CryptoLocker Creators Infected Nearly 250,000 Systems, Earned $300k Since September

The attackers behind the CryptoLocker ransomware have infected between 200,000 and 250,000 systems worldwide to date and appear to have earned around $300,000 in ransom so far.

UPDATE: The math in this and other reports was simply tabulated incorrectly.

New American presidents often are measured by what they accomplish in their first 100 days. By that yardstick, the crew behind the CryptoLocker ransomware has been a raging success. The unknown group of attackers has already infected between 200,000 and 250,000 systems worldwide and has likely raked in at least $300,000 in ransom to date, according to researchers at the Dell SecureWorks Counter Threat Unit (CTU), who published a deep analysis of the malware this week.

In a blog post published Wednesday, Keith Jarvis, a Senior Security Researcher with Dell SecureWorks, discussed the history of CryptoLocker and described how the malware encrypts its victims’ files and holds them hostage until the victim pays a ransom, usually around $300.

While all of the research is an interesting read, it’s especially noteworthy that the analysis has finally given us an idea of how many computers have been infected since the malware surfaced shortly after the beginning of September.

It was reported in November that the malware had been sent to “tens of millions” of online banking customers in the U.K., but at the time it wasn’t clear how many recipients had actually opened the malicious attachment and been infected.

Now it’s clear that somewhere between 200,000 and 250,000 systems have been infected globally in the threat’s first 100 days, with the bulk of the attacks targeting machines in the United States.

CryptoLocker infections have surged over the last few months, with US-CERT and the U.K. National Crime Agency’s National Cyber Crime Unit warning computer users in their regions about CryptoLocker in October and November, respectively.

While both nations sounded the alarm, it was the U.S., at least from October 22 to November 1, that saw the lion’s share of infections. The United States saw 22,360 infections, accounting for a staggering 70.2 percent of the total infections over that time period. Great Britain came in a distant second with almost 2,000 infected systems, or about 5.5 percent of total infections.

As expected, the jump in infections coincided with a barrage of spam from the Cutwail botnet. Attackers used emails sent out in October by botnets like Cutwail as vehicles for malware like Zeus Gameover that distributed and delivered CryptoLocker.

CryptoLocker infections have tapered off somewhat over the last week or so, though, which has allowed the U.S. and the U.K. to more or less even up with each other. From December 9 to December 16, the United States tallied 24 percent of all infections while the U.K. accounted for 19 percent.

While it was already established that CryptoLocker relies on multiple payment platforms — prepaid electronic vouchers such as MoneyPak, CashU, Ukash and Paysafecard — to collect the ransom, it wasn’t until October that researchers discovered the malware had also begun accepting Bitcoin, the all-the-rage-these-days digital crypto-currency, in exchange for decrypting a victim’s files.

SecureWorks estimates that if the malware creators had cashed in the 1,216 BTC (Bitcoin) they collected over this period as it came in, they could have made about $380,000. Since Bitcoin conversion rates fluctuate wildly, though, that’s a far cry from what they could have earned by holding onto it until today: the attackers’ Bitcoins could fetch around $980,000 currently, according to Jarvis, who used the current weighted price of $804/BTC in his calculations.

Jarvis stresses that this is still a “conservative estimate,” and goes on to note that only a tiny fraction of CryptoLocker victims, roughly 0.4 percent, actually pay the ransom.

Even at that rate, however, the CryptoLocker gang has likely convinced at least 1,000 or so victims to pay up. At $300 apiece, that’s a cool $300,000 the attackers earned in just over 100 days, a profit they have clearly managed to conceal.

“Based on the duration and scale of attacks, they also appear to have the established and substantial ‘real world’ infrastructure necessary to ‘cash out’ ransoms and launder the proceeds,” Jarvis said, crediting the attackers’ prowess.
