10/29/2015
04:05 PM
With $325 Million In Extorted Payments CryptoWall 3 Highlights Ransomware Threat

Study by Cyber Threat Alliance reveals sophisticated nature of the latest version of CryptoWall

A new report from the Cyber Threat Alliance (CTA) on the latest version of the CryptoWall malware family helps illustrate why ransomware has emerged as one of the biggest threats to web users in recent times.

Since researchers first spotted CryptoWall Version 3 (CW3) in January this year, the ransomware has been used to extort a staggering $325 million from tens of thousands of victims worldwide. The victims include both businesses and individuals, many of whom are based in North America.

The CTA, an eight-vendor coalition that includes Fortinet, Intel Security, Palo Alto Networks, and Symantec, said its review of CW3 revealed some 407,000 attempted infections worldwide since the beginning of this year. Security researchers from the CTA’s member organizations also discovered a total of 4,046 malware samples, 839 command-and-control URLs, five second-tier IP addresses and 49 campaign code identifiers associated with the malware.

The CTA report is an attempt by the alliance to show how threat intelligence sharing and collaboration among vendors can help bolster industry-wide cybersecurity.

According to the CTA, CryptoWall 3 is being primarily distributed through phishing emails and exploit kits. In about two-thirds of the attempted infections, victims received a phishing email with an attachment titled "internal," "fax," "invoice" or some other similarly innocuous name. More recently, cyber attackers have begun using well-known exploit kits like Angler to distribute CryptoWall 3 to victim systems, the CTA researchers said. Angler is designed to inject payloads like CW3 directly into the victim systems’ memory in completely encrypted fashion to avoid detection and removal by anti-malware tools.

The details around CW3 point to the size and scope of the ransomware problem.

Ransomware is basically malware that attackers have been using with increasing frequency to extort money from victims by first encrypting all data on their systems and then demanding a ransom in return for the encryption key.

Attackers typically require victims to pay up in Bitcoins through pay sites set up primarily to collect the ransoms. As the CTA report notes, ransom amounts typically range from a few hundred dollars to over one thousand dollars. Ransom amounts can change and often even double based on how long it takes for the victim to pay up. Typically, victims get the decryption key once the ransom has been paid.

The CryptoWall ransomware family is just one in a growing collection of tools being used to extort money from victims. Older examples include CryptoLocker and TorrentLocker.

Security researchers consider ransomware to be a particularly pernicious problem because of how difficult it is for victims to recover their encrypted data without first paying up. The sophisticated encryption employed by CryptoWall and other ransomware is hard to break, so unless victims have a backup of their data the only option often is to pay up or lose the data.

The technology employed in CW3 demonstrates the high level of skill that went into building such tools, says Rick Howard, chief security officer at Palo Alto Networks. “The evolution from Version 1 to version 3 is worthy of any legitimate development in the corporate world,” he says. “The complexity within obfuscation levels in both the Command and Control infrastructure and the Bitcoin payment infrastructure will make your head spin. Script kiddies do not do this,” Howard says.

In order for the business model to work, ransomware purveyors need a mature back office infrastructure, he said. “Essentially you need a world class customer support service to handle customer questions about the technical process for payment and decryption,” Howard said, pointing to the sophisticated nature of the ransomware ecosystem.

According to Howard, the researchers were able to track $325 million in ransom payments through the Bitcoin system. “Our estimate is conservatively low. We think it could easily be double that number but did not have the direct evidence to claim it.”

The FBI, which has been tracking the problem and warning businesses regularly about the seriousness of the threat, found itself in hot water recently after one of its own agents was reported as saying that the best option for victims without a data backup might be to just pay up.

The recent emergence of malware services that allow almost anyone to buy and deploy ready-to-use ransomware kits against targets of their choice has sparked concerns of a potential commoditization of the threat in future.

The threat is often thought of as a consumer issue, but businesses are equally vulnerable to ransomware. Richard Stiennon, chief research analyst at IT-Harvest, says ransomware has emerged as a top-of-mind issue for chief information security officers. “It is their number one fear,” he said. “There’s nothing that invokes a crisis like an executive with an infected system and all their data encrypted,” he says.

Despite vendor claims about the enormous ransom amounts being collected through such malware, it's hard to know for sure how many of the victims are actually paying up and how much, Stiennon says. But given the growth in ransomware, there’s little doubt that cyber criminals are profiting enormously from it, he says.

In most cases, ransomware targets are just victims of opportunity, he adds. To mitigate the threat, the best strategy is to maintain proper data backups and to ensure that systems are properly updated and patched.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
theb0x,
User Rank: Ninja
11/4/2015 | 3:03:56 PM
Re: Back up your data!
There is a simpler solution to protecting your data other than just backups.

Encrypt your data. CryptoWall can't encrypt files that are already encrypted by the end user.

The data can be decrypted on access, which would lock the files currently opened. When the file is closed it is automatically re-encrypted in real time. As an extra layer of security it is also possible to encrypt volume shadow copies of the files, as the behavior of CryptoWall will automatically sdelete (Secure Delete) all shadow copy data on the infected machine. I am in no way suggesting not to back up your data. However, a proper retention policy should also be correctly set to seven or more days. If a backup, whether it be to a local, network drive, or cloud based, is not encrypted there remains the risk of the files being encrypted by the ransomware and changes of modified files by CryptoWall propagating and overwriting the original backup of end user data. Also, CryptoWall only affects files by extension (i.e. .docx, .qbw, .xlsx). If a file extension is modified to something completely obscure in no relation with any application they will remain unaffected by this ransomware.
SgS125,
User Rank: Ninja
11/2/2015 | 10:51:53 AM
accuracy of amount in question?
According to Howard, the researchers were able to track $325 million in ransom payments through the Bitcoin system. "Our estimate is conservatively low. We think it could easily be double that number but did not have the direct evidence to claim it."


So really you could say that it was only half as much with just as much confidence?

I often wonder where the numbers for this come from, a guess may not be very newsworthy.

What evidence is there to prove it one way or another?
RyanSepe,
User Rank: Ninja
10/31/2015 | 5:00:34 PM
Enterprise Level
How prevalent is Ransomware at the enterprise level with network drives? Are they affected in the same way a regular endpoint will be?
RyanSepe,
User Rank: Ninja
10/31/2015 | 4:59:14 PM
Back up your data!
Please people, perform due diligence and don't let ransomware cripple us. Back up your data to another source regularly. Make sure your OS has default backup settings enabled such as Windows "Previous Versions". This could save tons of money and headaches.
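One way to verify the advice in the two comments above (that Windows "Previous Versions" is actually available and that shadow-copy retention covers a seven-day window), as an added PowerShell example that is not part of the article or either commenter's post. It assumes the seven-day threshold, reads shadow copies through the Win32_ShadowCopy CIM class, and should be run from an elevated prompt.

```powershell
# Added example: report shadow-copy ("Previous Versions") coverage per fixed volume
# and flag volumes whose retention is shorter than the assumed seven-day policy.
$RetentionDays = 7   # assumption taken from the comment above; adjust to your policy

# Fixed local disks only (DriveType 3). DeviceID is the \\?\Volume{GUID}\ name that
# Win32_ShadowCopy.VolumeName refers to, so it is used to join the two lists.
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveType -eq 3 -and $_.DriveLetter }

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy

foreach ($vol in $volumes) {
    # Force an array so .Count and indexing behave the same for 0, 1 or many copies.
    $copies = @($shadows |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate)

    if ($copies.Count -eq 0) {
        Write-Warning "$($vol.DriveLetter) has no shadow copies; Previous Versions is unavailable."
        continue
    }

    $oldest   = $copies[0].InstallDate
    $newest   = $copies[-1].InstallDate
    $spanDays = ((Get-Date) - $oldest).TotalDays
    $status   = if ($spanDays -ge $RetentionDays) { 'OK' } else { 'SHORT' }

    [pscustomobject]@{
        Drive         = $vol.DriveLetter
        ShadowCopies  = $copies.Count
        Oldest        = $oldest
        Newest        = $newest
        RetentionDays = [math]::Round($spanDays, 1)
        Status        = $status
    }
}

# To create a fresh, user-visible copy of a volume that has none (assumes C:\), run:
# Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
#     -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
```

Because CryptoWall deletes shadow copies on the infected machine, as the first comment notes, treat this as a health check for Previous Versions rather than a substitute for an off-host backup.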