UPDATE: The math in this and other reports was simply tabulated incorrectly.

New American presidents often are measured by what they accomplish in their first 100 days. By that yardstick, the crew behind the CryptoLocker ransomware has been a raging success. The unknown group of attackers has already infected between 200,000 and 250,000 systems worldwide and has likely raked in more than $300,000 in ransom to date, according to researchers at the Dell SecureWorks Counter Threat Unit (CTU), who published a deep analysis of the malware this week.

In a blog post published Wednesday, Keith Jarvis, a senior security researcher with Dell SecureWorks, traced the history of CryptoLocker and described how the malware encrypts its victims’ files and holds them hostage until a ransom, usually around $300, is paid.

While the research as a whole is an interesting read, it’s especially noteworthy that the analysis has finally given us an idea of how many computers have been infected since the malware surfaced shortly after the beginning of September.

It was reported in November that the malware had been sent to “tens of millions” of online banking customers in the U.K., but at the time it wasn’t clear how many recipients had actually opened the malicious attachment and been infected.

Now it’s clear that somewhere between 200,000 and 250,000 systems have been infected globally in the threat’s first 100 days, with the bulk of the attacks targeting machines in the United States.

CryptoLocker infections have surged over the last few months, prompting US-CERT and the U.K. National Crime Agency’s National Cyber Crime Unit to warn computer users in their regions about the threat in October and November, respectively.

While both nations sounded the alarm, it was the U.S., at least from October 22 to November 1, that saw the lion’s share of infections. The United States saw 22,360 infections, accounting for a staggering 70.2 percent of the total over that period. Great Britain came in a distant second with almost 2,000 infected systems, or about 5.5 percent of the total.

As expected, the jump in infections coincided with a barrage of spam from the Cutwail botnet. Attackers used emails sent out in October by botnets like Cutwail as the vehicle for malware like Zeus Gameover, which in turn downloaded and installed CryptoLocker on the compromised machines.

CryptoLocker infections have faded somewhat over the last week or so, however, which has allowed the U.S. and the U.K. to more or less even up with each other. From December 9 to December 16, the United States tallied 24 percent of all infections while the U.K. accounted for 19 percent.

While it was already established that CryptoLocker accepts ransom payments through multiple platforms, including prepaid payment systems like MoneyPak, CashU, Ukash and Paysafecard, it wasn’t until October that researchers discovered the malware had also begun accepting Bitcoin, the all-the-rage-these-days digital crypto-currency, to let victims decrypt their files.

SecureWorks estimates that if the malware’s operators had cashed in the 1,216 BTC (Bitcoin) they collected over this period as the payments came in, they would have made about $380,000. Because Bitcoin exchange rates fluctuate wildly, though, that is a far cry from what the same coins would be worth had they held onto them until today: according to Jarvis, who used the current weighted price of $804 per BTC in his calculations, the attackers’ Bitcoins could fetch around $980,000.

Jarvis stresses that this is still a “conservative estimate,” and goes on to note that only a tiny fraction of CryptoLocker victims, 0.4 percent, actually pay the ransom.

Even at that rate, however, it’s likely the CryptoLocker gang managed to convince at least 1,000 or so victims to pay up. At $300 a pop, that’s a cool $300,000 the attackers earned in just over 100 days, a profit they have clearly managed to conceal.

“Based on the duration and scale of attacks, they also appear to have the established and substantial ‘real world’ infrastructure necessary to ‘cash out’ ransoms and launder the proceeds,” Jarvis said, crediting the attackers’ prowess.

Categories: Malware

Comments (3)

    • Brian Donohue
      2

      Thanks for the heads up. I ran through the math again. Should actually have worked like this (I think):

      250,000 × 0.004 = 1,000 — this reflects that 0.4 percent of the 250,000 infected users paid the ransom. Thus, 1,000 users paid.

      1,000 × $300 = $300,000 — this reflects that 1,000 users paid a $300 ransom. Therefore the actual net profit is $300,000 for 100 days’ work.
