Attacks/Breaches
8/28/2014 05:45 PM

CryptoWall More Pervasive, Less Profitable Than CryptoLocker

The former CryptoLocker wannabe has netted 625,000 infected systems and more than $1 million in ransoms.

CryptoWall might have been just a CryptoLocker wannabe a few months ago, but since CryptoLocker went down with the GameOver ZeuS ship in June, CryptoWall has taken its place as the top ransomware on the market, according to a new report.

Like similar ransomware, CryptoWall infects an endpoint, encrypts users' files, and demands payment from those who want access to those files. CryptoWall can get its hands on hard disks, removable drives, network drives, and even cloud storage services that are mapped to a targeted file system.

CryptoWall is neither as technologically sophisticated nor as profitable as CryptoLocker, but it has infected more systems, and it's earned a cool million for its operators so far. Dell SecureWorks' Counter Threat Unit says in a new threat intelligence report that its researchers "consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing."

CryptoWall has infected approximately 625,000 systems worldwide -- 80,000 more than CryptoLocker. According to Dell SecureWorks, every nation in the world has at least one victim, but more than 250,000 are in the United States.

CryptoWall has encrypted 5.25 billion files. To retrieve their files, victims generally pay ransoms ranging from $200 to $2,000 apiece, but one unfortunate person paid $10,000. Over the course of six months, the CryptoWall operators convinced 1,683 victims to pay up and made $1,101,900 in ransoms.

This is rather a small haul when compared to CryptoLocker, which made $27 million in its first two months. Researchers have a few theories as to why CryptoWall is less profitable.

For one thing, it does not provide enough payment options. CryptoLocker accepted bitcoins and MoneyPak, but CryptoWall takes only bitcoins, so it's more difficult for victims to hand over the dough.

CryptoWall may have the price point wrong. It asks for a higher average price from each individual than CryptoLocker did. Also, CryptoWall isn't as well connected as CryptoLocker, which had access to the GameOver ZeuS gang's cashout and laundering services.

It is also not as technologically sophisticated. Before it can encrypt any files on, or mapped to, the machine it has infected, CryptoWall must call back to its command-and-control server to retrieve an RSA public key. Therefore, blocking that initial communication with the C2 server will prevent the ransomware from ever holding anything for ransom -- and this C2 system is "unremarkable," according to SecureWorks.

"Unlike other prevalent malware families, CryptoWall does not use advanced techniques such as domain generation algorithms or fast-flux DNS," the report said. Nevertheless, "while neither the malware nor infrastructure of CryptoWall is as sophisticated as that of CryptoLocker, the threat actors have demonstrated both longevity and proficiency in distribution."
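The dependency the two preceding paragraphs describe, modeled as an added example in Python (this is not CryptoWall's code and nothing from the SecureWorks report): the encryption stage can only proceed once a public key has arrived from a single, static C2 host, so an egress block at that moment leaves every file untouched. The RSA primes, the per-file key wrapping and the SHA-256 keystream are toy stand-ins for the real 2048-bit RSA and AES such malware would use; that construction and the sample files are assumptions made for illustration.

```python
"""Model of the callback dependency described above: the encryption stage can
only run once a public key has arrived from the command-and-control server.
Added illustration, not CryptoWall's code. The RSA primes and the SHA-256
keystream are toy stand-ins for real 2048-bit RSA and AES (assumptions)."""
import hashlib
import os

# Operator-side key pair. Only (N, E) ever leaves the C2 server; D stays with the
# criminals, which is why victims cannot recover files from the infected host alone.
P = (1 << 61) - 1           # Mersenne prime M61 (toy size)
Q = (1 << 89) - 1           # Mersenne prime M89 (toy size)
N = P * Q                   # about 150 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

WRAP_LEN = 32               # bytes needed to hold an integer below N


class C2Server:
    """Stands in for the single, static C2 host the report describes (no DGA,
    no fast-flux): either egress to it works or it does not."""

    def __init__(self, reachable: bool = True):
        self.reachable = reachable

    def fetch_public_key(self):
        if not self.reachable:
            raise ConnectionError("egress to C2 blocked")
        return N, E


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; illustrative substitute for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_files(files: dict, c2: C2Server):
    """Return (files_after, status). If the key fetch fails, nothing is modified."""
    try:
        n, e = c2.fetch_public_key()
    except ConnectionError:
        return dict(files), "no key: files untouched"
    out = {}
    for name, data in files.items():
        file_key = os.urandom(16)                  # per-file symmetric key
        nonce = os.urandom(16)
        # Wrap the file key under the operator's public key (hybrid pattern, assumed).
        wrapped = pow(int.from_bytes(file_key, "big"), e, n).to_bytes(WRAP_LEN, "big")
        out[name] = wrapped + nonce + xor_bytes(data, keystream(file_key, nonce, len(data)))
    return out, "encrypted"


def decrypt_with_private_key(blob: bytes, d: int = D, n: int = N) -> bytes:
    """What the operator's decrypter does after payment: unwrap the file key, then the body."""
    wrapped, nonce, body = blob[:WRAP_LEN], blob[WRAP_LEN:WRAP_LEN + 16], blob[WRAP_LEN + 16:]
    file_key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(16, "big")
    return xor_bytes(body, keystream(file_key, nonce, len(body)))


# Constructed sample "victim" files, not real data.
SAMPLE_FILES = {
    "ledger.xlsx": b"Q3 payroll and vendor payments",
    "Z:\\shared\\contracts.docx": b"mapped network share content",
}


def run_scenario(egress_blocked: bool) -> str:
    """Convenience wrapper: returns the status string for one scenario."""
    _, status = encrypt_files(SAMPLE_FILES, C2Server(reachable=not egress_blocked))
    return status


if __name__ == "__main__":
    print("C2 reachable:", run_scenario(egress_blocked=False))
    print("C2 blocked:  ", run_scenario(egress_blocked=True))
```

The practical point is the ordering: the public key is fetched before the first file is opened, so a proxy or firewall rule that denies the callback (a static hostname, per the report, so a plain blocklist entry suffices) stops the chain before any damage. Once the key has arrived, the only thing that unwraps the per-file keys is the private exponent the operators never ship.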

CryptoWall has used the Cutwail botnet to spread through malicious email attachments and malicious download links -- sometimes to the Upatre downloader and other times to legitimate cloud hosting providers like Dropbox and MediaFire. It has also spread through the Angler, RIG, and Infinity exploit kits.

Researchers have seen similarities between CryptoWall and the Tobfy ransomware family. This suggests that the threat actors for both are the same or are related.

"The threat actors behind this malware have several years of successful cybercrime experience and have demonstrated a diversity of distribution methods," the report said. "As a result, CTU researchers expect this threat will continue to grow."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
theb0x
User Rank: Moderator
8/29/2014 | 4:55:25 PM
Re: What should enterprises do when faced with ransomware?
Given the complexity of the encryption used, a brute-force attack is not practical by any means for key retrieval. I have seen cases where paying the ransom has allowed the user/company to retrieve their data successfully. I have also seen the ransom paid and no key ever provided by the criminal. If you have no valid backup of your files, the only chance you have at all is to pay it. That may not be what you want to hear, but it is the truth in most incidents.

Some of this ransomware is quite sophisticated, as it does indeed encrypt all locally attached storage and network shares, sdeletes all volume shadow copies, etc., of previous-version files.


Besides having offsite redundant backups, I recommend that all backups performed are locally encrypted prior to being sent offsite. This ensures your files cannot be affected. The ransomware will not be able to access your files with its cipher.

Network share permissions should be reviewed for all user accounts, and a GPO should be put in place to deny executable processes from running in %AppData% and %LocalAppData%.
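The path rule the comment above proposes, written out as an added Python check over process-creation events (this is not the commenter's code and not a vendor tool; in production the rule itself would live in a Software Restriction Policy or AppLocker path rule). It shows the one thing a plain "deny %AppData%" rule does not: legitimate per-user installs such as OneDrive also live under %LocalAppData%, so the policy needs carve-outs, and running the check over a day of 4688 events first tells you which ones. The environment-variable expansions, the allow-list entries and the sample event records are constructed for illustration.

```python
"""Added example (not from the comment above or any vendor tool): a check over
process-creation events that flags executables launched from the per-user
AppData trees that the comment proposes denying by GPO, with allow-list
carve-outs for legitimate per-user installs."""
from fnmatch import fnmatchcase

# Windows path-rule style patterns. Assumption: %AppData% expands to
# C:\Users\<user>\AppData\Roaming and %LocalAppData% to C:\Users\<user>\AppData\Local.
ENV_EXPANSIONS = {
    "%appdata%": r"c:\users\*\appdata\roaming",
    "%localappdata%": r"c:\users\*\appdata\local",
}
DENY_RULES = [r"%AppData%\*", r"%LocalAppData%\*"]
# Carve-outs you would expect to need; illustrative list, tune to your estate.
ALLOW_RULES = [r"%LocalAppData%\Microsoft\OneDrive\*"]

# Constructed Security event 4688 style records: (subject account, new process
# name, creator process name). Not real logs.
SAMPLE_EVENTS = [
    ("CORP\\jsmith", r"C:\Users\jsmith\AppData\Roaming\invoice_0827.exe",
     r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"),
    ("CORP\\jsmith", r"C:\Users\jsmith\AppData\Local\Temp\upd.tmp.exe",
     r"C:\Windows\explorer.exe"),
    ("CORP\\mlee", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Windows\explorer.exe"),
    ("CORP\\mlee", r"C:\Users\mlee\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     r"C:\Windows\explorer.exe"),
    ("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\services.exe"),
]


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; compare everything lower-cased with backslashes."""
    return path.replace("/", "\\").lower()


def expand_rule(rule: str) -> str:
    """Turn a %Var%-style rule into a concrete wildcard pattern."""
    rule = normalize(rule)
    for var, prefix in ENV_EXPANSIONS.items():
        rule = rule.replace(var, prefix)
    return rule


def matches_any(path: str, rules) -> bool:
    # fnmatch's '*' spans backslashes, which mirrors how a path rule covers a
    # whole subtree (assumed to match SRP/AppLocker semantics closely enough here).
    p = normalize(path)
    return any(fnmatchcase(p, expand_rule(r)) for r in rules)


def is_denied(image_path: str) -> bool:
    """Deny wins unless an explicit allow carve-out covers the image."""
    return matches_any(image_path, DENY_RULES) and not matches_any(image_path, ALLOW_RULES)


def triage(events):
    """Return the events whose new process the policy would have blocked."""
    return [ev for ev in events if is_denied(ev[1])]


if __name__ == "__main__":
    for account, image, parent in triage(SAMPLE_EVENTS):
        print(f"{account}: {image}  (spawned by {parent})")
```

Run against the constructed sample, the two AppData-resident binaries spawned from Outlook and Explorer are flagged, while Chrome, svchost and the carved-out OneDrive binary are not. Swapping the sample list for an export of real 4688 or Sysmon event 1 records gives the false-positive list to resolve before the deny rule is enforced.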

 
Robert McDougal
User Rank: Ninja
8/29/2014 | 3:05:14 PM
Re: What should enterprises do when faced with ransomware?
As much as I would like to say there isn't a situation in which you should pay the ransom, since doing so encourages the attackers, that isn't always the case. Until recently, most of the computers that I dealt with which were infected with Cryptowall had backups. A few months ago a user's PC was infected and she didn't have a backup, and to make matters worse her PC contained all the financial documents for the organization. Losing that data would have been devastating to her small business, so I advised her to pay the ransom of $400 to get the data back.
RyanSepe
User Rank: Ninja
8/29/2014 | 2:55:59 PM
Re: What should enterprises do when faced with ransomware?
Very good questions. I have just recently dealt with ransomware and have experience in dealing with both sets of questions. However, unfortunately, Marilyn, I would not want to alienate any organizations regarding your question, so I will be ambiguous in my answer and say yes. Luckily, my current organization has never dealt in such matters, but I know of ones that have.

@DarkReadingTim, I would say no to "are there situations where institutions consider paying the ransom," and here is why. Ransomware and restricting local areas shouldn't be a factor. It should be dictated in your enterprise's policy, and as best business practice, that all data be stored on mapped drives, stored in a data center and backed up to other servers. In this way, for ransomware and physical theft, you are not in danger of losing your data and don't find yourself in that situation.

You have the right to call law enforcement regarding these situations; however, I am not certain as to the success percentage of discovering the perpetrator. Before you do anything, document everything done to the machine. Logging is critical before law enforcement should get involved. (Senior professionals should be the ones investigating.)

Lastly, as stated above, I believe this should be set by policy. Policies are the foundation to information security. Before pursuing any endeavor, policy is the first item that should be set.

That's just one InfoSec professional's opinion; does anyone have a different outlook that could provide an outside perspective?
Marilyn Cohodas
User Rank: Strategist
8/29/2014 | 10:41:54 AM
Re: What should enterprises do when faced with ransomware?
Those are great questions, @DarkReadingTim. I've got one to add (and I doubt that anyone will answer), but here goes: Isn't it likely that companies that do pay a ransom would not publicize the fact -- so as not to encourage more ransomware threats?
DarkReadingTim
User Rank: Strategist
8/29/2014 | 9:59:00 AM
What should enterprises do when faced with ransomware?
I'm interested to hear what security professionals advise when faced with ransomware infections such as those outlined in the story. Are there situations when they should consider paying the ransom? What are the implications for their data if they call in law enforcement? Is this something an enterprise can set a policy on, or is it really decided on a case-by-case basis?