infamous Gameover ZeuS banking Trojan until a high-profile takedown operation in May. Malicious emails pushing CryptoWall began including links to legitimate cloud hosting providers – such as Dropbox, Cubby, and MediaFire – starting in June. The links point to ZIP archives that contain a CryptoWall executable.
Spam campaigns pushing the ransomware using a "missed fax" lure in June led to many infections, according to Dell SecureWork's security researchers. More recently the malware has been seen by other researchers to spread through malicious advertisements.
Coding similarities between CryptoWall and the earlier Tobfy family of traditional ransomware (which only locked up PCs and didn't encrypt files) suggest the same gang of crooks may be behind both scams.
Command and control
CryptoWall uses an unremarkable command and control system that relies on several static domains hard-coded into each binary. Unlike other prevalent malware families, CryptoWall does not use advanced techniques such as domain generation algorithms (DGA) or fast-flux DNS systems.
These servers use the Privoxy non-caching web proxy and likely act as first-tier servers that proxy traffic from victims to backend servers that manage encryption keys.
In late July 2014, several distributed samples used command servers hosted on the Tor network, suggesting the malware gang intend to eventually stop using traditional, directly accessible servers.
The malware does not extract user credentials, files, or metadata about files. Early CryptoWall variants did transmit a screenshot of the infected system back to the command and control server, but this functionality has not been present in variants distributed since mid-March 2014, according to security researchers at Dell SecureWorks.
Beefed-up crypto fixes earlier flaws
CryptoWall variants deployed before April 2014 contained a weakness in the cryptographic implementation that allowed recovery of the key used to encrypt files. This flaw appears to have been corrected in later versions of the malware.
Files on fixed, removable, and network drives on infected machines are all targeted for encryption. Furthermore, cloud storage services, such as Dropbox or Google Drive, that are mapped to a targeted file system will also be encrypted.
Like CryptoLocker, earlier CryptoWall variants included numerous payment options, including pre-paid cards such as MoneyPak, Paysafecard, cashU, and Ukash in addition to the Bitcoin cryptocurrency. Unlike CryptoLocker, the CryptoWall crooks originally accepted Litecoin, however this looks to have been a bust. The only observed Litecoin address never received any payments.
Ransom demands by the crooks behind the scam vary widely, according to Dell SecureWorks.
"The ransom has frequently fluctuated at the whim of the botnet operators, and no exact pattern has been established that determines which victims receive a particular ransom value," the security experts explain. "Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall's operators. The larger ransoms are typically reserved for victims who do not pay within the allotted time (usually four to seven days). In one case, a victim paid $10,000 for the release of their files." ®