CryptoWall ransomware has been a gold mine for its operators, who have collected at least $1 million in extortion payments.
That total comes in spite of a takedown operation in June. CryptoWall continues to be the largest and most destructive ransomware threat on the Internet, according to the latest analysis of the threat by security researchers from Dell SecureWorks Counter Threat Unit (CTU).
CryptoWall is a strain of file-encrypting ransomware that encrypts files on infected Windows PCs and attached storage devices with RSA-2048 and then demands a ransom for the private key needed to recover them. Because the encryption uses only the public half of a key pair held by the operators, nothing left on the victim's machine can reverse it.
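The leverage in this model is that the victim's machine only ever holds the public key, so the operators can sell the private key as the sole recovery path. The Go program below is an added illustration written for this article, not CryptoWall's code or analysis from Dell SecureWorks. The article says only that CryptoWall uses RSA-2048; the hybrid construction here (a random per-file AES-256-GCM key wrapped with RSA-OAEP) is an assumption chosen to show the public-key property on realistic file sizes, since RSA-2048 alone can encrypt at most a few hundred bytes per operation. Everything it encrypts is a constructed in-memory sample, and all type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is everything that would remain on a victim's disk after
// encryption: the ciphertext, the GCM nonce, and the per-file key wrapped
// under the operators' RSA public key. No usable key material is present.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey) under the operators' public key
	Nonce      []byte // AES-GCM nonce, stored in the clear
	Ciphertext []byte // AES-GCM output (includes the authentication tag)
}

// EncryptFile models the victim-side operation: the only asymmetric
// material available here is pub, the operators' public key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key for this file only
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the per-file key so that only the holder of the private key
	// can unwrap it. After this call fileKey is no longer needed locally.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile models the recovery tool the operators sell: it requires the
// RSA private key. With any other key, OAEP unwrapping fails and no
// plaintext is produced.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	if ef == nil {
		return nil, errors.New("nil input")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	// Operators generate the key pair; only PublicKey ever reaches victims.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sample := []byte("constructed sample document: Q3 invoices and payroll export")

	ef, err := EncryptFile(&priv.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on-disk artefact: %d wrapped-key bytes, %d ciphertext bytes\n",
		len(ef.WrappedKey), len(ef.Ciphertext))

	// A different RSA key (attempted recovery without paying) fails outright.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := DecryptFile(other, ef); err != nil {
		fmt.Println("wrong private key:", err)
	}

	// The operators' private key recovers the original bytes.
	pt, err := DecryptFile(priv, ef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with operators' key: %q\n", pt)
}
```

The practical takeaway for responders is the one the article's economics rest on: once files are written in this form, offline backups are the only recovery path that does not run through the operators.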
In February, Dell SecureWorks CTU researchers registered a domain that the CryptoWall malware uses as a backup command and control (C2) server. Operating it as a sinkhole let them observe infected systems checking in and track how the malware spread.
Between mid-March and late August, nearly 625,000 systems fell victim to CryptoWall, which encrypted more than 5.25 billion files over that period. CTU researchers queried the ransom payment server using the unique identifier the malware assigns to each infected system and collected the IP address, approximate time of infection, and payment status for each infection in order to estimate how much victims had paid out.
The largest share of infections was in the United States (40.6 percent), reflecting CryptoWall's heavy distribution through Cutwail spam aimed at English-speaking users.
Data collected directly from the ransom payment server reveals the exact number of paying victims as well as the amount they paid. Of nearly 625,000 infections, 1,683 victims (0.27 percent) paid the ransom, which brought in $1,101,900 over six months.
Based on post-mortem data collected by researchers, CryptoWall has been less effective at producing income than CryptoLocker. CryptoWall has collected only 37 percent of the total ransoms taken in by CryptoLocker, despite infecting nearly 100,000 more victims.
“CryptoWall’s higher average ransom amounts and the technical barriers typical consumers encounter when attempting to obtain Bitcoins have likely contributed to this malware family’s more modest success,” Dell SecureWorks researchers said in a blog post. “Additionally, it is likely the CryptoWall operators do not have a sophisticated ‘cash out’ and laundering operation like the Gameover Zeus crew and cannot process pre-paid cards in such high volumes.”
CryptoWall first appeared in early November 2013, but it did not become widespread until this past February. While neither the malware nor the infrastructure of CryptoWall is as sophisticated as that of CryptoLocker, the attackers are very good at distributing the payload. CryptoWall has spread using browser exploit kits, drive-by downloads, and malicious email attachments. Since late March, malicious email attachments and download links sent through the Cutwail spam botnet have been the primary vectors for exposing victims to the malware.