CryptoWall is a million-dollar business.
The file-encrypting ransomware has netted the criminal gang responsible for its development and distribution more than $1.1 million in the six months it has been in the wild, researchers at Dell SecureWorks’ Counter Threat Unit (CTU) said in a report this week.
The ransom payments are in stark contrast to the recommendations of some experts, who advise ransomware victims against paying because the criminals generally do not provide decryption keys or instructions for unlocking computers or recovering files.
CryptoWall appears to have spooked enough of its victims into forking over the ransom its keepers demand. Dell puts the number of infections between mid-March and Aug. 24 at nearly 625,000, with more than 5.25 billion files encrypted by the malware.
“CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing,” an overview of the Dell report said.
CryptoWall, the researchers estimate, has been distributed since November 2013, but its heyday began early this year, peaking in mid-May and early June. The report says CryptoWall was spreading via browser exploit kits and via spam and phishing email campaigns that used malicious attachments and download links. The attackers were using the Cutwail spam botnet to distribute CryptoWall via the Upatre downloader, which calls out to sites hosting the ransomware and downloads it onto a compromised machine.
On June 5, Dell recorded the largest single-day infection numbers after a Cutwail campaign launched that lured victims to a missed fax that was supposedly hosted in a Dropbox link. Before then, the virulent Angler and Rig exploit kits were distributing CryptoWall.
Dell was able to sinkhole a backup command-and-control server, which was contacted by close to 1,000 compromised machines, primarily in the Middle East, Asia and the United States. Overall, Dell says, compromised computers in the U.S. account for 41 percent of total infections, more than 250,000.
Dell said it tracked the campaign identifier assigned to each malware sample and was able to query the ransom payment server using these codes to learn more about the total number of infections and payouts. Dell said it believes a single group of attackers is behind CryptoWall.
Additional information in the report explores how the malware executes and injects itself into processes in order to maintain persistence on the infected computer. It also opens a back door to a number of static domains hardcoded in the malware; it does not rely on peer-to-peer, fast-flux, or domain generation algorithm (DGA) techniques for communication between bots, Dell said.
“These servers use the Privoxy non-caching web proxy and likely act as first-tier servers that proxy traffic from victims to backend servers that manage encryption keys,” the report said. “In late July 2014, several distributed samples used C2 servers hosted on the Tor network, which may indicate the operators intend to eventually stop using traditional, directly accessible servers.”
Once the malware retrieves an RSA public key from its C2 server, it begins encrypting files on the victim’s computer. The malware then opens a webpage with a message explaining the victim’s next course of action: a payment of anywhere from $200 to $2,000 within seven days via pre-paid cash cards such as MoneyPak, or via Bitcoin. Dell, too, discourages victims from paying; it points out that one victim paid $10,000 to get their files back. Dell said it saw payments from 1,683 victims totaling $1,101,900, with most paying either $500 or $1,000 ransoms.