CryptoLocker has gone down in history the ransom Trojan that introduced the world to the era of mass extortion attacks during 2013 but it is the copycat CryptoWall that has earned the more fearsome reputation. At least four revisions have appeared since its debut sometime in early 2014, not long after CryptoLocker’s demise, with the 3.0 version that has been around since early 2015 still the example victims, including many businesses, are most likely to encounter.
The scale and continued success of CryptoWall takes some explaining. There have been several assessments of just how successful, including one from Dell SecureWorks that estimated infection numbers at 625,000 in the first six months after its discovery. By October the numbers had spiked towards the magic one million figure with many victims handing over several thousand dollars a time. Around the same time, security firm PhishMe uncovered Bitcoin wallets used by criminals controlling CryptoWall containing currency worth hundreds of thousands of dollars.
In November 2015, the Cyber Threat Alliance (CTA), an organisation counting Symantec, Fortinet, Zscaler, Intel Security and Palo Alto among its members, put the total damage done by CryptoWall 3.0 at a headache-inducing $325 million. Astonishingly, the world barely blinked at the scale of this estimate.
Whatever CryptoWall was up to it was finding victims willing to pay its ransom demands pretty easily. Nobody seems ot care that this single piece of malware on its own has turned into one of the most successful pieces of organised crimeware in history.
A brand new analysis by Imperva has shed more light on CryptoWall 3.0, and it doesn’t make pleasant reading for businesses that assume security firms or the police might at long last be getting on top of this threat.
A typical attack will demand Bitcoins and direct its C2 (command and control) over the Tor network, and send victims to darknet websites to decrypt scrambled files once a key has been bought. It’s a design that allows the criminal to vary the sum demanded by geographical location, at least $700 for US users.
So far, so much what might be expected but then Imperva discovered something interesting – the criminals appeared to be hiding a small selection of back-end Bitcoin wallets behind a much larger population of front-end wallets across different campaigns. The company found that perhaps 670 victims had paid the equivalent of $337,607 (£190,000) into wallets that are a small subset of the true number.
The conclusion is that CryptoWall is hugely successful. Even if its conversion rate is small (that is the proportion of victims against infected machines) there are still more than enough to support a major business.
The second conclusion is more concerning: why aren’t the authorities doing more about scams that should be relatively easy to disrupt?
“In this report, we have clearly demonstrated that peeling the layers behind the financial infrastructure of ransomware is achievable and such investigations could be a powerful tool if undertaken by the appropriate authorities,” noted the report, acidly, before throwing a punch. “We believe one of the reasons ransomware is thriving is the lack of action from law enforcement agencies.”
Likely, police forces see studying the mechanisms used to execute crime as beyond their resources, regardless of how easy it looks from the outside. It’s also the case that police forces are attuned to solving crimes and that if no crime is reported (which it likely won’t be when a ransom is quietly paid), then there is nothing to investigate. Victims are almost certainly spread out across the developed world and even supra-national bodies such as Interpol find this hard to track.
“It is safe to assume that proceeds from the ransomware are funding other nefarious activities. ‘We don’t negotiate with terrorists, but we will let anyone rob you as long they use ransomware’ pretty much sums up the FBI’s current stance. How long before some major threat/attack gets linked to gains from ransomware? Maybe then action will be prompted,” said Imperva.
The advice for business who haven’t got the prevention memo remains much the same as it’s always been.
CryptoWall 3.0 – prevention is better than an empty wallet
- Don’t rely on anti-virus software alone to protect computers. Many programs aren’t up to the job not least because criminals make sure their attacks can beat most or all of them before they are launched.
- On the contrary, use some kind of file monitoring can delay or block this kind of attack. Ransomware targets files so if a lot are being opened on a machine this is a red flag.
- Employ regular backup and remember that file synchronisation systems such as Google Drive can be infected and are not a substitute against ransomware.
- Deploy email security, if necessary quarantining attachments or even disallowing them altogether for most users. Most ransomware attacks still exploit the incredibly weakness of email security is many organisations.
- Individuals should consider specific tools and advice when working out how to defend themselves.