Victims of the CryptoWall ransomware have been extorted out of at least $1m.
Despite a takedown operation in June, CryptoWall continues to be the largest and most destructive ransomware threat on the internet, according to the latest analysis of the threat by security researchers from Dell SecureWorks Counter Threat Unit.
Cryptowall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 encryption before demanding a ransom for the private key that recovers the documents. Dell SecureWorks CTU researchers registered a domain used by the CryptoWall malware as a backup command and control (C2) server in February. This sinkhole allowed them to get a clear insights into the malware's spread and behaviour that would not otherwise be possible.
Between mid-March and late August, nearly 625,000 systems were infected with CryptoWall. CryptoWall encrypted more than 5.25 billion files over the period. CTU researchers queried the ransom payment server using the codes assigned to each of these systems and collected the IP address, approximate time of infection, and payment status for each infection in order to estimate how much victims had paid out.
Many of the infections are in the United States (40.6 per cent) due to CryptoWall's frequent distribution through Cutwail spam targeting English-speaking users.
Data collected directly from the ransom payment server reveals the exact number of paying victims as well as the amount they paid. Of nearly 625,000 infections, 1,683 victims (0.27 per cent) paid the ransom, for a total take of $1,101,900 over the course of six months.
Based on post-mortem data collected by researchers, CryptoWall has been less effective at producing income than CryptoLocker. CryptoWall has only collected 37 per cent of the total ransoms collected by CryptoLocker, despite infecting nearly 100,000 more victims.
Multi-headed hydra spews crap
CryptoWall was first distributed in early November 2013, but the threat only went prime-time around February 2014. Early CryptoWall variants closely mimicked both the behaviour and appearance of the infamous CryptoLocker ransomware. Anecdotal reports from victims suggest the malware was distributed either as an email attachment or drive-by download. By February 2014, evidence collected by Dell SecureWorks researchers showed at least several thousand global infections.
While neither the malware nor infrastructure of CryptoWall is as sophisticated as that of CryptoLocker, the cybercrooks behind it have shown a talent proficiency for distribution. CryptoWall has spread using browser exploit kits, drive-by downloads, and malicious email attachments. Malicious email attachments and download links sent through the Cutwail spam botnet have become the main tricks for exposing victims to the malware since late March.
Spam campaigns pushing the ransomware using a "missed fax" lure in June led to many infections, according to Dell SecureWork's security researchers. More recently the malware has been seen by other researchers to spread through malicious advertisements.
Coding similarities between CryptoWall and the earlier Tobfy family of traditional ransomware (which only locked up PCs and didn't encrypt files) suggest the same gang of crooks may be behind both scams.
Command and control
CryptoWall uses an unremarkable command and control system that relies on several static domains hard-coded into each binary. Unlike other prevalent malware families, CryptoWall does not use advanced techniques such as domain generation algorithms (DGA) or fast-flux DNS systems.
These servers use the Privoxy non-caching web proxy and likely act as first-tier servers that proxy traffic from victims to backend servers that manage encryption keys.
The malware does not extract user credentials, files, or metadata about files. Early CryptoWall variants did transmit a screenshot of the infected system back to the command and control server, but this functionality has not been present in variants distributed since mid-March 2014, according to security researchers at Dell SecureWorks.
Beefed-up crypto fixes earlier flaws
CryptoWall variants deployed before April 2014 contained a weakness in the cryptographic implementation that allowed recovery of the key used to encrypt files. This flaw appears to have been corrected in later versions of the malware.
Files on fixed, removable, and network drives on infected machines are all targeted for encryption. Furthermore, cloud storage services, such as Dropbox or Google Drive, that are mapped to a targeted file system will also be encrypted.
Like CryptoLocker, earlier CryptoWall variants included numerous payment options, including pre-paid cards such as MoneyPak, Paysafecard, cashU, and Ukash in addition to the Bitcoin cryptocurrency. Unlike CryptoLocker, the CryptoWall crooks originally accepted Litecoin, however this looks to have been a bust. The only observed Litecoin address never received any payments.
Ransom demands by the crooks behind the scam vary widely, according to Dell SecureWorks.