Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

CryptoWall 3.0 – the most succcessful malware in history is not unstoppable

John E Dunn | Feb. 9, 2016
CryptoWall has rampaged across hard drives, unopposed. But PC users can defend themselves

CryptoLocker has gone down in history the ransom Trojan that introduced the world to the era of mass extortion attacks during 2013 but it is the copycat CryptoWall that has earned the more fearsome reputation. At least four revisions have appeared since its debut sometime in early 2014, not long after CryptoLocker's demise, with the 3.0 version that has been around since early 2015 still the example victims, including many businesses, are most likely to encounter.

Image: Imperva

The scale and continued success of CryptoWall takes some explaining. There have been several assessments of just how successful, including one from Dell SecureWorks that estimated infection numbers at 625,000 in the first six months after its discovery. By October the numbers had spiked towards the magic one million figure with many victims handing over several thousand dollars a time. Around the same time, security firm PhishMe uncovered Bitcoin wallets used by criminals controlling CryptoWall containing currency worth hundreds of thousands of dollars.

In November 2015, the Cyber Threat Alliance (CTA), an organisation counting Symantec, Fortinet, Zscaler, Intel Security and Palo Alto among its members, put the total damage done by CryptoWall 3.0 at a headache-inducing $325 million. Astonishingly, the world barely blinked at the scale of this estimate.

Whatever CryptoWall was up to it was finding victims willing to pay its ransom demands pretty easily. Nobody seems to care that this single piece of malware on its own has turned into one of the most successful pieces of organised crimeware in history.

A brand new analysis by Imperva has shed more light on CryptoWall 3.0, and it doesn't make pleasant reading for businesses that assume security firms or the police might at long last be getting on top of this threat.

A typical attack will demand Bitcoins and direct its C2 (command and control) over the Tor network, and send victims to darknet websites to decrypt scrambled files once a key has been bought. It's a design that allows the criminal to vary the sum demanded by geographical location, at least $700 for US users.

So far, so much what might be expected but then Imperva discovered something interesting - the criminals appeared to be hiding a small selection of back-end Bitcoin wallets behind a much larger population of front-end wallets across different campaigns. The company found that perhaps 670 victims had paid the equivalent of $337,607 (£190,000) into wallets that are a small subset of the true number.

The conclusion is that CryptoWall is hugely successful. Even if its conversion rate is small (that is the proportion of victims against infected machines) there are still more than enough to support a major business.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.