CryptoWall might have been just a CryptoLocker wannabe a few months ago, but since CryptoLocker went down with the GameOver ZeuS ship in June, CryptoWall has taken its place as the top ransomware on the market, according to a new report.
Like similar ransomware, CryptoWall infects an endpoint, encrypts the user's files, and demands payment from anyone who wants those files back. It reaches far beyond the local hard disk: removable drives, network shares, and even cloud storage services are all fair game as long as they are mapped as drives on the infected system.
CryptoWall is neither as technologically sophisticated nor as profitable as CryptoLocker, but it has infected more systems, and it's earned a cool million for its operators so far. Dell SecureWorks' Counter Threat Unit says in a new threat intelligence report that its researchers "consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing."
CryptoWall has infected approximately 625,000 systems worldwide -- 80,000 more than CryptoLocker. According to Dell SecureWorks, every nation in the world has at least one victim, but more than 250,000 are in the United States.
CryptoWall has encrypted 5.25 billion files. To retrieve their files, victims generally pay ransoms ranging from $200 to $2,000 apiece, but one unfortunate person paid $10,000. Over the course of six months, the CryptoWall operators convinced 1,683 victims to pay up and made $1,101,900 in ransoms.
This is rather a small haul when compared to CryptoLocker, which made $27 million in its first two months. Researchers have a few theories as to why CryptoWall is less profitable.
For one thing, it does not provide enough payment options. CryptoLocker accepted bitcoins and MoneyPak, but CryptoWall takes only bitcoins, so it's more difficult for victims to hand over the dough.
CryptoWall may have the price point wrong. It asks for a higher average price from each individual than CryptoLocker did. Also, CryptoWall isn't as well connected as CryptoLocker, which had access to the GameOver ZeuS gang's cashout and laundering services.
It is also not as technologically sophisticated. Before it can encrypt any files on or mapped to the machine it has infected, CryptoWall must call back to its command-and-control server to retrieve an RSA public key. Blocking that initial communication with the C2 server therefore prevents the ransomware from ever holding anything for ransom -- and this C2 system is "unremarkable," according to SecureWorks.
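The dependency described above can be seen in a small simulation. This is an added example written for this page, not CryptoWall's code: it models the key flow the report describes (the sample gets nothing but a per-victim RSA public key from the C2, wraps a locally generated file key with it, and discards the plaintext file key) so that the fail-closed behaviour is visible when the callback is blocked. Everything else is an assumption for illustration: the toy RSA parameters (two Mersenne primes, far too small to be secure), the SHA-256 keystream standing in for whatever file cipher CryptoWall actually uses, the sample file set, and all function names.

```python
import hashlib
import secrets

# Assumed toy parameters so textbook RSA runs on Python big ints without a
# third-party library. Insecure by design; not CryptoWall's real key sizes.
_P = (1 << 31) - 1
_Q = (1 << 61) - 1
_E = 65537

# --- C2 side --------------------------------------------------------------
_C2_PRIVATE_KEYS = {}  # victim_id -> (d, n); the private half never leaves the server


def c2_issue_public_key(victim_id):
    """C2 generates a per-victim RSA key pair and hands the sample only the public half."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)
    _C2_PRIVATE_KEYS[victim_id] = (d, n)
    return (_E, n)


def c2_unwrap_file_key(victim_id, wrapped):
    """What the ransom buys: the C2 unwraps the file key with its private key."""
    d, n = _C2_PRIVATE_KEYS[victim_id]
    return pow(wrapped, d, n).to_bytes(8, "big")


# --- symmetric layer (stand-in for the real file cipher) -------------------
def xor_keystream(key, data):
    """SHA-256-derived keystream XORed over the data; the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


# --- malware side ---------------------------------------------------------
def infect(files, fetch_public_key):
    """
    Simulated CryptoWall behaviour: nothing is encrypted until the C2 callback
    succeeds. `files` maps name -> plaintext bytes; `fetch_public_key` models
    the network call. Returns None when the callback is blocked, otherwise
    (encrypted_files, wrapped_file_key).
    """
    try:
        e, n = fetch_public_key()
    except ConnectionError:
        return None                       # egress denied: no key, so the sample stalls
    file_key = secrets.token_bytes(8)     # 64 bits only so it fits under the toy modulus
    encrypted = {name: xor_keystream(file_key, data) for name, data in files.items()}
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    del file_key                          # only the RSA-wrapped copy stays on the endpoint
    return encrypted, wrapped


def recover(victim_id, encrypted, wrapped):
    """Decryption path that exists only if the C2 cooperates (i.e. after payment)."""
    file_key = c2_unwrap_file_key(victim_id, wrapped)
    return {name: xor_keystream(file_key, data) for name, data in encrypted.items()}


# --- two runs: callback allowed vs. callback blocked by an egress filter ----
SAMPLE_FILES = {  # constructed sample data
    "report.docx": b"quarterly numbers, do not distribute",
    "photo.jpg": b"\xff\xd8\xff" * 20,
}


def run_with_c2_reachable():
    """Normal infection: files are encrypted and only the C2 can give them back."""
    victim = "victim-1"
    encrypted, wrapped = infect(SAMPLE_FILES, lambda: c2_issue_public_key(victim))
    return encrypted, recover(victim, encrypted, wrapped)


def run_with_c2_blocked():
    """Same sample, but the first callback is denied: nothing gets encrypted."""
    def blocked_callback():
        raise ConnectionError("egress to C2 denied by filter")
    return infect(SAMPLE_FILES, blocked_callback)


if __name__ == "__main__":
    enc, dec = run_with_c2_reachable()
    print("reachable C2: encrypted", len(enc), "files; recovered ok:", dec == SAMPLE_FILES)
    print("blocked C2: result is", run_with_c2_blocked())
```

The point of the two runs is the asymmetry the report describes: with the callback allowed, the endpoint holds only ciphertext plus an RSA-wrapped file key it cannot open, so recovery depends entirely on the C2; with the callback denied, `infect` returns before touching a single file. A sample that shipped with an embedded public key would not fail closed this way, which is why the simple, static C2 infrastructure is a genuine weakness here rather than just an aesthetic one.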
"Unlike other prevalent malware families, CryptoWall does not use advanced techniques such as domain generation algorithms or fast-flux DNS," the report said. Nevertheless, "while neither the malware nor infrastructure of CryptoWall is as sophisticated as that of CryptoLocker, the threat actors have demonstrated both longevity and proficiency in distribution."
CryptoWall has used the Cutwail botnet to spread through malicious email attachments and malicious download links -- sometimes pointing to the Upatre downloader and other times to legitimate cloud hosting providers like Dropbox and MediaFire. It has also spread through the Angler, RIG, and Infinity exploit kits.
Researchers have seen similarities between CryptoWall and the Tobfy ransomware family. This suggests that the threat actors for both are the same or are related.
"The threat actors behind this malware have several years of successful cybercrime experience and have demonstrated a diversity of distribution methods," the report said. "As a result, CTU researchers expect this threat will continue to grow."