Menu
CryptoWall held over half-a-million computers hostage, encrypted 5 billion files

CryptoWall held over half-a-million computers hostage, encrypted 5 billion files

The gang behind this dangerous ransomware program has earned US$1 million so far, researchers from Dell SecureWorks said

A file-encrypting ransomware program called CryptoWall infected over 600,000 computer systems in the past six months and held 5 billion files hostage, earning its creators more than US$1 million, researchers found.

The Counter Threat Unit (CTU) at Dell SecureWorks performed an extensive analysis of CryptoWall that involved gathering data from its command-and-control (C&C) servers, tracking its variants and distribution methods and counting payments made by victims so far.

CryptoWall is "the largest and most destructive ransomware threat on the Internet" at the moment and will likely continue to grow, the CTU researchers said Wednesday in a blog post that details their findings.

The threat has been spreading since at least November 2013, but until the first quarter of this year it remained mostly overshadowed by CryptoLocker, another ransomware program that infected over half a million systems from September 2013 through May.

CryptoLocker asked victims for ransoms between $100 and $500 to recover their encrypted files and is estimated to have earned its creators around $3 million over 9 months of operation. The threat was shut down at the end of May following a multi-national law enforcement operation that had support from security vendors.

CryptoWall filled the void left by CryproLocker on the ransomware landscape through aggressive distribution using a variety of tactics that included spam emails with malicious links or attachments, drive-by-download attacks from sites infected with exploit kits and through installations by other malware programs already running on compromised computers.

The CryptoWall command-and-control servers assign a unique identifier to every infection and generate RSA public-private key pairs for each one.

The public keys are sent to infected computers and are used by the malware to encrypt files with popular extensions -- movies, images, documents, etc. -- that are stored on local hard drives, as well as on mapped network shares, including those from cloud storage services like Dropbox and Google Drive.

Files encrypted with an RSA public key can only be decrypted with its corresponding private key, which remains in the possession of the attackers and is only released after the ransom has been paid.

The CTU researchers were able to count the unique computer identifiers from the CryptoWall servers and also obtained information about their IP (Internet Protocol) address, approximate time of infection, and payment status.

"Between mid-March and August 24, 2014, nearly 625,000 systems were infected with CryptoWall," the CTU researchers said. "In that same timeframe, CryptoWall encrypted more than 5.25 billion files."

The largest number of infected systems were located in the United States -- 253,521 or 40.6 percent of the total. The next most affected countries were Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.

CryptoWall typically asks victims to pay the ransom in Bitcoin cryptocurrency, but earlier variants offered more payment options, including pre-paid cards like MoneyPak, Paysafecard, cashU, and Ukash.

The ransom amount grows if a victim doesn't pay the ransom within the initial allotted time, which is usually between four and seven days. The CTU researchers observed payments that ranged between $200 and $10,000 in value, the majority of them (64 percent) being of $500.

"Of nearly 625,000 infections, 1,683 victims (0.27%) paid the ransom, for a total take of $1,101,900 over the course of six months," the CTU researchers said.

This suggests that while CryptoWall managed to infect 100,000 more computers than CryptoLocker, it was less effective at generating income for its creators. Researchers determined in the past that 1.3 percent of CryptoLocker victims paid the ransom for a total of over 3 million dollars.

The difference in success rate might be explained through the technical barriers involved in obtaining Bitcoins, the CTU researchers said. In the case of CryptoLocker, 1.1 percent of victims paid the ransom through MoneyPak and only 0.21 percent used Bitcoin.

The CTU analysis found similarities between CryptoWall samples and those of an older ransomware family called Tobfy. If the same attackers are behind both threats, it means that they have at least several years of experience in ransomware operations.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Dell SecureWorkssecurityencryptiondata protectionmalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments